Analysis Overview
SHA256
38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
Threat Level: Known bad
The file 241105-dtxrgatbpg_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Detects Zeppelin payload
Smokeloader family
Gozi family
Darkcomet family
Formbook
RevengeRAT
Cobaltstrike family
Hawkeye family
Hakbit family
Modiloader family
Raccoon Stealer V1 payload
Qakbot/Qbot
Zloader, Terdot, DELoader, ZeusSphinx
Darkcomet
WarzoneRat, AveMaria
Zeppelin family
Formbook family
Qakbot family
Disables service(s)
Raccoon family
Danabot family
njRAT/Bladabindi
Gozi
Danabot x86 payload
Danabot
Njrat family
Babylon RAT
Dharma family
AgentTesla
Hakbit
Asyncrat family
Modifies WinLogon for persistence
RevengeRat Executable
Babylonrat family
AsyncRat
Xred family
ModiLoader Second Stage
Raccoon
Zloader family
Agenttesla family
Revengerat family
HawkEye
Warzonerat family
Dharma
SmokeLoader
NirSoft MailPassView
NirSoft WebBrowserPassView
Warzone RAT payload
AgentTesla payload
ReZer0 packer
Detected Nirsoft tools
Deletes shadow copies
Async RAT payload
RevengeRat Executable
Formbook payload
Renames multiple (193) files with added filename extension
CryptOne packer
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Disables RegEdit via registry modification
Boot or Logon Autostart Execution: Active Setup
Disables Task Manager via registry modification
Drops file in Drivers directory
Modifies Windows Firewall
Executes dropped EXE
Deletes itself
Checks BIOS information in registry
Loads dropped DLL
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Drops startup file
Obfuscated with Agile.Net obfuscator
Modifies file permissions
Checks computer location settings
Checks QEMU agent file
Maps connected drives based on registry
Command and Scripting Interpreter: PowerShell
Drops desktop.ini file(s)
Adds Run key to start application
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Delays execution with timeout.exe
Modifies registry class
Opens file in notepad (likely ransom note)
Runs ping.exe
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Kills process with taskkill
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-26 05:51
Signatures
Cobaltstrike family
Detects Zeppelin payload
1 match; no description, indicator, process or target recorded.
ModiLoader Second Stage
1 match; no description, indicator, process or target recorded.
Modiloader family
Njrat family
RevengeRat Executable
6 matches; no description, indicator, process or target recorded.
Revengerat family
Xred family
Zeppelin family
Zloader family
CryptOne packer
2 matches; no description, indicator, process or target recorded.
AutoIT Executable
3 matches; no description, indicator, process or target recorded.
UPX packed file
2 matches; no description, indicator, process or target recorded.
Unsigned PE
63 matches; no description, indicator, process or target recorded.
NSIS installer
4 matches; no description, indicator, process or target recorded.
Analysis: behavioral5
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:15
Platform
win7-20240903-en
Max time kernel
888s
Max time network
900s
Command Line
Signatures
Zloader family
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ebbef = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hodo\\difyyba.dll,DllRegisterServer" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2548 set thread context of 2696 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
Files
memory/2696-0-0x00000000000D0000-0x00000000000F5000-memory.dmp
memory/2696-2-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2696-4-0x00000000000D0000-0x00000000000F5000-memory.dmp
memory/2696-5-0x00000000000D0000-0x00000000000F5000-memory.dmp
memory/2696-7-0x00000000000D0000-0x00000000000F5000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:15
Platform
win10v2004-20250217-en
Max time kernel
892s
Max time network
901s
Command Line
Signatures
Zloader family
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fayfby = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Afocdo\\fuceubb.dll,DllRegisterServer" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 556 set thread context of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4752 wrote to memory of 556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4752 wrote to memory of 556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4752 wrote to memory of 556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 556 wrote to memory of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 556 wrote to memory of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 556 wrote to memory of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 556 wrote to memory of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 556 wrote to memory of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 104.208.16.89:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | banog.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | rayonch.org | udp |
| US | 8.8.8.8:53 | airnaa.org | udp |
Files
memory/3704-0-0x00000000010D0000-0x00000000010F5000-memory.dmp
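Both Zloader detonations above (behavioral5 on Windows 7, behavioral6 on Windows 10) record the same loader chain: the 64-bit regsvr32.exe spawns the SysWOW64 regsvr32.exe, which writes into a msiexec.exe it started and then sets its thread context, the WriteProcessMemory + SetThreadContext pattern of process hollowing into a signed Windows binary. The Python below is an added example, not part of the sandbox report, that rebuilds that chain from the report's "wrote to memory" / "set thread context" rows. The sample rows are copied from the behavioral6 tables; the list of host binaries treated as hollowing targets is an assumption of the example.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral6 "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables (behavioral5 uses the same format).
INJECTION_ROWS = r"""
| PID 4752 wrote to memory of 556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4752 wrote to memory of 556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 556 wrote to memory of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 556 wrote to memory of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 556 set thread context of 3704 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\msiexec.exe |
"""

ROW_RE = re.compile(
    r"^\|\s*PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)\s*\|"
    r"\s*[^|]*\|\s*(?P<src_img>[^|]+?)\s*\|\s*(?P<dst_img>[^|]+?)\s*\|$"
)

# Assumption of this example: signed Windows binaries that loaders commonly hollow.
# msiexec.exe is the one used in the detonations above.
HOLLOW_TARGETS = {"msiexec.exe", "explorer.exe", "svchost.exe", "regasm.exe", "regsvcs.exe"}


def parse_rows(text):
    """Yield (src_pid, op, dst_pid, src_image, dst_image) for every row that matches."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["op"], int(m["dst"]), m["src_img"], m["dst_img"]


def build_graph(text):
    """Collapse repeated rows into one edge per (src, dst) carrying the set of operations seen."""
    edges = defaultdict(lambda: {"ops": set(), "src_img": None, "dst_img": None})
    for src, op, dst, src_img, dst_img in parse_rows(text):
        e = edges[(src, dst)]
        e["ops"].add("write" if op.startswith("wrote") else "setctx")
        e["src_img"], e["dst_img"] = src_img, dst_img
    return edges


def find_hollowing(edges):
    """Edges that both write memory and set the thread context of a known hollowing
    target: the classic WriteProcessMemory + SetThreadContext sequence."""
    hits = []
    for (src, dst), e in edges.items():
        name = e["dst_img"].rsplit("\\", 1)[-1].lower()
        if {"write", "setctx"} <= e["ops"] and name in HOLLOW_TARGETS:
            hits.append((src, dst, e["dst_img"]))
    return hits


def chain_to(edges, pid):
    """Walk the injection graph backwards from pid to its root and return the image names, root first."""
    parents = {dst: src for (src, dst) in edges}
    images = {}
    for (src, dst), e in edges.items():
        images[src], images[dst] = e["src_img"], e["dst_img"]
    chain, seen = [pid], {pid}
    while chain[-1] in parents and parents[chain[-1]] not in seen:  # seen guards against cycles
        nxt = parents[chain[-1]]
        chain.append(nxt)
        seen.add(nxt)
    return [images[p] for p in reversed(chain)]


if __name__ == "__main__":
    g = build_graph(INJECTION_ROWS)
    for src, dst, img in find_hollowing(g):
        print(f"hollowing: PID {src} -> PID {dst} ({img})")
        print("  chain: " + " -> ".join(chain_to(g, dst)))
```

The same two-step test (memory written into a process that the writer also re-contexts) is what the "Suspicious use of SetThreadContext" signature keys on; requiring both operations on one edge keeps ordinary parent-child CreateProcess writes, such as the regsvr32 to regsvr32 hop, from being reported as injection.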
Analysis: behavioral9
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:15
Platform
win7-20240903-en
Max time kernel
835s
Max time network
839s
Command Line
Signatures
SmokeLoader
Smokeloader family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0di3x.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0di3x.exe
"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"
Network
Files
memory/2132-1-0x0000000003070000-0x0000000003170000-memory.dmp
memory/2132-4-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2132-3-0x0000000000220000-0x000000000022A000-memory.dmp
\Users\Admin\AppData\Local\Temp\2F6.tmp
| MD5 | d124f55b9393c976963407dff51ffa79 |
| SHA1 | 2c7bbedd79791bfb866898c85b504186db610b5d |
| SHA256 | ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef |
| SHA512 | 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06 |
memory/2132-8-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2132-7-0x0000000000400000-0x0000000002FA6000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:03
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\201106-9sxjh7tvxj_pw_infected.zip
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:04
Platform
win10v2004-20250217-en
Max time kernel
11s
Max time network
43s
Command Line
Signatures
AgentTesla
Agenttesla family
Danabot
Danabot family
Danabot x86 payload
1 match; no description, indicator, process or target recorded.
Dharma
Dharma family
Formbook
Formbook family
Gozi
Gozi family
Raccoon
Raccoon Stealer V1 payload
5 matches; no description, indicator, process or target recorded.
Raccoon family
AgentTesla payload
1 match; no description, indicator, process or target recorded.
CryptOne packer
1 match; no description, indicator, process or target recorded.
Formbook payload
5 matches; no description, indicator, process or target recorded.
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
ReZer0 packer
2 matches; no description, indicator, process or target recorded.
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\31.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Obfuscated with Agile.Net obfuscator
1 match; no description, indicator, process or target recorded.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Dokumen4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dibromob\\PRECONCE.vbs" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feeed = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\feeed.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16.exe = "C:\\Windows\\System32\\16.exe" | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
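The "Adds Run key to start application" tables in the Zloader detonations and in behavioral18 show four variants of one technique: an HKCU Run value that proxies a DLL through rundll32 with the DllRegisterServer export, an HKCU RunOnce value pointing at a .vbs in %TEMP%, an HKCU Run value that launches an EXE through pcalua.exe -a (the Program Compatibility Assistant launcher), and an HKLM Run value pointing at a copy the sample dropped in System32. The Python below is an added example, not part of the report, that parses those "Set value (str)" rows and lists the reasons each autorun entry deserves a look. The sample rows are copied from the tables above; the sets of proxy binaries, user-writable directories and script extensions are assumptions of the example.

```python
import re

# Rows copied from the "Adds Run key to start application" tables above
# (behavioral5, behavioral6 and behavioral18). The report doubles backslashes
# inside the quoted value, so the parser unescapes them.
AUTORUN_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ebbef = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hodo\\difyyba.dll,DllRegisterServer" | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Dokumen4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dibromob\\PRECONCE.vbs" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feeed = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\feeed.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16.exe = "C:\\Windows\\System32\\16.exe" | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
"""

ROW_RE = re.compile(
    r'^\|\s*Set value \(str\)\s*\|\s*(?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<value>.*)"\s*\|'
    r'\s*(?P<writer>[^|]+?)\s*\|'
)

# Assumptions of this example: binaries commonly abused to proxy an autorun payload,
# directories a standard user can write to, and script-type payload extensions.
PROXY_BINARIES = {"rundll32.exe", "pcalua.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")


def parse_autoruns(text):
    """Turn each 'Set value (str)' row into a dict: hive, Run/RunOnce, value name, command, writing process."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "hive": "HKLM" if m["key"].startswith("\\REGISTRY\\MACHINE") else "HKU",
            "subkey": m["key"].rsplit("\\", 1)[-1],          # "Run" or "RunOnce"
            "name": m["name"],
            "command": m["value"].replace("\\\\", "\\"),     # undo the report's escaping
            "writer": m["writer"],
        })
    return entries


def score(entry):
    """Return the list of reasons this autorun entry looks like malware persistence (empty if none)."""
    low = entry["command"].lower()
    reasons = []
    # First token of the command, with a leading quote stripped; paths containing
    # spaces inside quotes are not handled by this simple split.
    first = low.split()[0].strip('"').rsplit("\\", 1)[-1]
    if first in PROXY_BINARIES:
        reasons.append(f"proxied through {first}")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("payload in user-writable directory")
    if any(ext in low for ext in SCRIPT_EXT):
        reasons.append("script payload")
    if "dllregisterserver" in low:
        reasons.append("DllRegisterServer export (DLL loader persistence)")
    if entry["hive"] == "HKLM":
        reasons.append("machine-wide Run key (needs admin)")
    w = entry["writer"].lower()
    if any(d in w for d in USER_WRITABLE) or w.endswith(("\\msiexec.exe", "\\reg.exe")):
        reasons.append("written by " + entry["writer"].rsplit("\\", 1)[-1])
    return reasons


if __name__ == "__main__":
    for e in parse_autoruns(AUTORUN_ROWS):
        print(f"{e['hive']}\\...\\{e['subkey']}\\{e['name']} = {e['command']}")
        for r in score(e):
            print("   -", r)
```

Each of the four rows trips at least two checks, which is the practical point: a Run value is rarely interesting on its own, but a Run value written by msiexec.exe or reg.exe that proxies a payload out of AppData almost always is.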
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-100612193-3312047696-905266872-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-100612193-3312047696-905266872-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\16.exe | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4272 set thread context of 2640 | N/A | C:\Users\Admin\AppData\Roaming\2.exe | C:\Users\Admin\AppData\Roaming\2.exe |
| PID 2640 set thread context of 3524 | N/A | C:\Users\Admin\AppData\Roaming\2.exe | C:\Windows\Explorer.EXE |
| PID 3904 set thread context of 4988 | N/A | C:\Users\Admin\AppData\Roaming\3.exe | C:\Users\Admin\AppData\Roaming\3.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\BlockLock.mpe | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\bn.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\7z.sfx.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\br.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\7-zip.chm.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\bg.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\7-zip32.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\ca.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\7-Zip\History.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.id-471E51BF.[[email protected]].BOMBO | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
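The "Drops file in Program Files directory" table above is the Dharma encryption run by 16.exe: each victim file is rewritten and renamed to `<original>.id-471E51BF.[<contact address>].BOMBO`, the Dharma/CrySIS naming scheme of an 8-hex-digit victim ID, a bracketed contact address and a campaign extension (the address is obfuscated in this copy of the report). The Python below is an added example, not part of the report, that recognises that pattern in file paths, recovers the original name, and groups hits by victim ID and extension so a responder can size an encryption run from file-creation telemetry. The pattern is taken from the rows above; the sample paths are constructed for the example with a placeholder contact address.

```python
import re
from collections import Counter

# Dharma/CrySIS appended-extension scheme seen in the table above:
#   <original>.id-<8 hex digits>.[<contact address>].<EXT>
DHARMA_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]\\]+)\]\.(?P<ext>[A-Za-z0-9]{2,16})$"
)

# Constructed sample of file paths from file-creation events. The contact
# address is a placeholder; the Program Files paths mirror the table above.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\7z.exe.id-471E51BF.[decrypt@example.invalid].BOMBO",
    r"C:\Program Files\7-Zip\Lang\en.ttt.id-471E51BF.[decrypt@example.invalid].BOMBO",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.id-471E51BF.[decrypt@example.invalid].BOMBO",
    r"C:\Program Files\7-Zip\7zFM.exe",                                               # opened, not renamed
    r"C:\Users\Admin\Documents\report.docx.id-0A1B2C3D.[other@example.invalid].BOMBO",  # a second victim ID
    r"C:\Users\Admin\Pictures\holiday.id-2021.jpg",                                   # similar-looking, not the scheme
]


def parse_dharma_name(path):
    """Return directory, original name, victim ID, contact and extension if the file name
    follows the Dharma scheme, otherwise None."""
    directory, _, name = path.rpartition("\\")
    m = DHARMA_RE.match(name)
    if not m:
        return None
    return {
        "directory": directory,
        "original": m["original"],
        "victim_id": m["victim_id"].upper(),
        "contact": m["contact"],
        "ext": m["ext"],
    }


def summarize(paths):
    """Count encrypted files per (victim_id, ext) and collect the recovered original paths."""
    counts = Counter()
    originals = []
    for p in paths:
        hit = parse_dharma_name(p)
        if hit:
            counts[(hit["victim_id"], hit["ext"])] += 1
            originals.append(hit["directory"] + "\\" + hit["original"])
    return counts, originals


def mass_rename_alert(counts, threshold=100):
    """Victim IDs whose renamed-file count crosses the threshold. The summary at the top of
    this report counted 193 renamed files, so a threshold of 100 would have fired here."""
    per_victim = Counter()
    for (victim_id, _), n in counts.items():
        per_victim[victim_id] += n
    return sorted(v for v, n in per_victim.items() if n >= threshold)


if __name__ == "__main__":
    counts, originals = summarize(SAMPLE_PATHS)
    for (victim_id, ext), n in counts.items():
        print(f"victim {victim_id}: {n} file(s) with extension .{ext}")
    for o in originals:
        print("  original:", o)
    print("alerting victim IDs:", mass_rename_alert(counts, threshold=3))
```

The victim ID is the useful pivot: it is constant across every file the same infection touched, so counting renames per ID (rather than per extension, which changes between campaigns) separates one encryption run from a second machine or a second sample hitting the same share.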
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\17.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\14.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\15.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\31.exe
"C:\Users\Admin\AppData\Local\Temp\31.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9069.tmp\906A.tmp\906B.bat C:\Users\Admin\AppData\Local\Temp\31.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\4.exe
C:\Users\Admin\AppData\Roaming\4.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\5.exe
C:\Users\Admin\AppData\Roaming\5.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\7.exe
C:\Users\Admin\AppData\Roaming\7.exe
C:\Users\Admin\AppData\Roaming\8.exe
C:\Users\Admin\AppData\Roaming\8.exe
C:\Users\Admin\AppData\Roaming\9.exe
C:\Users\Admin\AppData\Roaming\9.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
C:\Users\Admin\AppData\Roaming\10.exe
C:\Users\Admin\AppData\Roaming\10.exe
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\11.exe
C:\Users\Admin\AppData\Roaming\11.exe
C:\Users\Admin\AppData\Roaming\12.exe
C:\Users\Admin\AppData\Roaming\12.exe
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\14.exe
C:\Users\Admin\AppData\Roaming\14.exe
C:\Users\Admin\AppData\Roaming\15.exe
C:\Users\Admin\AppData\Roaming\15.exe
C:\Users\Admin\AppData\Roaming\16.exe
C:\Users\Admin\AppData\Roaming\16.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\AppData\Roaming\17.exe
C:\Users\Admin\AppData\Roaming\17.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBED.tmp"
C:\Users\Admin\AppData\Roaming\18.exe
C:\Users\Admin\AppData\Roaming\18.exe
C:\Users\Admin\AppData\Roaming\19.exe
C:\Users\Admin\AppData\Roaming\19.exe
C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\13.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@3504
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5600 -ip 5600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3504 -ip 3504
C:\Users\Admin\AppData\Roaming\20.exe
C:\Users\Admin\AppData\Roaming\20.exe
C:\Users\Admin\AppData\Roaming\11.exe
"{path}"
C:\Users\Admin\AppData\Roaming\11.exe
"{path}"
C:\Users\Admin\AppData\Roaming\11.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 616
C:\Users\Admin\AppData\Roaming\7.exe
C:\Users\Admin\AppData\Roaming\7.exe
C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
C:\Users\Admin\AppData\Roaming\21.exe
C:\Users\Admin\AppData\Roaming\21.exe
C:\Users\Admin\AppData\Roaming\22.exe
C:\Users\Admin\AppData\Roaming\22.exe
C:\Users\Admin\AppData\Roaming\21.exe
"{path}"
C:\Users\Admin\AppData\Roaming\23.exe
C:\Users\Admin\AppData\Roaming\23.exe
C:\Users\Admin\AppData\Roaming\24.exe
C:\Users\Admin\AppData\Roaming\24.exe
C:\Users\Admin\AppData\Roaming\25.exe
C:\Users\Admin\AppData\Roaming\25.exe
C:\Users\Admin\AppData\Roaming\26.exe
C:\Users\Admin\AppData\Roaming\26.exe
C:\Users\Admin\AppData\Roaming\27.exe
C:\Users\Admin\AppData\Roaming\27.exe
C:\Users\Admin\AppData\Roaming\28.exe
C:\Users\Admin\AppData\Roaming\28.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
Files
C:\Users\Admin\AppData\Local\Temp\9069.tmp\906A.tmp\906B.bat
| MD5 | ba36077af307d88636545bc8f585d208 |
| SHA1 | eafa5626810541319c01f14674199ab1f38c110c |
| SHA256 | bec099c24451b843d1b5331686d5f4a2beff7630d5cd88819446f288983bda10 |
| SHA512 | 933c2e5de3bc180db447e6864d7f0fa01e796d065fcd8f3d714086f49ec2f3ae8964c94695959beacf07d5785b569fd4365b7e999502d4afa060f4b833b68d80 |
C:\Users\Admin\AppData\Roaming\1.jar
| MD5 | a5d6701073dbe43510a41e667aaba464 |
| SHA1 | e3163114e4e9f85ffd41554ac07030ce84238d8c |
| SHA256 | 1d635c49289d43e71e2b10b10fbb9ea849a59eacedfdb035e25526043351831c |
| SHA512 | 52f711d102cb50fafefc2a9f2097660b950564ff8e9324471b9bd6b7355321d60152c78f74827b05b6332d140362bd2c638b8c9cdb961431ab5114e01851fbe4 |
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | 715c838e413a37aa8df1ef490b586afd |
| SHA1 | 4aef3a0036f9d2290f7a6fa5306228abdbc9e6e1 |
| SHA256 | 4c21a70dbc6b9bc5e1ee1e7506ee205eecdb14cc45571423e6bcc86dbe4001e7 |
| SHA512 | af13c0efb1552bbfbb517e27ff70a00cba5c230e3d2e707bd28a9ccce40e0402793c4ecc32ba1418f19a3744b78b89e5c8709eae3ad5f883c474832c182de861 |
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | d2e2c65fc9098a1c6a4c00f9036aa095 |
| SHA1 | c61b31c7dbebdd57a216a03a3dc490a3ea9f5abd |
| SHA256 | 4d7421e6d0ac81e2292bcff52f7432639c4f434519db9cf2985b46a0069b2be8 |
| SHA512 | b5bd047ca4ee73965719669b29478a9d33665752e1dbe0f575a2da759b90819e64125675da749624b2d8c580707fd6a932685ab3962b5b88353981e857fe9793 |
memory/4272-82-0x0000000000400000-0x00000000004B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\5.exe
| MD5 | 4fcc5db607dbd9e1afb6667ab040310e |
| SHA1 | 48af3f2d0755f0fa644fb4b7f9a1378e1d318ab9 |
| SHA256 | 6fb0eacc8a7abaa853b60c064b464d7e87b02ef33d52b0e9a928622f4e4f37c7 |
| SHA512 | a46ded4552febd7983e09069d26ab2885a8087a9d43904ad0fedcc94a5c65fe0124bbf0a7d3e7283cb3459883e53c95f07fa6724b45f3a9488b147de42221a26 |
C:\Users\Admin\AppData\Roaming\4.exe
| MD5 | ec7506c2b6460df44c18e61d39d5b1c0 |
| SHA1 | 7c3e46cd7c93f3d9d783888f04f1607f6e487783 |
| SHA256 | 4e36dc0d37ead94cbd7797668c3c240ddc00fbb45c18140d370c868915b8469d |
| SHA512 | cf16f6e5f90701a985f2a2b7ad782e6e1c05a7b6dc0e644f7bdd0350f717bb4c9e819a8e9f383da0324b92f354c74c11b2d5827be42e33f861c233f3baab687e |
memory/2640-76-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\6.exe
| MD5 | cf04c482d91c7174616fb8e83288065a |
| SHA1 | 6444eb10ec9092826d712c1efad73e74c2adae14 |
| SHA256 | 7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf |
| SHA512 | 3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6 |
memory/4056-97-0x0000027152180000-0x0000027152181000-memory.dmp
C:\Users\Admin\AppData\Roaming\7.exe
| MD5 | 42d1caf715d4bd2ea1fade5dffb95682 |
| SHA1 | c26cff675630cbc11207056d4708666a9c80dab5 |
| SHA256 | 8ea389ee2875cc95c5cd2ca62ba8a515b15ab07d0dd7d85841884cbb2a1fceea |
| SHA512 | b21a0c4b19ffbafb3cac7fad299617ca5221e61cc8d0dca6d091d26c31338878b8d24fe98a52397e909aaad4385769aee863038f8c30663130718d577587527f |
C:\Users\Admin\AppData\Roaming\8.exe
| MD5 | dea5598aaf3e9dcc3073ba73d972ab17 |
| SHA1 | 51da8356e81c5acff3c876dffbf52195fe87d97f |
| SHA256 | 8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c |
| SHA512 | a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e |
memory/2992-116-0x0000000000D10000-0x0000000000DBC000-memory.dmp
memory/2992-120-0x0000000002FC0000-0x0000000002FD4000-memory.dmp
memory/2992-126-0x0000000005770000-0x0000000005802000-memory.dmp
memory/2992-125-0x0000000002FD0000-0x0000000002FD8000-memory.dmp
memory/2992-123-0x0000000005C30000-0x00000000061D4000-memory.dmp
memory/2896-133-0x00000000004A0000-0x00000000004B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\9.exe
| MD5 | ea88f31d6cc55d8f7a9260245988dab6 |
| SHA1 | 9e725bae655c21772c10f2d64a5831b98f7d93dd |
| SHA256 | 33f77b1bca36469dd734af67950223a7b1babd62a25cb5f0848025f2a68b9447 |
| SHA512 | 5952c4540b1ae5f2db48aaae404e89fb477d233d9b67458dd5cecc2edfed711509d2e968e6af2dbb3bd2099c10a4556f7612fc0055df798e99f9850796a832ad |
memory/3964-150-0x0000000000970000-0x0000000000A2E000-memory.dmp
memory/2992-154-0x0000000005760000-0x0000000005768000-memory.dmp
memory/2992-153-0x0000000005A40000-0x0000000005A84000-memory.dmp
memory/2992-152-0x0000000005720000-0x0000000005728000-memory.dmp
memory/3964-166-0x00000000052F0000-0x00000000052FA000-memory.dmp
memory/2480-185-0x00000000007E0000-0x00000000007F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\10.exe
| MD5 | 68f96da1fc809dccda4235955ca508b0 |
| SHA1 | f182543199600e029747abb84c4448ac4cafef82 |
| SHA256 | 34b63aa5d2cff68264891f11e8d6875a38ff28854e9723b1db9c154a5abe580c |
| SHA512 | 8512aa47d9d2062a8943239ab91a533ad0fa2757aac8dba53d240285069ddbbff8456df20c58e063661f7e245cb99ccbb49c6f9a81788d46072d5c8674da40f7 |
memory/2480-187-0x00000000007E0000-0x00000000007F2000-memory.dmp
memory/2640-183-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2480-181-0x00000000007E0000-0x00000000007F2000-memory.dmp
memory/4056-179-0x0000027152180000-0x0000027152181000-memory.dmp
C:\Users\Admin\AppData\Roaming\11.exe
| MD5 | 9d4da0e623bb9bb818be455b4c5e97d8 |
| SHA1 | 9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0 |
| SHA256 | 091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8 |
| SHA512 | 6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37 |
memory/3964-214-0x0000000005480000-0x0000000005488000-memory.dmp
memory/3964-218-0x0000000007EA0000-0x0000000007F3C000-memory.dmp
memory/3964-217-0x0000000007DA0000-0x0000000007DF8000-memory.dmp
C:\Users\Admin\AppData\Roaming\12.exe
| MD5 | 192830b3974fa27116c067f019747b38 |
| SHA1 | 469fd8a31d9f82438ab37413dae81eb25d275804 |
| SHA256 | 116e5f36546b2ec14aba42ff69f2c9e18ecde3b64abb44797ac9efc6c6472bff |
| SHA512 | 74ebe5adb71c6669bc39fc9c8359cc6bc9bb1a77f5de8556a1730de23104fe95ec7a086c19f39706286b486314deafd7e043109414fd5ce0584f2fbbc6d0658a |
memory/4988-241-0x0000000000400000-0x000000000055D000-memory.dmp
C:\Users\Admin\AppData\Roaming\13.exe
| MD5 | 349f49be2b024c5f7232f77f3acd4ff6 |
| SHA1 | 515721802486abd76f29ee6ed5b4481579ab88e5 |
| SHA256 | 262d38348a745517600abe0719345c6d17c8705dd3b4d67e7a545a94b9388b60 |
| SHA512 | a6c9a96c7738f6408c28b1579009167136ce9d3d68deb4c02f57324d800bce284f5d63a9d589651e8ab37b2ac17bf94e9bd59c63aaa3b66f0891e55ba7d646a0 |
C:\Users\Admin\AppData\Roaming\14.exe
| MD5 | 9acd34bcff86e2c01bf5e6675f013b17 |
| SHA1 | 59bc42d62fbd99dd0f17dec175ea6c2a168f217a |
| SHA256 | 384fef8417014b298dca5ae9e16226348bda61198065973537f4907ac2aa1a60 |
| SHA512 | 9de65becdfc9aaab9710651376684ee697015f3a8d3695a5664535d9dfc34f2343ce4209549cbf09080a0b527e78a253f19169d9c6eb6e4d4a03d1b31ded8933 |
C:\Users\Admin\AppData\Roaming\15.exe
| MD5 | d43d9558d37cdac1690fdeec0af1b38d |
| SHA1 | 98e6dfdd79f43f0971c0eaa58f18bce0e8cbf555 |
| SHA256 | 501c921311164470ca8cb02e66146d8e3f36baa54bfc3ecb3a1a0ed3186ecbc5 |
| SHA512 | 9a357c1bbc153ddc017da08c691730a47ab0ff50834cdc69540ede093d17d432789586d8074a4a8816fb1928a511f2a899362bb03feab16ca231adfdc0004aca |
C:\Users\Admin\AppData\Roaming\16.exe
| MD5 | 56ba37144bd63d39f23d25dae471054e |
| SHA1 | 088e2aff607981dfe5249ce58121ceae0d1db577 |
| SHA256 | 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3 |
| SHA512 | 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-471E51BF.[[email protected]].BOMBO
| MD5 | f7db7a581ed16b7c14f5c4f275c38055 |
| SHA1 | 293d8bf8d242fdc4318d58cb0158ea65437df107 |
| SHA256 | 469950bb37ca61b3729ec985a383fd953cd4e77dbb889d7478af363f3a8acaa0 |
| SHA512 | 586b3178ceb52ea7f8156e9e45bd44b2ac0aed482a981da7538a361209df6d3574416089fa926da648dc86c360c4081597498f16082863c0691e8680f4f283d4 |
memory/2896-1566-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Roaming\17.exe
| MD5 | 15a05615d617394afc0231fc47444394 |
| SHA1 | d1253f7c5b10e7a46e084329c36f7692b41c6d59 |
| SHA256 | 596566f6cb70d55b1b0978a0fab4cffd5049559545fe7ee2fa3897ccbc46c013 |
| SHA512 | 6deea7c0c3795de7360b11fa04384e0956520a3a7bf5405d411b58487a35bba51eaca51c1e2dda910d4159c22179a9161d84da52193e376dfdf6bdfbe8e9f0f1 |
memory/3504-465-0x0000000000400000-0x000000000300E000-memory.dmp
C:\Users\Admin\AppData\Roaming\18.exe
| MD5 | bf15960dd7174427df765fd9f9203521 |
| SHA1 | cb1de1df0c3b1a1cc70a28629ac51d67901b17aa |
| SHA256 | 9187706072f008a27c26421791f57ec33a59b44b012500b2db3eeb48136fb2da |
| SHA512 | 7e8b9907233234440135f27ad813db97e20790baf8cb92949ae9185fa09cb4b7b0da35b6da2b33f3ac64a33545f32f959d90d73f7a6a4f14988c8ac3fd005074 |
memory/7520-4428-0x0000000000530000-0x000000000059E000-memory.dmp
memory/412-3475-0x0000000000400000-0x0000000002DE1000-memory.dmp
memory/4988-4626-0x0000000000400000-0x000000000055D000-memory.dmp
memory/7520-4746-0x0000000004F90000-0x0000000004FD0000-memory.dmp
memory/7520-4744-0x0000000004F40000-0x0000000004F92000-memory.dmp
C:\Users\Admin\AppData\Roaming\19.exe
| MD5 | ff96cd537ecded6e76c83b0da2a6d03c |
| SHA1 | ec05b49da2f8d74b95560602b39db3943de414cb |
| SHA256 | 7897571671717742304acde430e5959c09fd9c29fbbe808105f00a1f663927ac |
| SHA512 | 24a827fda9db76c030852ef2db73c6b75913c9ee55e130a3c9a7c6ff7aff0fb7192ff1c47cd266b91500a04657b2da61a5fc00e48e7fbc27a6cbc9b7d91daa4b |
C:\Users\Admin\AppData\Local\Temp\tmpBBED.tmp
| MD5 | 4bcf2f5368627df468065e706aa40a32 |
| SHA1 | 64dd5d63e1146c939631f7ddf7f56a5975f232d1 |
| SHA256 | 5c70f97adbe39bc449cacc19cbb040816fca258648ea16ff9b63dfde18f91b38 |
| SHA512 | b7751c39a0b315190edba791efe7b2a58995217d66b4e0f81ae8c156d9facc5a18ee80d049338bea7ce6df6b9d09ee9b7dd63828ca12edbd903f0cff9e6d9adc |
memory/448-4627-0x0000000000400000-0x0000000002DF6000-memory.dmp
memory/7520-5484-0x0000000005010000-0x000000000503D000-memory.dmp
C:\Users\Admin\AppData\Roaming\4.dll
| MD5 | 986d769a639a877a9b8f4fb3c8616911 |
| SHA1 | ba1cc29d845d958bd60c989eaa36fdaf9db7ea41 |
| SHA256 | c94374155dded12d9f90d16f03470b12b14c4df109a9cf8dbf26e9cd66850457 |
| SHA512 | 3a1e2a6b57278071906ee2d7b1f9ca6d1ed98084c80512da854e5c1f73e480b92f2b1cceccf87523184bf34250e3cb6a0e1172d7f5478777570f807820d9a187 |
memory/5600-4803-0x0000000000400000-0x0000000002DF6000-memory.dmp
memory/5876-6163-0x0000000002270000-0x00000000024DB000-memory.dmp
memory/3524-6207-0x00000000093F0000-0x00000000094F4000-memory.dmp
memory/3504-5886-0x0000000000400000-0x000000000300E000-memory.dmp
C:\Users\Admin\AppData\Roaming\20.exe
| MD5 | ddcdc714bedffb59133570c3a2b7913f |
| SHA1 | d21953fa497a541f185ed87553a7c24ffc8a67ce |
| SHA256 | be3e6008dde30cb959b90a332a79931b889216a9483944dc5c0d958dec1b8e46 |
| SHA512 | a1d728751490c6cf21f9597c6df6f8db857c28d224b2d03e6d25ce8f17557accbd8ef2972369337b9d3305d5b9029001e5300825c23ce826884dcee55b37562c |
memory/5188-6445-0x0000000000400000-0x000000000042D000-memory.dmp
memory/7208-6729-0x00000000006E0000-0x00000000006EA000-memory.dmp
C:\Users\Admin\AppData\Roaming\21.exe
| MD5 | 9a7f746e51775ca001efd6ecd6ca57ea |
| SHA1 | 7ea50de8dd8c82a7673b97bb7ccd665d98de2300 |
| SHA256 | c4c308629a06c9a4af93fbd747ed2421e2ff2460347352366e51b91d19737400 |
| SHA512 | 20cd6af47a92b396ae565e0a21d3acaa0d3a74bcdccc1506a55dea891da912b03256ba9900c2c089fe44d71210e3c100ba4601cf4d6c9b492a2ce0d323d4c57f |
memory/3524-6728-0x00000000093F0000-0x00000000094F4000-memory.dmp
memory/448-6736-0x0000000000400000-0x0000000002DF6000-memory.dmp
C:\Users\Admin\AppData\Roaming\22.exe
| MD5 | 48e9df7a479e3fd63064ec66e2283a45 |
| SHA1 | a8dcce44de655a97a3448758b397a37d1f7db549 |
| SHA256 | c7d8c3c379dcc42fa796b07b6a9155826d39cbd2f264bc68d22a63b17c8ef7df |
| SHA512 | 6cc839f118cad9982ec998665b409dc297a8cff9b23ec2a9105d15cf58d9adbf46d0048dda76c8e1574f6288d901912b7de373920b68b53dbda43d6075611016 |
memory/6512-6740-0x0000000000640000-0x00000000007C4000-memory.dmp
memory/5012-6742-0x0000000000400000-0x000000000044E000-memory.dmp
memory/6512-6741-0x0000000002A10000-0x0000000002A16000-memory.dmp
C:\Users\Admin\AppData\Roaming\23.exe
| MD5 | 0dca3348a8b579a1bfa93b4f5b25cddd |
| SHA1 | 1ee1bcfd80cd7713093f9c053ef2d8c2cd673cd7 |
| SHA256 | c430a15c1712a571b0cd3ed0e5dfeefa7e78865a91bdc12e66666cd37c0e9654 |
| SHA512 | f0a17a940dd1c956f2578ed852e94631a9762fdd825ed5160b3758e427e8efa2ff0bfc83f239976b1d2765fefc8f9182e41c2da8f5746b36d4b7d189cb14a1b8 |
memory/6512-6752-0x00000000052F0000-0x000000000548A000-memory.dmp
C:\Users\Admin\AppData\Roaming\24.exe
| MD5 | 43728c30a355702a47c8189c08f84661 |
| SHA1 | 790873601f3d12522873f86ca1a87bf922f83205 |
| SHA256 | cecdf155db1d228bc153ebe762d7970bd6a64e81cf5f977343f906a1e1d56e44 |
| SHA512 | b2d0882d5392007364e5f605c405b98a375e34dec63be5d16d9fae374313336fa13edbb6b8894334afb409833ffc0dbbc9be3d7b4263bdf5b77dbff9f2182e1e |
memory/6512-6755-0x00000000050D0000-0x00000000050D6000-memory.dmp
memory/6512-6760-0x0000000008200000-0x0000000008266000-memory.dmp
memory/5864-6761-0x00000000001B0000-0x000000000021A000-memory.dmp
memory/5600-6759-0x0000000000400000-0x0000000002DF6000-memory.dmp
C:\Users\Admin\AppData\Roaming\25.exe
| MD5 | 4bbcdf7f9deb1025ca56fa728d1fff48 |
| SHA1 | bdc80dfb759c221a850ac29664a27efd8d718a89 |
| SHA256 | d2c49ce7e49109214a98eaa2d39f0749c1e779bd139af1cadae55e1ccb55753b |
| SHA512 | ea78c4935864dcddbf6f0516e1d5c095c4814ac988ccc038d0dc11c1fab7127ded45ff35b12bad845422c20f45311101706f0ef14cb1d629277ae276a2535383 |
C:\Users\Admin\AppData\Roaming\26.exe
| MD5 | c3da5cb8e079024e6d554be1732c51cf |
| SHA1 | e8f4499366fe67c9ae6fd1f5acbf56a9b956d4c3 |
| SHA256 | d7479a2f9f080742d17077fb4ccfc24583fa7a35842ba505cd43ed266734ce1f |
| SHA512 | 2395e084aef01c2a3f18524ee2c860f21e785849ce588a6ac7f58b45b6f7ba6dd25c052c49cc41dd72b3ebb7d476d88787aa273af82afc6fe17eb9e0ad4d7043 |
memory/5864-6770-0x0000000007950000-0x00000000079A8000-memory.dmp
memory/7732-6769-0x0000000000390000-0x0000000000428000-memory.dmp
memory/5188-6771-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:25
Platform
win10v2004-20250217-en
Max time kernel
813s
Max time network
828s
Command Line
Signatures
Disables service(s)
Hakbit
Hakbit family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | N/A |
Reads user/profile data of web browsers
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Kills process with taskkill
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
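The two process trees above (the dropper chain that ends at 28.exe, and the 69c56d12... detonation) record the command lines a host-side detection would key on: the Run-key entry that proxies feeed.exe through pcalua.exe, `schtasks /Create` with an XML task definition, `regsvr32 -s` and `rundll32` loading a DLL from AppData, `sc config ... start= disabled`, the taskkill sweep, the WMI shadow-copy loop, `rd /s /q` of `$Recycle.bin`, and the ping- or choice-delayed `del` sequences. The Python below is an added example, not the sandbox's own signatures, that runs a small rule set over those lines and maps hits to ATT&CK technique IDs; the rule names, patterns and mapping are this example's choices, and the sample lines are copied from this page. Three captured lines deserve a caveat when reading the signatures: `"taskkill.exe" IM thunderbird.exe /F` lacks the `/IM` switch, so taskkill rejects the argument and that one process is not killed (the `malformed_taskkill` check below flags it); the PowerShell line ends in `$_Delete()` with no dot between `$_` and `Delete`, which does not parse as PowerShell, so the "Deletes shadow copies" signature fired on the string and shadow copies should be checked on the host with `vssadmin list shadows` rather than assumed gone; and the fsutil/Del pair carries literal `“%s”` placeholders, so as captured it referenced no real file.

```python
import re
from collections import defaultdict

# Constructed sample input: command lines copied from the two process trees in
# this report (as rendered), plus the javaw launch, which should match no rule.
SAMPLE_CMDLINES = [
    r'"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBED.tmp"',
    r'C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@3504',
    r'C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0',
    r'/c del "C:\Users\Admin\AppData\Roaming\2.exe"',
    r'"sc.exe" config SQLWriter start= disabled',
    r'"taskkill.exe" /IM sqlservr.exe /F',
    r'"taskkill.exe" IM thunderbird.exe /F',
    r'"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }',
    r'"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin',
    r'"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”',
    r'"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe',
    r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"',
]

# (rule name, ATT&CK technique, case-insensitive pattern over the full command line).
# Names and the technique mapping are this example's own, not sandbox labels.
RULES = [
    ("run_key_persistence",     "T1547.001", r'\bREG\s+ADD\b.*\\CurrentVersion\\Run\b'),
    ("pcalua_proxy_execution",  "T1218",     r'\bpcalua\.exe"?\s+-a\b'),
    ("schtasks_xml_create",     "T1053.005", r'\bschtasks(\.exe)?"?\s+/Create\b.*\s/XML\b'),
    ("regsvr32_userdir_dll",    "T1218.010", r'\bregsvr32(\.exe)?\s+[-/]s\s+\S*\\AppData\\\S*\.dll\b'),
    ("rundll32_userdir_export", "T1218.011", r'\brundll32(\.exe)?\s+\S*\\AppData\\\S*\.dll,\w+'),
    ("delete_dropped_exe",      "T1070.004", r'\bdel\s+"?[^"]*\\AppData\\[^"]*\.exe'),
    ("service_disable",         "T1489",     r'\bsc(\.exe)?"?\s+config\s+\S+\s+start=\s*disabled\b'),
    ("taskkill_force",          "T1489",     r'\btaskkill(\.exe)?"?\s.*\s/F\b'),
    ("shadow_copy_deletion",    "T1490",     r'Win32_Shadowcopy'),
    ("recycle_bin_wipe",        "T1485",     r'\brd\s+/s\s+/q\s+\S*\$Recycle\.bin'),
    ("fsutil_zero_then_delete", "T1485",     r'\bfsutil\s+file\s+setZeroData\b.*\bdel\b'),
    ("delayed_file_delete",     "T1070.004", r'\b(ping\s+127\.0\.0\.\d+\s+-n\s+\d+|choice\s+/C\s+Y\b.*\s/T\s+\d+)\b.*\bdel\b'),
]
COMPILED = [(name, tid, re.compile(pat, re.I)) for name, tid, pat in RULES]


def triage(cmdlines):
    """Map each rule name to the command lines it matched (rules with no hit are absent)."""
    hits = defaultdict(list)
    for cmd in cmdlines:
        for name, _tid, rx in COMPILED:
            if rx.search(cmd):
                hits[name].append(cmd)
    return dict(hits)


def techniques(cmdlines):
    """Sorted, de-duplicated ATT&CK technique IDs observed across the command lines."""
    return sorted({tid for _name, tid, rx in COMPILED for cmd in cmdlines if rx.search(cmd)})


def unmatched(cmdlines):
    """Command lines no rule covers; review these by hand."""
    return [c for c in cmdlines if not any(rx.search(c) for _n, _t, rx in COMPILED)]


def malformed_taskkill(cmdline):
    """True when taskkill is invoked without a /IM or /PID selector; taskkill then
    rejects the argument and terminates nothing, so the kill did not happen."""
    if not re.search(r'\btaskkill(\.exe)?"?\s', cmdline, re.I):
        return False
    return re.search(r'\s/(IM|PID)\s', cmdline, re.I) is None


if __name__ == "__main__":
    for name, cmds in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f"{name:24s} {len(cmds)}")
    print("techniques:", ", ".join(techniques(SAMPLE_CMDLINES)))
    print("unmatched:", unmatched(SAMPLE_CMDLINES))
    print("broken taskkill:", [c for c in SAMPLE_CMDLINES if malformed_taskkill(c)])
```

The rules match on the command line alone, which is what a process-creation log (Sysmon event 1, or 4688 with command-line auditing) gives you; parent/child pairing such as cmd.exe spawning reg.exe, or the ping then del ordering inside one cmd.exe, is the next thing to add once the image and parent fields are available.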
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
memory/2132-0-0x00007FFD4BE13000-0x00007FFD4BE15000-memory.dmp
memory/2132-1-0x0000000000470000-0x000000000048A000-memory.dmp
memory/2132-2-0x00007FFD4BE10000-0x00007FFD4C8D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhek2yr3.xom.ps1
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
Analysis: behavioral15
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:15
Platform
win7-20240903-en
Max time kernel
900s
Max time network
844s
Command Line
Signatures
HawkEye
Hawkeye family
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1072 set thread context of 1900 | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 1072 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 1900 set thread context of 880 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1900 set thread context of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe
"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Users\Admin\AppData\Roaming\wou\odm.exe
"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex
C:\Users\Admin\AppData\Roaming\wou\odm.exe
C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\WKSGB
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
C:\Users\Admin\AppData\Roaming\wou\WKSGB
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | mail.jakartaalatkantor.com | udp |
| US | 8.8.8.8:53 | mail.jakartaalatkantor.com | udp |
Files
C:\Users\Admin\AppData\Roaming\wou\odm.exe
C:\Users\Admin\AppData\Roaming\wou\zbackup- Copy.png
C:\Users\Admin\AppData\Roaming\wou\ait.ico
C:\Users\Admin\AppData\Roaming\wou\rid.ico
C:\Users\Admin\AppData\Roaming\wou\WKSGB
C:\Users\Admin\AppData\Roaming\wou\spd
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Analysis: behavioral16
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:16
Platform
win10v2004-20250217-en
Max time kernel
616s
Max time network
630s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wou\odm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe
"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"
C:\Users\Admin\AppData\Roaming\wou\odm.exe
"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex
C:\Users\Admin\AppData\Roaming\wou\odm.exe
"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex
C:\Users\Admin\AppData\Roaming\wou\odm.exe
C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\ICGJZ
C:\Users\Admin\AppData\Roaming\wou\odm.exe
C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\ICGJZ
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
C:\Users\Admin\AppData\Roaming\wou\odm.exe
C:\Users\Admin\AppData\Roaming\wou\rid.ico
C:\Users\Admin\AppData\Roaming\wou\ICGJZ
Analysis: behavioral21
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:19
Platform
win7-20240903-en
Max time kernel
900s
Max time network
904s
Command Line
Signatures
Babylon RAT
Babylonrat family
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\CNE3w4dbZ4X2.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\qNnnGCoKsVRkgweJ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\CRVaYzFhPtSQ.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
Njrat family
WarzoneRat, AveMaria
Warzonerat family
njRAT/Bladabindi
Warzone RAT payload
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
Disables Task Manager via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe | C:\Windows\svehosts.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe | C:\Windows\svehosts.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." | C:\Windows\svehosts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." | C:\Windows\svehosts.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svehosts.exe | C:\Users\Admin\AppData\Local\Temp\IZwl17kj3Bn2NUkx.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\C3yETByLrPEFgGqJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qNnnGCoKsVRkgweJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kqpGhG2vgjqvzike.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IZwl17kj3Bn2NUkx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aGJSTMlSXHtdJWF1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\excelsl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svehosts.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| N/A | N/A | C:\Windows\svehosts.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe
"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"
C:\Users\Admin\AppData\Local\Temp\IZwl17kj3Bn2NUkx.exe
"C:\Users\Admin\AppData\Local\Temp\IZwl17kj3Bn2NUkx.exe"
C:\Users\Admin\AppData\Local\Temp\qNnnGCoKsVRkgweJ.exe
"C:\Users\Admin\AppData\Local\Temp\qNnnGCoKsVRkgweJ.exe"
C:\Users\Admin\AppData\Local\Temp\C3yETByLrPEFgGqJ.exe
"C:\Users\Admin\AppData\Local\Temp\C3yETByLrPEFgGqJ.exe"
C:\Users\Admin\AppData\Local\Temp\kqpGhG2vgjqvzike.exe
"C:\Users\Admin\AppData\Local\Temp\kqpGhG2vgjqvzike.exe"
C:\Users\Admin\AppData\Local\Temp\aGJSTMlSXHtdJWF1.exe
"C:\Users\Admin\AppData\Local\Temp\aGJSTMlSXHtdJWF1.exe"
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Users\Admin\Documents\excelsl.exe
"C:\Users\Admin\Documents\excelsl.exe"
C:\Windows\svehosts.exe
"C:\Windows\svehosts.exe"
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 2908
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
Files
memory/2500-0-0x00000000749B1000-0x00000000749B2000-memory.dmp
memory/2500-1-0x00000000749B0000-0x0000000074F5B000-memory.dmp
memory/2500-2-0x00000000749B0000-0x0000000074F5B000-memory.dmp
\Users\Admin\AppData\Local\Temp\IZwl17kj3Bn2NUkx.exe
| MD5 | 2819e45588024ba76f248a39d3e232ba |
| SHA1 | 08a797b87ecfbee682ce14d872177dae1a5a46a2 |
| SHA256 | b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93 |
| SHA512 | a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a |
C:\Users\Admin\AppData\Local\Temp\C3yETByLrPEFgGqJ.exe
| MD5 | 3e804917c454ca31c1cbd602682542b7 |
| SHA1 | 1df3e81b9d879e21af299f5478051b98f3cb7739 |
| SHA256 | f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1 |
| SHA512 | 28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf |
\Users\Admin\AppData\Local\Temp\qNnnGCoKsVRkgweJ.exe
| MD5 | 9133c2a5ebf3e25aceae5a001ca6f279 |
| SHA1 | 319f911282f3cded94de3730fa0abd5dec8f14be |
| SHA256 | 7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d |
| SHA512 | 1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e |
memory/1520-31-0x00000000749B0000-0x0000000074F5B000-memory.dmp
\Users\Admin\AppData\Local\Temp\kqpGhG2vgjqvzike.exe
| MD5 | f07d2c33e4afe36ec6f6f14f9a56e84a |
| SHA1 | 3ebed0c1a265d1e17ce038dfaf1029387f0b53ee |
| SHA256 | 309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca |
| SHA512 | b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2 |
\Users\Admin\AppData\Local\Temp\aGJSTMlSXHtdJWF1.exe
| MD5 | e87459f61fd1f017d4bd6b0a1a1fc86a |
| SHA1 | 30838d010aad8c9f3fd0fc302e71b4cbe6f138c0 |
| SHA256 | ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727 |
| SHA512 | dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2 |
\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
| MD5 | 9d2a888ca79e1ff3820882ea1d88d574 |
| SHA1 | 112c38d80bf2c0d48256249bbabe906b834b1f66 |
| SHA256 | 8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138 |
| SHA512 | 17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840 |
Analysis: behavioral22
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:19
Platform
win10v2004-20250217-en
Max time kernel
900s
Max time network
902s
Command Line
Signatures
AsyncRat
Asyncrat family
Babylon RAT
Babylonrat family
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\rXZKDfeVJNCV.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\CvhSrm1yQ68e.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\AbERMHQmjybblnNO.exe | N/A |
Njrat family
WarzoneRat, AveMaria
Warzonerat family
njRAT/Bladabindi
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
Disables Task Manager via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uwfVimZOmgDut3ZG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\45GtnKeOWD0m4ZTj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe | C:\Windows\svehosts.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe | C:\Windows\svehosts.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." | C:\Windows\svehosts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." | C:\Windows\svehosts.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svehosts.exe | C:\Users\Admin\AppData\Local\Temp\uwfVimZOmgDut3ZG.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uUk5ZRNuOj3UONx6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\excelsl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AbERMHQmjybblnNO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\45GtnKeOWD0m4ZTj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fOHjnbJ21VWO0xZo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svehosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uwfVimZOmgDut3ZG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mht3MMJLZPRn4v3k.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\prndrvest.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| N/A | N/A | C:\Windows\svehosts.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe
"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"
C:\Users\Admin\AppData\Local\Temp\uwfVimZOmgDut3ZG.exe
"C:\Users\Admin\AppData\Local\Temp\uwfVimZOmgDut3ZG.exe"
C:\Users\Admin\AppData\Local\Temp\AbERMHQmjybblnNO.exe
"C:\Users\Admin\AppData\Local\Temp\AbERMHQmjybblnNO.exe"
C:\Users\Admin\AppData\Local\Temp\Mht3MMJLZPRn4v3k.exe
"C:\Users\Admin\AppData\Local\Temp\Mht3MMJLZPRn4v3k.exe"
C:\Users\Admin\AppData\Local\Temp\45GtnKeOWD0m4ZTj.exe
"C:\Users\Admin\AppData\Local\Temp\45GtnKeOWD0m4ZTj.exe"
C:\Users\Admin\AppData\Local\Temp\uUk5ZRNuOj3UONx6.exe
"C:\Users\Admin\AppData\Local\Temp\uUk5ZRNuOj3UONx6.exe"
C:\Users\Admin\AppData\Local\Temp\fOHjnbJ21VWO0xZo.exe
"C:\Users\Admin\AppData\Local\Temp\fOHjnbJ21VWO0xZo.exe"
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 724 -ip 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1656
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2024 -ip 2024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1160
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 1084
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 1744
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3868 -ip 3868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1148
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Users\Admin\Documents\excelsl.exe
"C:\Users\Admin\Documents\excelsl.exe"
C:\Windows\svehosts.exe
"C:\Windows\svehosts.exe"
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3064 -ip 3064
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1164
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F9B.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\prndrvest.exe
"C:\Users\Admin\AppData\Roaming\prndrvest.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sandyclark255.hopto.org | udp |
Files
memory/724-0-0x0000000074F02000-0x0000000074F03000-memory.dmp
memory/724-1-0x0000000074F00000-0x00000000754B1000-memory.dmp
memory/724-2-0x0000000074F00000-0x00000000754B1000-memory.dmp
memory/724-4-0x0000000074F00000-0x00000000754B1000-memory.dmp
memory/724-3-0x0000000074F02000-0x0000000074F03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uwfVimZOmgDut3ZG.exe
| MD5 | 2819e45588024ba76f248a39d3e232ba |
| SHA1 | 08a797b87ecfbee682ce14d872177dae1a5a46a2 |
| SHA256 | b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93 |
| SHA512 | a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a |
C:\Users\Admin\AppData\Local\Temp\Mht3MMJLZPRn4v3k.exe
| MD5 | 3e804917c454ca31c1cbd602682542b7 |
| SHA1 | 1df3e81b9d879e21af299f5478051b98f3cb7739 |
| SHA256 | f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1 |
| SHA512 | 28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf |
C:\Users\Admin\AppData\Local\Temp\uUk5ZRNuOj3UONx6.exe
| MD5 | f07d2c33e4afe36ec6f6f14f9a56e84a |
| SHA1 | 3ebed0c1a265d1e17ce038dfaf1029387f0b53ee |
| SHA256 | 309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca |
| SHA512 | b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2 |
memory/4892-68-0x0000000074F00000-0x00000000754B1000-memory.dmp
memory/4892-58-0x0000000074F00000-0x00000000754B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\45GtnKeOWD0m4ZTj.exe
| MD5 | 590acb5fa6b5c3001ebce3d67242aac4 |
| SHA1 | 5df39906dc4e60f01b95783fc55af6128402d611 |
| SHA256 | 7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509 |
| SHA512 | 4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba |
C:\Users\Admin\AppData\Local\Temp\AbERMHQmjybblnNO.exe
| MD5 | 9133c2a5ebf3e25aceae5a001ca6f279 |
| SHA1 | 319f911282f3cded94de3730fa0abd5dec8f14be |
| SHA256 | 7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d |
| SHA512 | 1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e |
memory/4892-33-0x0000000074F00000-0x00000000754B1000-memory.dmp
memory/3868-80-0x0000000074F00000-0x00000000754B1000-memory.dmp
memory/4504-81-0x0000000005110000-0x00000000056B4000-memory.dmp
memory/4504-83-0x0000000004C00000-0x0000000004C92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
| MD5 | 9d2a888ca79e1ff3820882ea1d88d574 |
| SHA1 | 112c38d80bf2c0d48256249bbabe906b834b1f66 |
| SHA256 | 8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138 |
| SHA512 | 17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840 |
memory/3568-78-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/4504-84-0x0000000004B70000-0x0000000004B7A000-memory.dmp
memory/4504-77-0x0000000000280000-0x00000000002E4000-memory.dmp
memory/4828-82-0x0000000074F00000-0x00000000754B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fOHjnbJ21VWO0xZo.exe
| MD5 | e87459f61fd1f017d4bd6b0a1a1fc86a |
| SHA1 | 30838d010aad8c9f3fd0fc302e71b4cbe6f138c0 |
| SHA256 | ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727 |
| SHA512 | dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\excelsl.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/1736-230-0x0000000000400000-0x00000000004C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7F9B.tmp.bat
| MD5 | 291f75de96c28eabc982b39a2e03ff81 |
| SHA1 | 968b1b8e3f24db45e0dfc25c31de95842e4a7d1d |
| SHA256 | 4f0e52bc07089d6915b3b2d7ebcfd5959b8d0957df3cdd1d53dd6893d6f99c9b |
| SHA512 | 5cef4fa92ed7f92844e20e85802fee5b499b43918a2e1dcc51ed072b5dcd99b476f13b3ff386418f47657f8a9df669f0894d509b351104eb9335398d1d130083 |
memory/1744-237-0x0000000000400000-0x00000000004C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\prndrvest.exe
| MD5 | 510a3d1e0a7098d26c8b2e300b5d1784 |
| SHA1 | 82b0242cbca440d80e2f3ffd545ee8dea025045d |
| SHA256 | 37954d3e3a47ce72b9daf484b58f95ee0546dcca7495823f730be62e8540a4e0 |
| SHA512 | 7cdd49d9406cc377649700cb1af900aa752286db4a5a262201afdaf6c16b66a295f15b139c96a0a7ac60068cea66593c3b727e0f7900e3db6efd11350f0aecc5 |
memory/1744-242-0x0000000000400000-0x00000000004C2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:04
Platform
win10v2004-20250217-en
Max time kernel
251s
Max time network
265s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\241105-dtxrgatbpg_pw_infected.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:03
Platform
win10v2004-20250217-en
Max time kernel
92s
Max time network
105s
Command Line
Signatures
SmokeLoader
Smokeloader family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0di3x.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0di3x.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0di3x.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0di3x.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0di3x.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0di3x.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0di3x.exe
"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1640 -ip 1640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 376
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
memory/1640-1-0x0000000003220000-0x0000000003320000-memory.dmp
memory/1640-2-0x0000000003200000-0x000000000320A000-memory.dmp
memory/1640-3-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2F6.tmp
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
memory/1640-10-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1640-9-0x0000000003200000-0x000000000320A000-memory.dmp
memory/1640-8-0x0000000000400000-0x0000000002FA6000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:03
Platform
win10v2004-20250217-en
Max time kernel
106s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\201106-9sxjh7tvxj_pw_infected.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:04
Platform
win10v2004-20250217-en
Max time kernel
85s
Max time network
99s
Command Line
Signatures
SmokeLoader
Smokeloader family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1272 set thread context of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
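The two tables above record PID 1272 writing six times into PID 3608 and setting that process's thread context, with source and target sharing one image path; together with the three probes of HKLM\SYSTEM\ControlSet001\Enum\SCSI (a key whose device-ID subkeys carry VirtualBox, VMware or QEMU strings on a virtual disk), that is the raw material a detection engineer turns into findings. The script below is an added example written for this page, not part of the sandbox's output: it parses the report's own signature rows (copied in as constructed input), correlates write-plus-SetThreadContext events per PID pair, flags targets whose image equals the source's own (a suspended self-copy), and lists which registry operations touched the SCSI enumeration key. The four-column layout and the "PID n ... of m" wording are assumptions taken from this report's tables.

```python
"""Correlate sandbox signature rows into injection and VM-probe findings.

Added example for this report, not part of the sandbox output. It assumes
the report's four-column '| Description | Indicator | Process | Target |'
layout and the 'PID <n> ... of <m>' wording used in the rows above.
"""
import json
import re
from collections import defaultdict

# Constructed sample input: the signature tables recorded for behavioral14,
# copied from the report. Header rows are skipped by the parser.
BEHAVIORAL14_SIGNATURES = r"""
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1272 set thread context of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
| PID 1272 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
"""

PID_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_rows(text):
    """Yield (signature, description, indicator, process, target) per table row."""
    signature = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("|"):
            signature = line  # a bare line names the signature whose rows follow
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        yield (signature, *cells)


def correlate_injection(rows):
    """Group cross-process memory events by (source PID, target PID).

    A source that writes into a target and also sets the target's thread
    context is consistent with RunPE-style hollowing; when the target image
    path equals the source's own, the target is a suspended self-copy.
    """
    pairs = defaultdict(lambda: {"actions": set(), "writes": 0, "process": "", "target": ""})
    for _sig, desc, _ind, process, target in rows:
        m = PID_RE.match(desc)
        if not m:
            continue
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        entry = pairs[(src, dst)]
        entry["actions"].add(action)
        if action == "wrote to memory of":
            entry["writes"] += 1
        entry["process"], entry["target"] = process, target
    return [
        {
            "rule": "write-and-set-thread-context",
            "source_pid": src,
            "target_pid": dst,
            "writes": e["writes"],
            "same_image": e["process"].lower() == e["target"].lower(),
        }
        for (src, dst), e in pairs.items()
        if {"set thread context of", "wrote to memory of"} <= e["actions"]
    ]


def scsi_probes(rows):
    """Registry operations against the SCSI enumeration key, per process."""
    probes = defaultdict(set)
    for _sig, desc, indicator, process, _target in rows:
        if indicator.upper().endswith(r"\ENUM\SCSI"):
            probes[process].add(desc.replace("Key ", ""))
    return {proc: sorted(ops) for proc, ops in probes.items()}


def analyze(text):
    rows = list(parse_rows(text))
    return {"injection": correlate_injection(rows), "scsi_probes": scsi_probes(rows)}


def analyze_behavioral14():
    return analyze(BEHAVIORAL14_SIGNATURES)


if __name__ == "__main__":
    print(json.dumps(analyze_behavioral14(), indent=2))
```

The same parser runs unchanged over the behavioral10 tables, where only the SCSI probes fire: there the payload crashed under WerFault before any injection was recorded.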
Processes
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe
"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe
"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
memory/1272-2-0x0000000000C20000-0x0000000000C2B000-memory.dmp
memory/1272-1-0x0000000000C60000-0x0000000000D60000-memory.dmp
memory/3608-3-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3608-4-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D47F.tmp
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
memory/3608-10-0x0000000000400000-0x000000000040A000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:04
Platform
win7-20250207-en
Max time kernel
10s
Max time network
16s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe
"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:19
Platform
win7-20240903-en
Max time kernel
899s
Max time network
905s
Command Line
Signatures
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\61711a49-ba24-4c40-b214-cf8bd1e17b96\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2896 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1200 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Windows\system32\taskeng.exe
taskeng.exe {6AE70FB2-92C1-415B-B1CF-98B1F1CF4AFD} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2552 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 948 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2520 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2448 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
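Behavioral23 shows a staged install: the sample copies itself into a GUID-named folder under %LOCALAPPDATA%, registers that copy under the SysHelper Run key with --AutoStart, then runs icacls to add an inherited deny ACE for Everyone (S-1-1-0) covering DE (delete) and DC (delete child) on the folder, so a plain delete from any account, the Admin user included, is refused until the ACE is removed; the original then relaunches itself with --Admin, --ForNetRes and --Service <pid> switches, and again from a scheduled task with --Task. The script below is an added example for this page, not the sandbox's own logic: it tokenizes the recorded command lines (copied in as constructed input), decodes the escaped Run-key value exactly as the report prints it, parses the icacls ACE, confirms the autostart copy lives in the locked folder, counts the relaunch switches, and emits the inverse icacls /remove:d command a responder would run before deleting the folder. The well-known-SID and rights tables are the standard Windows ones; everything else is taken from the rows above.

```python
"""Decode the self-protecting install seen in behavioral23.

Added example for this report, not part of the sandbox output. Inputs are
the command lines and Run-key value copied from the report above.
"""
import json
import re
from collections import Counter

# Constructed sample input: one of each distinct command line from the run.
BEHAVIORAL23_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
icacls "C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96" /deny *S-1-1-0:(OI)(CI)(DE,DC)
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2896 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
"""
# The Run-key value as the report prints it (JSON-style escaping).
RUN_KEY_VALUE = r'"\"C:\\Users\\Admin\\AppData\\Local\\61711a49-ba24-4c40-b214-cf8bd1e17b96\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"'

TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
ACE_RE = re.compile(r"^\*?(S-1-[\d-]+):((?:\([^()]*\))+)$")
GUID_DIR_RE = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?=\\|$)", re.I)
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone"}
RIGHTS = {"DE": "delete", "DC": "delete child"}
INHERITANCE = {"OI", "CI"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [m.group(0).replace('"', "") for m in TOKEN_RE.finditer(cmdline)]


def icacls_deny(tokens):
    """Describe an 'icacls <path> /deny <sid>:(flags)' call, or return None."""
    if not tokens or tokens[0].rsplit("\\", 1)[-1].lower() not in ("icacls", "icacls.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/deny" not in lowered:
        return None
    m = ACE_RE.match(tokens[lowered.index("/deny") + 1])
    if not m:
        return None
    sid = m.group(1)
    flags = {f for grp in re.findall(r"\(([^()]*)\)", m.group(2)) for f in grp.split(",")}
    return {
        "path": tokens[1],
        "principal": WELL_KNOWN_SIDS.get(sid, sid),
        "inherited": bool(flags & INHERITANCE),
        "denied": sorted(RIGHTS.get(r, r) for r in flags - INHERITANCE),
        # /remove:d strips every deny ACE for the SID; run this before deleting the folder
        "undo": f'icacls "{tokens[1]}" /remove:d *{sid}',
    }


def autostart(run_value_json):
    """Unescape the Run-key value and see what it launches and from where."""
    tokens = tokenize(json.loads(run_value_json))
    exe = tokens[0]
    return {
        "exe": exe,
        "folder": exe.rsplit("\\", 1)[0],
        "switch": tokens[1] if len(tokens) > 1 else None,
        "guid_folder": bool(GUID_DIR_RE.search(exe)),
    }


def relaunch_switches(lines):
    """Count the '--Switch' arguments the sample passes to its own copies."""
    counts = Counter()
    for line in lines:
        counts.update(t for t in tokenize(line)[1:] if t.startswith("--"))
    return dict(counts)


def analyze(cmdlines_text, run_value_json):
    lines = [l for l in cmdlines_text.splitlines() if l.strip()]
    acl = None
    for line in lines:
        acl = icacls_deny(tokenize(line))
        if acl:
            break
    start = autostart(run_value_json)
    return {
        "acl_lockdown": acl,
        "autostart": start,
        "autostart_inside_locked_folder": bool(acl) and start["folder"].lower() == acl["path"].lower(),
        "relaunch_switches": relaunch_switches(lines),
    }


def analyze_behavioral23():
    return analyze(BEHAVIORAL23_CMDLINES, RUN_KEY_VALUE)


if __name__ == "__main__":
    print(json.dumps(analyze_behavioral23(), indent=2))
```

The correlation is the point: a deny ACE on a user-writable folder is odd on its own, but a deny ACE on the very folder a new Run key points into is a self-protection pattern worth alerting on regardless of which family is behind it.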
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | ymad.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | ymad.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | ymad.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | ymad.ug | udp |
| US | 8.8.8.8:53 | ymad.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | ymad.ug | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
Files
memory/1580-0-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1580-2-0x0000000000620000-0x0000000000720000-memory.dmp
memory/1580-3-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1580-4-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1580-6-0x0000000000620000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\61711a49-ba24-4c40-b214-cf8bd1e17b96\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
| MD5 | ead18f3a909685922d7213714ea9a183 |
| SHA1 | 1270bd7fd62acc00447b30f066bb23f4745869bf |
| SHA256 | 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18 |
| SHA512 | 6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91 |
memory/1580-9-0x0000000003570000-0x0000000003619000-memory.dmp
memory/1580-10-0x0000000003570000-0x0000000003619000-memory.dmp
memory/2896-15-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1580-14-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1580-13-0x0000000000620000-0x0000000000720000-memory.dmp
memory/1580-12-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-17-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-18-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-20-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-21-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-23-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-25-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-27-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-28-0x00000000097C0000-0x0000000009869000-memory.dmp
memory/1300-30-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1300-31-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-33-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1200-34-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2896-38-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1200-39-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1300-40-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2516-41-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2516-45-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1200-47-0x0000000000400000-0x00000000004A9000-memory.dmp
C:\Users\Public\Documents\_readme.txt
| MD5 | d75064cfaac9c92f52aadf373dc7e463 |
| SHA1 | 36ea05181d9b037694929ec81f276f13c7d2655c |
| SHA256 | 163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508 |
| SHA512 | 43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1 |
memory/2552-84-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2552-85-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2552-86-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2552-88-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2552-90-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2552-92-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/948-95-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2552-98-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/948-100-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1988-102-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1988-104-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/948-107-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3032-108-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3032-110-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2520-153-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2448-179-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2520-183-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2448-187-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/904-191-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/904-195-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2644-201-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2644-205-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2448-207-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1548-248-0x0000000000400000-0x00000000004A9000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:26
Platform
win7-20240903-en
Max time kernel
891s
Max time network
900s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe | C:\Windows\system32\MSSCS.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe | C:\Windows\system32\MSSCS.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\MSSCS.exe | N/A |
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\MSSCS.exe | C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | N/A |
| File opened for modification | C:\Windows\system32\MSSCS.exe | C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | N/A |
| File opened for modification | C:\Windows\system32\MSSCS.exe | C:\Windows\system32\MSSCS.exe | N/A |
| File created | C:\Windows\system32\MSSCS.exe | C:\Windows\system32\MSSCS.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\MSSCS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jrph2tzn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CF3.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xesfxzl.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D41.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dz4qy75b.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DFC.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\huun25pq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E69.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\02sv4ljr.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EB7.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ikbccq7n.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EE7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EE6.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\elb-jps5.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F34.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ja1kvhb_.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F63.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j7ab2nsa.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F92.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kqg1w0qa.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FD0.tmp"
Network
| Country | Destination | Domain | Proto |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
| PT | 84.91.119.105:333 | | tcp |
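Three things in behavioral29 deserve a second look. First, C:\Windows\System32\MSSCS.exe carries the same SHA256 (905d572f...) as the name of the submitted sample, so the "Drops file in System32 directory" event is a self-copy, and the Startup-folder MSO.exe is in turn created by that copy. Second, "Uses the VBS compiler for execution" refers to vbc.exe, the VB.NET command-line compiler: it is invoked ten times with /noconfig and an @*.cmdline response file in %TEMP%, each time followed by cvtres.exe writing a RES*.tmp, and in every pair the RES number is the vbc*.tmp number plus one (1CF3/1CF4, 1D41/1D42, ...), the footprint of a .NET program compiling source at run time. Third, the network table holds 39 TCP connections to 84.91.119.105:333 in Portugal and nothing else. The script below is an added example, not part of the report: it works over the command lines, hashes and network rows copied in as constructed input, pairs each cvtres step with its compiler by the consecutive temp name, checks dropped files against the sample hash, and counts repeated destinations on uncommon ports. The consecutive-temp-name rule is an observation from this run, not a documented compiler guarantee, and the "common ports" set is my own choice.

```python
"""Three checks over the behavioral29 evidence: runtime .NET compilation,
self-copy detection by hash, and repeated connections to one endpoint.

Added example for this report, not part of the sandbox output.
"""
import re
from collections import Counter

# Constructed sample input, copied from the report above.
SAMPLE_SHA256 = "905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550"
DROPPED_HASHES = {
    r"C:\Windows\System32\MSSCS.exe": "905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550",
}
BEHAVIORAL29_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
"C:\Windows\system32\MSSCS.exe"
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jrph2tzn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CF3.tmp"
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xesfxzl.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D41.tmp"
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dz4qy75b.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DFC.tmp"
"""
# 39 identical rows in the report's Network table; parsed by cell content,
# so the column the destination sits in does not matter.
NETWORK_ROWS = ["| PT | 84.91.119.105:333 | | tcp |"] * 39

TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
TMP_NUM_RE = re.compile(r"\\(?:RES|vbc|csc)([0-9A-F]+)\.tmp$", re.I)
DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
COMPILERS = {"vbc.exe", "csc.exe"}
COMMON_PORTS = {53, 80, 443}  # assumption: what "expected" egress looks like here


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [m.group(0).replace('"', "") for m in TOKEN_RE.finditer(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def runtime_compiles(lines):
    """Pair response-file compiler runs with the cvtres step that follows each.

    Returns (compiles, cvtres_steps); a cvtres step is marked
    consecutive_temp_names when its RES*.tmp number is its vbc*.tmp number + 1,
    the pattern every pair in this run shows.
    """
    compiles, steps = [], []
    for line in lines:
        tokens = tokenize(line)
        if not tokens:
            continue
        exe = basename(tokens[0])
        if exe in COMPILERS and "/noconfig" in (t.lower() for t in tokens):
            rsp = next((t[1:] for t in tokens if t.startswith("@")), None)
            compiles.append({"compiler": exe, "response_file": rsp})
        elif exe == "cvtres.exe":
            out = next((t[5:] for t in tokens if t.upper().startswith("/OUT:")), "")
            a, b = TMP_NUM_RE.search(out), TMP_NUM_RE.search(tokens[-1])
            steps.append({
                "out": out,
                "input": tokens[-1],
                "consecutive_temp_names": bool(a and b and int(a.group(1), 16) == int(b.group(1), 16) + 1),
            })
    return compiles, steps


def self_copies(sample_sha256, dropped):
    """Dropped files whose hash equals the submitted sample: copies, not payloads."""
    return [path for path, digest in dropped.items() if digest.lower() == sample_sha256.lower()]


def repeated_destinations(rows, min_hits=10):
    """Endpoints contacted at least min_hits times, with a note on the port."""
    hits = Counter()
    for row in rows:
        for cell in (c.strip() for c in row.strip().strip("|").split("|")):
            m = DEST_RE.match(cell)
            if m:
                hits[(m.group(1), int(m.group(2)))] += 1
    return [
        {"ip": ip, "port": port, "connections": n, "uncommon_port": port not in COMMON_PORTS}
        for (ip, port), n in hits.items()
        if n >= min_hits
    ]


def analyze_behavioral29():
    lines = [l for l in BEHAVIORAL29_CMDLINES.splitlines() if l.strip()]
    compiles, steps = runtime_compiles(lines)
    return {
        "runtime_compiles": compiles,
        "cvtres_steps": steps,
        "self_copies": self_copies(SAMPLE_SHA256, DROPPED_HASHES),
        "repeated_destinations": repeated_destinations(NETWORK_ROWS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_behavioral29(), indent=2))
```

On a real endpoint the compiler rule is the one to operationalize: vbc.exe or csc.exe started with /noconfig and a %TEMP% response file by anything other than a build tool is rare on user workstations, and cvtres.exe following it with a temp-named /OUT confirms the chain.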
Files
Analysis: behavioral30
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:28
Platform
win10v2004-20250217-en
Max time kernel
891s
Max time network
902s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe | C:\Windows\system32\MSSCS.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe | C:\Windows\system32\MSSCS.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\MSSCS.exe | N/A |
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\MSSCS.exe | C:\Windows\system32\MSSCS.exe | N/A |
| File created | C:\Windows\system32\MSSCS.exe | C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | N/A |
| File opened for modification | C:\Windows\system32\MSSCS.exe | C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | N/A |
| File opened for modification | C:\Windows\system32\MSSCS.exe | C:\Windows\system32\MSSCS.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\MSSCS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
C:\Windows\system32\MSSCS.exe
"C:\Windows\system32\MSSCS.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d45tblyi.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD08A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58289979637402288B1F0CCCE66D1DC.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihfyhk2t.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD145.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF621CAA2B33470FB3B57FC42FCC87D6.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\60hzbpou.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58D29D55571D4A2193FDA87BF3F0F24E.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6m9eucwm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD23F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc608CA19C9AB446DD94A6B0DCE0556545.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqttvssn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD28D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58FBF17C97F1499188AB1EC6B94BDCCF.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w1cgdwa.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A48741B10446D782FF1746181A314.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf27lfmd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD349.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9600544A83A44A5E96BAF833C8E7BDCA.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ogl20x_2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42D25989140746BE96F1EB916342D6.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xznvdrqp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA05122444C9F470BAFD144A4D8B21BD.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d_i_xbn3.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD452.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc192D64FDAAFB4632ABF84EE644C7D75C.TMP"
Network
| Country | Destination | Domain | Proto |
| PT | 84.91.119.105:333 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
memory/3340-0-0x00007FFA53D35000-0x00007FFA53D36000-memory.dmp
memory/3340-1-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
memory/3340-2-0x000000001BB00000-0x000000001BFCE000-memory.dmp
memory/3340-3-0x000000001B570000-0x000000001B616000-memory.dmp
memory/3340-4-0x000000001C0D0000-0x000000001C132000-memory.dmp
memory/3340-5-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
memory/3340-6-0x000000001C960000-0x000000001C9FC000-memory.dmp
memory/3340-7-0x00007FFA53D35000-0x00007FFA53D36000-memory.dmp
memory/3340-8-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
C:\Windows\System32\MSSCS.exe
| MD5 | 6fe3fb85216045fdf8186429c27458a7 |
| SHA1 | ef2c68d0b3edf3def5d90f1525fe87c2142e5710 |
| SHA256 | 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550 |
| SHA512 | d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c |
memory/3820-17-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
memory/3820-18-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
memory/3820-20-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
memory/3340-21-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
memory/3820-22-0x00007FFA53A80000-0x00007FFA54421000-memory.dmp
memory/4772-31-0x000001FE7AAA0000-0x000001FE7AAC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1exozrn.vxb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\d45tblyi.cmdline
| MD5 | aacf28d35183dab1745584fd673aa685 |
| SHA1 | cd11d192497b05cfde6c4378efcd933529999d04 |
| SHA256 | 665fac7c8ed07ef1b550e905eb60d82c86b9a83ede24f0c1458b2466eb364349 |
| SHA512 | 5ff5e4c21e05cfdadae46bc26fdb62779e2a4dee237a2f26c0a240410c67ba5636c96d880fdf2424374169534efd1e343d145fb2fd4a508d57fde589b8e08f9c |
C:\Users\Admin\AppData\Local\Temp\d45tblyi.0.vb
| MD5 | 076803692ac8c38d8ee02672a9d49778 |
| SHA1 | 45d2287f33f3358661c3d6a884d2a526fc6a0a46 |
| SHA256 | 5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3 |
| SHA512 | cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d |
C:\Users\Admin\AppData\Local\Temp\vbc58289979637402288B1F0CCCE66D1DC.TMP
| MD5 | dac60af34e6b37e2ce48ac2551aee4e7 |
| SHA1 | 968c21d77c1f80b3e962d928c35893dbc8f12c09 |
| SHA256 | 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6 |
| SHA512 | 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084 |
C:\Users\Admin\AppData\Local\Temp\RESD08A.tmp
| MD5 | dbc223acbbbb31a3e14c391d7e607c51 |
| SHA1 | 732af6ec5671e3535c5e27629b73b5e3daf2f6bc |
| SHA256 | bd67a9576e02535b277ce4a61f1f8d8c5ad4dbf0178fce0b1c08869237cb92b3 |
| SHA512 | d61678c8d0dcb0db07bbd2bdf476b594c7f87bc1c7602fe69e929441f98a800378289dad32847cc3ce23f667e2bea67373892aee0ed55fb49321fd2894bee61f |
C:\Users\Admin\AppData\Local\Temp\ihfyhk2t.cmdline
| MD5 | 62d919288d08a743e1aa1e5ecdaee700 |
| SHA1 | 23b83b47122d3559b5fa70c142890a3cbe0c09a5 |
| SHA256 | 95fd823ec8c27661277620551d548028328d22f2ebe4037fae66ed7daec6f031 |
| SHA512 | fc83e4eeda63edf4e8e076b379d7acdaaec62e6102ab995e857357586053218d416390053d3e448cdf5c96c156e4d3cc7f29773ddb698f0f36367a10bf5991c4 |
C:\Users\Admin\AppData\Local\Temp\ihfyhk2t.0.vb
| MD5 | 88cc385da858aaa7057b54eaeb0df718 |
| SHA1 | b108224d4686b5ca3faaeb1c728dfba8740a6eca |
| SHA256 | 08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020 |
| SHA512 | 4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7 |
C:\Users\Admin\AppData\Local\Temp\vbcDF621CAA2B33470FB3B57FC42FCC87D6.TMP
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
C:\Users\Admin\AppData\Local\Temp\RESD145.tmp
| MD5 | 121692569b66a9f77e11e93d16c7b819 |
| SHA1 | 51d5946b70f5ebfc01a32a24e08197ce65b4e40b |
| SHA256 | 218f1db9e609fa59d0da77b60d6504b0cbffa371d6ade24a589448d6838aa885 |
| SHA512 | 36343e782ac71bd8a54f14e3a800652ac48da6eb305650cb6346508fe7888a56e365ac177b2bd2d2b668046c0cfda3017e18eb7a7b4ffba6f15d67c8e1560c98 |
C:\Users\Admin\AppData\Local\Temp\60hzbpou.cmdline
| MD5 | f8ed2f74ebbe673f856428bb65b53518 |
| SHA1 | 7daf4bb33263c89d70c13566adb82c88d41966b9 |
| SHA256 | fad89a3380fd01aac1280ad5f7f4b8883a3fcc0d310b5cd678de565cda74eafc |
| SHA512 | 48ea035b6e2daa2cdd8ad4ec2e2c7280f05c8691b6d05ed1fa3d7bf2a416e21e058a8f5907a6e66f0fea7ba326ed9b76e19659a7672dc2095988141ece6608c3 |
C:\Users\Admin\AppData\Local\Temp\60hzbpou.0.vb
| MD5 | d1110a95f1e40f726584bd99eca52fe7 |
| SHA1 | 97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3 |
| SHA256 | 00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142 |
| SHA512 | f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4 |
C:\Users\Admin\AppData\Local\Temp\vbc58D29D55571D4A2193FDA87BF3F0F24E.TMP
| MD5 | 85c61c03055878407f9433e0cc278eb7 |
| SHA1 | 15a60f1519aefb81cb63c5993400dd7d31b1202f |
| SHA256 | f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b |
| SHA512 | 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756 |
C:\Users\Admin\AppData\Local\Temp\RESD1E1.tmp
| MD5 | de6dcee4af4dbabc8e2f8be5e47eb24f |
| SHA1 | 997d1a1874f6ada006f60a272dbb3dc0379d686d |
| SHA256 | 4025cc7fe1b9d8b039546bf972d79bc370e01e980862b491c9e68a6e4d2efc77 |
| SHA512 | 7414e5deb74b36df9e180aae85d962503318eafacd9c7931df9a76ead7f7d53198c1a5c650aec445473b024f6e663c3a45c981555760690d6ef25e01f8f773db |
C:\Users\Admin\AppData\Local\Temp\6m9eucwm.cmdline
| MD5 | cac0dbc290b2a09eb26ffb9068ddb271 |
| SHA1 | 5abf127e9b44c7a7c7ec5aca5f83af1272268106 |
| SHA256 | 25250080555661feff6c920ed3a13965a22a6c8931634add9d6742fc69f2d9ba |
| SHA512 | 44c80bbb8ca7402f270671575d758ff2bf9840216ddeba88d342d4f43d02112e1ba1dd401810b2e891504df40c040bc1a6d506abcfce99235647b55a91476b3d |
C:\Users\Admin\AppData\Local\Temp\6m9eucwm.0.vb
| MD5 | ac972015bef75b540eb33503d6e28cc2 |
| SHA1 | 5c1d09fcf4c719711532dcfd0544dfc6f2b90260 |
| SHA256 | fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7 |
| SHA512 | 36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83 |
C:\Users\Admin\AppData\Local\Temp\RESD23F.tmp
| MD5 | 73aabb0065a879595e7621fff481e2ab |
| SHA1 | f2610011357368afd87a30f3b754e8fedf9d0ac4 |
| SHA256 | 5900d122b28b0d6ddcb56314afa15ce02c98a3651fd141bc646fa7124954f157 |
| SHA512 | 217c1ee97d0495248144a0947b2bcb5e97777a8e617714979970e28d400f59806a38f49962c5214c7a8a2142e0b4592934a9c791ef1f5c8948ac59814929111b |
C:\Users\Admin\AppData\Local\Temp\cqttvssn.cmdline
| MD5 | 8befb89fae71f94795578f921746ae22 |
| SHA1 | dd1a447b10117352ded7323a844288a02425eafb |
| SHA256 | a352a4e02d72fecf90692476c160df28b57278855669e10bb5c971fedd8f042a |
| SHA512 | 3e8b0353fc4ced36e86dc8cf30c54d3affca3a213aa60694f37cee59615b20d1e73c8593dc73370476b5db721b8671fb9972ecb569e30a95630f876e65f9cc17 |
C:\Users\Admin\AppData\Local\Temp\cqttvssn.0.vb
| MD5 | 2b3aac520562a93ebef6a5905d4765c9 |
| SHA1 | 10ab45c5d73934b16fac5e30bf22f17d3e0810c8 |
| SHA256 | b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89 |
| SHA512 | 9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446 |
C:\Users\Admin\AppData\Local\Temp\RESD28D.tmp
| MD5 | 2beecd730b319d1f9255c3a057df00ca |
| SHA1 | 76a7953494edbb8d0a87018907ff881107c67464 |
| SHA256 | 1840fa87a93f0dfdad14bf2640e52a9520d9987eb6d2d2cfba8213803d7d71ac |
| SHA512 | 5904c80bf7076ffc75e3fc9dad343dbc84a6e00a451a35c9f56909951a3a351e4033faf1202d05db43cb56395235743385d782802c29d3f60a9d4ec61085ea89 |
C:\Users\Admin\AppData\Local\Temp\3w1cgdwa.cmdline
| MD5 | 2e39cccf5e0b1b52deaf1f7483613e96 |
| SHA1 | e1d1301d3bb7469c3940bdea0a731a6b810f1c76 |
| SHA256 | 4af7f9b3fbfa0a456bf4248c385c625d0f8ffc6cbbec7b4fd6d001b70b161599 |
| SHA512 | f55b08954d8718fc82d9644e973238f84caf210868c2ead0b360dedb09c8e313337b72161bd6be0c96134f41955a5491e68a780a06a6952f3e50052815e63379 |
C:\Users\Admin\AppData\Local\Temp\3w1cgdwa.0.vb
| MD5 | 325f27ef75bebe8b3f80680add1943d3 |
| SHA1 | 1c48e211258f8887946afb063e9315b7609b4ee3 |
| SHA256 | 034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35 |
| SHA512 | e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804 |
C:\Users\Admin\AppData\Local\Temp\RESD2FB.tmp
| MD5 | fece1b1e5d87bc7f675ea9b6f056f7ec |
| SHA1 | fcd8a2031cbca8850386dfa238cc11fdf9fc4003 |
| SHA256 | 063de8a9f096dff69500df1d0e8b694192b5591c02a4374f1fc8aa3d0c9887e1 |
| SHA512 | ea1d81b44c7a0f559f184e6ca87462d9cdacded8693c4096040b1475ce73852631355f749fedd1efa0e601757e8f8c93937bcc1a62703f71de7efc1564259ae6 |
C:\Users\Admin\AppData\Local\Temp\xf27lfmd.cmdline
C:\Users\Admin\AppData\Local\Temp\xf27lfmd.0.vb
C:\Users\Admin\AppData\Local\Temp\vbc9600544A83A44A5E96BAF833C8E7BDCA.TMP
C:\Users\Admin\AppData\Local\Temp\RESD349.tmp
C:\Users\Admin\AppData\Local\Temp\ogl20x_2.cmdline
C:\Users\Admin\AppData\Local\Temp\ogl20x_2.0.vb
C:\Users\Admin\AppData\Local\Temp\RESD3A7.tmp
C:\Users\Admin\AppData\Local\Temp\xznvdrqp.cmdline
C:\Users\Admin\AppData\Local\Temp\xznvdrqp.0.vb
C:\Users\Admin\AppData\Local\Temp\RESD3F5.tmp
C:\Users\Admin\AppData\Local\Temp\d_i_xbn3.cmdline
C:\Users\Admin\AppData\Local\Temp\d_i_xbn3.0.vb
C:\Users\Admin\AppData\Local\Temp\vbc192D64FDAAFB4632ABF84EE644C7D75C.TMP
C:\Users\Admin\AppData\Local\Temp\RESD452.tmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:03
Platform
win7-20250207-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\241105-dtxrgatbpg_pw_infected.zip
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:15
Platform
win7-20240903-en
Max time kernel
835s
Max time network
839s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1728 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1728 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1728 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1212
Network
| Country | Destination | Domain | Proto |
| RU | 217.8.117.77:80 | N/A | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:03
Platform
win7-20240903-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
SmokeLoader
Smokeloader family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2748 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe
"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe
"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\D47F.tmp
Analysis: behavioral25
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:20
Platform
win7-20240729-en
Max time kernel
840s
Max time network
845s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\6306868794.bin.zip
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:25
Platform
win7-20240903-en
Max time kernel
844s
Max time network
848s
Command Line
Signatures
Disables service(s)
Hakbit
Hakbit family
Credentials from Password Stores: Windows Credential Manager
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | N/A |
Reads user/profile data of web browsers
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Kills process with taskkill
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
C:\Windows\system32\cmd.exe
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
C:\Windows\system32\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=524288 “%s”
Network
Files
C:\Users\Admin\Desktop\FormatDebug.xlsx.energy[[email protected]]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
Analysis: behavioral17
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:18
Platform
win7-20240903-en
Max time kernel
4s
Max time network
903s
Command Line
Signatures
AgentTesla
Agenttesla family
Danabot
Danabot family
Dharma
Dharma family
Formbook
Formbook family
Gozi
Gozi family
Qakbot family
Qakbot/Qbot
Raccoon
Raccoon Stealer V1 payload
Raccoon family
AgentTesla payload
CryptOne packer
Deletes shadow copies
Formbook payload
ReZer0 packer
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
Obfuscated with Agile.Net obfuscator
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16.exe = "C:\\Windows\\System32\\16.exe" | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\18.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\18.exe | N/A |
AutoIT Executable
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\16.exe | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2588 set thread context of 3012 | N/A | C:\Users\Admin\AppData\Roaming\2.exe | C:\Users\Admin\AppData\Roaming\2.exe |
| PID 3012 set thread context of 1076 | N/A | C:\Users\Admin\AppData\Roaming\2.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\15.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\26.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\25.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\27.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\11.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\18.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\16.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\5.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\31.exe
"C:\Users\Admin\AppData\Local\Temp\31.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C487.tmp\C488.tmp\C489.bat C:\Users\Admin\AppData\Local\Temp\31.exe"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\4.exe
C:\Users\Admin\AppData\Roaming\4.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\5.exe
C:\Users\Admin\AppData\Roaming\5.exe
C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\6.exe
C:\Users\Admin\AppData\Roaming\7.exe
C:\Users\Admin\AppData\Roaming\7.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Users\Admin\AppData\Roaming\8.exe
C:\Users\Admin\AppData\Roaming\8.exe
C:\Users\Admin\AppData\Roaming\9.exe
C:\Users\Admin\AppData\Roaming\9.exe
C:\Users\Admin\AppData\Roaming\10.exe
C:\Users\Admin\AppData\Roaming\10.exe
C:\Users\Admin\AppData\Roaming\11.exe
C:\Users\Admin\AppData\Roaming\11.exe
C:\Users\Admin\AppData\Roaming\12.exe
C:\Users\Admin\AppData\Roaming\12.exe
C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\14.exe
C:\Users\Admin\AppData\Roaming\14.exe
C:\Users\Admin\AppData\Roaming\15.exe
C:\Users\Admin\AppData\Roaming\15.exe
C:\Users\Admin\AppData\Roaming\16.exe
C:\Users\Admin\AppData\Roaming\16.exe
C:\Users\Admin\AppData\Roaming\17.exe
C:\Users\Admin\AppData\Roaming\17.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\AppData\Roaming\18.exe
C:\Users\Admin\AppData\Roaming\18.exe
C:\Users\Admin\AppData\Roaming\19.exe
C:\Users\Admin\AppData\Roaming\19.exe
C:\Users\Admin\AppData\Roaming\20.exe
C:\Users\Admin\AppData\Roaming\20.exe
C:\Users\Admin\AppData\Roaming\21.exe
C:\Users\Admin\AppData\Roaming\21.exe
C:\Users\Admin\AppData\Roaming\22.exe
C:\Users\Admin\AppData\Roaming\22.exe
C:\Users\Admin\AppData\Roaming\23.exe
C:\Users\Admin\AppData\Roaming\23.exe
C:\Users\Admin\AppData\Roaming\24.exe
C:\Users\Admin\AppData\Roaming\24.exe
C:\Users\Admin\AppData\Roaming\25.exe
C:\Users\Admin\AppData\Roaming\25.exe
C:\Users\Admin\AppData\Roaming\26.exe
C:\Users\Admin\AppData\Roaming\26.exe
C:\Users\Admin\AppData\Roaming\27.exe
C:\Users\Admin\AppData\Roaming\27.exe
C:\Users\Admin\AppData\Roaming\28.exe
C:\Users\Admin\AppData\Roaming\28.exe
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\29.exe
C:\Users\Admin\AppData\Roaming\29.exe
C:\Users\Admin\AppData\Roaming\30.exe
C:\Users\Admin\AppData\Roaming\30.exe
C:\Users\Admin\AppData\Roaming\31.exe
C:\Users\Admin\AppData\Roaming\31.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 480
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\18.exe"
C:\Users\Admin\AppData\Roaming\21.exe
"{path}"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Users\Admin\AppData\Roaming\21.exe
"{path}"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@2456
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Users\Admin\AppData\Roaming\24.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Roaming\27.exe
C:\Users\Admin\AppData\Roaming\27.exe /C
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@2396
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f0
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp361E.tmp"
C:\Users\Admin\AppData\Roaming\11.exe
"{path}"
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\13.exe
C:\Users\Admin\AppData\Roaming\13.exe
C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\11.exe"
C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55EE.tmp"
C:\Users\Admin\AppData\Roaming\feeed.exe
"C:\Users\Admin\AppData\Roaming\feeed.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55ED.tmp"
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe
"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"
C:\Users\Admin\AppData\Roaming\9.exe
"{path}"
C:\Users\Admin\AppData\Roaming\26.exe
"{path}"
C:\Users\Admin\AppData\Roaming\Microsoft\Bhqevyhv\ivnvomxh.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Bhqevyhv\ivnvomxh.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zndmpdj /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I zndmpdj" /SC ONCE /Z /ST 06:07 /ET 06:19
C:\Users\Admin\AppData\Roaming\Microsoft\Bhqevyhv\ivnvomxh.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Bhqevyhv\ivnvomxh.exe /C
C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe
"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Windows\system32\taskeng.exe
taskeng.exe {0CD01310-6B27-4613-93A9-05A17B8F0679} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9348 CREDAT:275457 /prefetch:2
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9348 CREDAT:3617797 /prefetch:2
C:\Windows\system32\taskeng.exe
taskeng.exe {77D542E8-483B-43FB-8B2D-0BE6D283C016} S-1-5-18:NT AUTHORITY\System:Service:
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| FR | 92.204.160.54:443 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 185.45.193.50:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.xtremefish.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.allnaturalcbdshampton.com | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.buynewcartab.live | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.wuxifanggang.com | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.worstig.com | udp |
| US | 8.8.8.8:53 | www.hoidonghuongkimson.com | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.platform35markethall.com | udp |
| NL | 45.153.186.47:443 | | tcp |
| US | 8.8.8.8:53 | www.myhealthfuldiet.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 93.115.21.29:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.hannan-football.com | udp |
| NL | 93.115.21.29:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.livinglifeawakened.com | udp |
| US | 8.8.8.8:53 | www.spillerakademi.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.conceptweaversindia.online | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.saltbgone.com | udp |
| US | 8.8.8.8:53 | www.honeygrandpa.com | udp |
| US | 8.8.8.8:53 | www.bihusomu40.win | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| NL | 185.45.193.50:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| NL | 2.56.213.179:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.eatatnobu.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.uppertenpiercings.amsterdam | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.serviciodomicilio.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.netcorrespondents.com | udp |
| NL | 45.153.186.47:443 | | tcp |
| US | 8.8.8.8:53 | www.xtremefish.com | udp |
| US | 8.8.8.8:53 | www.isnxwa.info | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| FR | 92.204.160.54:443 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.livetv247.win | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.yuhe89.com | udp |
| NL | 2.56.213.179:443 | | tcp |
| US | 8.8.8.8:53 | www.norjax.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.kuzey.site | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.broemail.com | udp |
| US | 8.8.8.8:53 | www.cocodrilodigital.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.cscycorp.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.phiscalp.com | udp |
| US | 8.8.8.8:53 | www.hebitaixin.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.21oms.us | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | www.history.fail | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.vllii.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.jasperrvservices.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.hotmobile-uk.com | udp |
| US | 8.8.8.8:53 | www.golphysi.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.akisanblog.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.walletcasebuy.com | udp |
| US | 8.8.8.8:53 | www.crazzysex.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.hamdimagdeco.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.langongzi.net | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | www.gteesrd.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.joomlas123.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.dtechconsultants.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.bayfrontbabyplace.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.wellnessitaly.store | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.zohariaz.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.realestatestructureddata.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.valuereceipt.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.pmtradehouse.com | udp |
| US | 8.8.8.8:53 | www.tesla-magnumopus.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.wuxifanggang.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.yngny.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.larozeimmo.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.theworldexams.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.182man.com | udp |
| US | 8.8.8.8:53 | www.cdpogo.net | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.allnaturalcbdshampton.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.ntdao.com | udp |
| US | 8.8.8.8:53 | www.wernerkrug.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.xsxnet.net | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.powerful-seldom.com | udp |
| US | 8.8.8.8:53 | www.feelgoodpainting.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.wuxifanggang.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | mail.pro-powersourcing.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.yuhe89.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.bespokewomensuits.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.hoidonghuongkimson.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.sw328.com | udp |
| US | 8.8.8.8:53 | www.manufacturehealth.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.myhealthfuldiet.com | udp |
| FR | 92.204.160.54:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.worstig.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.paklfz.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 96.227.122.123:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | www.livinglifeawakened.com | udp |
| FR | 92.204.160.54:443 | | tcp |
| US | 8.8.8.8:53 | www.ohchacyberphoto.com | udp |
| US | 96.227.122.123:443 | | tcp |
| US | 8.8.8.8:53 | www.bs3399.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| NL | 185.45.193.50:443 | | tcp |
| US | 8.8.8.8:53 | www.honeygrandpa.com | udp |
| US | 96.227.122.123:443 | | tcp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.cdpogo.net | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.manufacturehealth.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| NL | 185.45.193.50:443 | | tcp |
| US | 96.227.122.123:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.uppertenpiercings.amsterdam | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.ketotoken.com | udp |
| US | 8.8.8.8:53 | www.archaicways.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.livetv247.win | udp |
| US | 72.204.242.138:443 | | tcp |
| US | 8.8.8.8:53 | www.matewhereareyou.net | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.conceptweaversindia.online | udp |
| US | 72.204.242.138:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| IR | 194.180.224.89:1234 | | tcp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.cscycorp.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.xtremefish.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 72.204.242.138:443 | | tcp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.garrettfitz.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.21oms.us | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 72.204.242.138:443 | | tcp |
| US | 8.8.8.8:53 | www.sw328.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | www.yngny.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.canliarkadas.net | udp |
| IR | 194.180.224.89:1234 | | tcp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.yuhe89.com | udp |
| US | 72.179.242.236:80 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.worldaspect.win | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | www.discoveryoverload.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.teslaoceanic.info | udp |
| NL | 45.153.186.47:443 | | tcp |
| US | 72.179.242.236:80 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| NL | 93.115.21.29:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.bihusomu40.win | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 72.179.242.236:80 | | tcp |
| US | 8.8.8.8:53 | www.xtremefish.com | udp |
| US | 8.8.8.8:53 | www.jepekha.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| NL | 45.153.186.47:443 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 93.115.21.29:443 | | tcp |
| US | 8.8.8.8:53 | www.serviciodomicilio.com | udp |
| US | 72.179.242.236:80 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | www.cocodrilodigital.com | udp |
| US | 8.8.8.8:53 | www.jasperrvservices.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 93.115.21.29:443 | | tcp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.isnxwa.info | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 98.116.62.242:443 | | tcp |
| US | 8.8.8.8:53 | www.hebitaixin.com | udp |
| US | 8.8.8.8:53 | mail.pro-powersourcing.com | udp |
| US | 8.8.8.8:53 | www.yabbanet.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 93.115.21.29:443 | | tcp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.norjax.com | udp |
| US | 98.116.62.242:443 | | tcp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | www.vllii.com | udp |
| US | 8.8.8.8:53 | www.akisanblog.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| NL | 193.34.166.247:443 | | tcp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 98.116.62.242:443 | | tcp |
| NL | 185.45.193.50:443 | | tcp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | www.buynewcartab.live | udp |
| US | 98.116.62.242:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.myhealthfuldiet.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 193.34.166.247:443 | | tcp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| NL | 185.45.193.50:443 | | tcp |
| US | 8.8.8.8:53 | www.norjax.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.worstig.com | udp |
| US | 8.8.8.8:53 | www.hamdimagdeco.com | udp |
| CA | 104.221.4.11:2222 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| NL | 2.56.213.179:443 | | tcp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.hotmobile-uk.com | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| CA | 104.221.4.11:2222 | | tcp |
| US | 8.8.8.8:53 | www.golphysi.com | udp |
| US | 8.8.8.8:53 | www.wxvbill.com | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| NL | 2.56.213.179:443 | | tcp |
| IR | 194.180.224.89:1234 | | tcp |
| CA | 104.221.4.11:2222 | | tcp |
| US | 8.8.8.8:53 | www.al208.com | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.crazzysex.com | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 8.8.8.8:53 | sibelikinciel.xyz | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| US | 8.8.8.8:53 | www.joomlas123.com | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| CA | 104.221.4.11:2222 | | tcp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | www.jujiangxizang.com | udp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| NL | 45.153.186.47:443 | | tcp |
| US | 8.8.8.8:53 | www.gteesrd.com | udp |
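The table mixes two kinds of rows: DNS lookups (UDP to the sandbox resolver at 8.8.8.8:53, with the queried name in the Domain column) and direct TCP connections (no Domain). For IOC extraction the two need separating, and the direct connections on non-standard ports (194.180.224.89:1234, 104.221.4.11:2222) deserve first attention. The following Python is an added example, not part of the sandbox report: it parses rows in this table's layout, counts DNS queries per name, counts direct TCP connections per endpoint, and ranks endpoints for follow-up. The sample rows are a constructed excerpt copied from the table above; the choice of 80 and 443 as "well known" ports that rank lower is the editor's assumption. The parser finds the protocol cell by its value rather than its column position, so it also accepts rows whose empty Domain cell was dropped during extraction.

```python
"""Pull network IOCs out of the Network table above.

Added example, not part of the sandbox report.  SAMPLE_TABLE is a constructed
excerpt of rows copied from the table above; WELL_KNOWN_PORTS is the editor's
assumption about which ports rank lower for follow-up.
"""
from collections import Counter
from dataclasses import dataclass

WELL_KNOWN_PORTS = frozenset({"80", "443"})   # assumption: rank these below others


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str     # "ip:port"
    proto: str    # "tcp" or "udp"
    domain: str   # queried name for DNS rows; "" for direct connections


def parse_row(line):
    """Parse one pipe-delimited row; return None for the header or non-rows.

    The protocol cell is located by value, not by column index, so a row whose
    empty Domain cell was dropped parses the same as a well-formed one."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    proto = next((c.lower() for c in cells if c.lower() in ("tcp", "udp")), None)
    if proto is None:
        return None
    rest = [c for c in cells if c and c.lower() not in ("tcp", "udp")]
    if len(rest) < 2 or ":" not in rest[1]:
        return None
    country, dest = rest[0], rest[1]
    domain = rest[2] if len(rest) > 2 else ""
    return Flow(country, dest, proto, domain)


def parse_table(text):
    return [f for f in map(parse_row, text.splitlines()) if f is not None]


def dns_queries(flows):
    """Count DNS lookups per queried name (UDP rows to a :53 resolver)."""
    return Counter(f.domain for f in flows
                   if f.proto == "udp" and f.dest.endswith(":53") and f.domain)


def tcp_endpoints(flows):
    """Count direct TCP connections per (ip:port, country)."""
    return Counter((f.dest, f.country) for f in flows if f.proto == "tcp")


def rank_endpoints(flows, well_known=WELL_KNOWN_PORTS):
    """Order TCP endpoints for follow-up: non-standard ports first, then by
    connection count (descending), then by address for a stable order."""
    def key(item):
        (dest, _country), n = item
        port = dest.rsplit(":", 1)[1]
        return (port in well_known, -n, dest)
    return [(dest, country, n)
            for (dest, country), n in sorted(tcp_endpoints(flows).items(), key=key)]


# Constructed excerpt: rows copied from the table above, header included.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telete.in | udp |
| NL | 193.34.166.247:443 | | tcp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| FR | 92.204.160.54:443 | | tcp |
| US | 8.8.8.8:53 | ffvgdsv.ug | udp |
| NL | 193.34.166.247:443 | | tcp |
| IR | 194.180.224.89:1234 | | tcp |
| US | 8.8.8.8:53 | www.xtremefish.com | udp |
| CA | 104.221.4.11:2222 | | tcp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 72.179.242.236:80 | | tcp |
| IR | 194.180.224.89:1234 | | tcp |
"""

if __name__ == "__main__":
    flows = parse_table(SAMPLE_TABLE)
    for dest, country, n in rank_endpoints(flows):
        print(f"{dest:<22} {country}  x{n}")
    for name, n in dns_queries(flows).most_common():
        print(f"DNS {name} x{n}")
```

Run over the full table the DNS counter separates the names queried repeatedly throughout the run (telete.in, ffvgdsv.ug, sibelikinciel.xyz, onedrive.live.com, nodejs.org) from the long tail of `www.*` names queried once or twice, and the ranking puts the two non-standard-port endpoints above the :443 and :80 connections regardless of how often each was contacted.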
Files
C:\Users\Admin\AppData\Local\Temp\C487.tmp\C488.tmp\C489.bat
| MD5 | ba36077af307d88636545bc8f585d208 |
| SHA1 | eafa5626810541319c01f14674199ab1f38c110c |
| SHA256 | bec099c24451b843d1b5331686d5f4a2beff7630d5cd88819446f288983bda10 |
| SHA512 | 933c2e5de3bc180db447e6864d7f0fa01e796d065fcd8f3d714086f49ec2f3ae8964c94695959beacf07d5785b569fd4365b7e999502d4afa060f4b833b68d80 |
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | 715c838e413a37aa8df1ef490b586afd |
| SHA1 | 4aef3a0036f9d2290f7a6fa5306228abdbc9e6e1 |
| SHA256 | 4c21a70dbc6b9bc5e1ee1e7506ee205eecdb14cc45571423e6bcc86dbe4001e7 |
| SHA512 | af13c0efb1552bbfbb517e27ff70a00cba5c230e3d2e707bd28a9ccce40e0402793c4ecc32ba1418f19a3744b78b89e5c8709eae3ad5f883c474832c182de861 |
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | d2e2c65fc9098a1c6a4c00f9036aa095 |
| SHA1 | c61b31c7dbebdd57a216a03a3dc490a3ea9f5abd |
| SHA256 | 4d7421e6d0ac81e2292bcff52f7432639c4f434519db9cf2985b46a0069b2be8 |
| SHA512 | b5bd047ca4ee73965719669b29478a9d33665752e1dbe0f575a2da759b90819e64125675da749624b2d8c580707fd6a932685ab3962b5b88353981e857fe9793 |
C:\Users\Admin\AppData\Roaming\1.jar
| MD5 | a5d6701073dbe43510a41e667aaba464 |
| SHA1 | e3163114e4e9f85ffd41554ac07030ce84238d8c |
| SHA256 | 1d635c49289d43e71e2b10b10fbb9ea849a59eacedfdb035e25526043351831c |
| SHA512 | 52f711d102cb50fafefc2a9f2097660b950564ff8e9324471b9bd6b7355321d60152c78f74827b05b6332d140362bd2c638b8c9cdb961431ab5114e01851fbe4 |
C:\Users\Admin\AppData\Roaming\4.exe
| MD5 | ec7506c2b6460df44c18e61d39d5b1c0 |
| SHA1 | 7c3e46cd7c93f3d9d783888f04f1607f6e487783 |
| SHA256 | 4e36dc0d37ead94cbd7797668c3c240ddc00fbb45c18140d370c868915b8469d |
| SHA512 | cf16f6e5f90701a985f2a2b7ad782e6e1c05a7b6dc0e644f7bdd0350f717bb4c9e819a8e9f383da0324b92f354c74c11b2d5827be42e33f861c233f3baab687e |
C:\Users\Admin\AppData\Roaming\5.exe
| MD5 | 4fcc5db607dbd9e1afb6667ab040310e |
| SHA1 | 48af3f2d0755f0fa644fb4b7f9a1378e1d318ab9 |
| SHA256 | 6fb0eacc8a7abaa853b60c064b464d7e87b02ef33d52b0e9a928622f4e4f37c7 |
| SHA512 | a46ded4552febd7983e09069d26ab2885a8087a9d43904ad0fedcc94a5c65fe0124bbf0a7d3e7283cb3459883e53c95f07fa6724b45f3a9488b147de42221a26 |
C:\Users\Admin\AppData\Roaming\7.exe
| MD5 | 42d1caf715d4bd2ea1fade5dffb95682 |
| SHA1 | c26cff675630cbc11207056d4708666a9c80dab5 |
| SHA256 | 8ea389ee2875cc95c5cd2ca62ba8a515b15ab07d0dd7d85841884cbb2a1fceea |
| SHA512 | b21a0c4b19ffbafb3cac7fad299617ca5221e61cc8d0dca6d091d26c31338878b8d24fe98a52397e909aaad4385769aee863038f8c30663130718d577587527f |
C:\Users\Admin\AppData\Roaming\8.exe
| MD5 | dea5598aaf3e9dcc3073ba73d972ab17 |
| SHA1 | 51da8356e81c5acff3c876dffbf52195fe87d97f |
| SHA256 | 8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c |
| SHA512 | a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e |
memory/1128-112-0x0000000000440000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Roaming\9.exe
| MD5 | ea88f31d6cc55d8f7a9260245988dab6 |
| SHA1 | 9e725bae655c21772c10f2d64a5831b98f7d93dd |
| SHA256 | 33f77b1bca36469dd734af67950223a7b1babd62a25cb5f0848025f2a68b9447 |
| SHA512 | 5952c4540b1ae5f2db48aaae404e89fb477d233d9b67458dd5cecc2edfed711509d2e968e6af2dbb3bd2099c10a4556f7612fc0055df798e99f9850796a832ad |
memory/1948-122-0x0000000000D70000-0x0000000000E1C000-memory.dmp
memory/1076-109-0x00000000002E0000-0x00000000003E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\10.exe
| MD5 | 68f96da1fc809dccda4235955ca508b0 |
| SHA1 | f182543199600e029747abb84c4448ac4cafef82 |
| SHA256 | 34b63aa5d2cff68264891f11e8d6875a38ff28854e9723b1db9c154a5abe580c |
| SHA512 | 8512aa47d9d2062a8943239ab91a533ad0fa2757aac8dba53d240285069ddbbff8456df20c58e063661f7e245cb99ccbb49c6f9a81788d46072d5c8674da40f7 |
C:\Users\Admin\AppData\Roaming\6.exe
| MD5 | cf04c482d91c7174616fb8e83288065a |
| SHA1 | 6444eb10ec9092826d712c1efad73e74c2adae14 |
| SHA256 | 7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf |
| SHA512 | 3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6 |
memory/1592-124-0x0000000000C90000-0x0000000000D4E000-memory.dmp
memory/1948-126-0x0000000000410000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Roaming\11.exe
| MD5 | 9d4da0e623bb9bb818be455b4c5e97d8 |
| SHA1 | 9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0 |
| SHA256 | 091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8 |
| SHA512 | 6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37 |
C:\Users\Admin\AppData\Roaming\13.exe
| MD5 | 349f49be2b024c5f7232f77f3acd4ff6 |
| SHA1 | 515721802486abd76f29ee6ed5b4481579ab88e5 |
| SHA256 | 262d38348a745517600abe0719345c6d17c8705dd3b4d67e7a545a94b9388b60 |
| SHA512 | a6c9a96c7738f6408c28b1579009167136ce9d3d68deb4c02f57324d800bce284f5d63a9d589651e8ab37b2ac17bf94e9bd59c63aaa3b66f0891e55ba7d646a0 |
C:\Users\Admin\AppData\Roaming\12.exe
| MD5 | 192830b3974fa27116c067f019747b38 |
| SHA1 | 469fd8a31d9f82438ab37413dae81eb25d275804 |
| SHA256 | 116e5f36546b2ec14aba42ff69f2c9e18ecde3b64abb44797ac9efc6c6472bff |
| SHA512 | 74ebe5adb71c6669bc39fc9c8359cc6bc9bb1a77f5de8556a1730de23104fe95ec7a086c19f39706286b486314deafd7e043109414fd5ce0584f2fbbc6d0658a |
C:\Users\Admin\AppData\Roaming\15.exe
| MD5 | d43d9558d37cdac1690fdeec0af1b38d |
| SHA1 | 98e6dfdd79f43f0971c0eaa58f18bce0e8cbf555 |
| SHA256 | 501c921311164470ca8cb02e66146d8e3f36baa54bfc3ecb3a1a0ed3186ecbc5 |
| SHA512 | 9a357c1bbc153ddc017da08c691730a47ab0ff50834cdc69540ede093d17d432789586d8074a4a8816fb1928a511f2a899362bb03feab16ca231adfdc0004aca |
C:\Users\Admin\AppData\Roaming\17.exe
| MD5 | 15a05615d617394afc0231fc47444394 |
| SHA1 | d1253f7c5b10e7a46e084329c36f7692b41c6d59 |
| SHA256 | 596566f6cb70d55b1b0978a0fab4cffd5049559545fe7ee2fa3897ccbc46c013 |
| SHA512 | 6deea7c0c3795de7360b11fa04384e0956520a3a7bf5405d411b58487a35bba51eaca51c1e2dda910d4159c22179a9161d84da52193e376dfdf6bdfbe8e9f0f1 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
| MD5 | 56ba37144bd63d39f23d25dae471054e |
| SHA1 | 088e2aff607981dfe5249ce58121ceae0d1db577 |
| SHA256 | 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3 |
| SHA512 | 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0 |
C:\Users\Admin\AppData\Roaming\19.exe
| MD5 | ff96cd537ecded6e76c83b0da2a6d03c |
| SHA1 | ec05b49da2f8d74b95560602b39db3943de414cb |
| SHA256 | 7897571671717742304acde430e5959c09fd9c29fbbe808105f00a1f663927ac |
| SHA512 | 24a827fda9db76c030852ef2db73c6b75913c9ee55e130a3c9a7c6ff7aff0fb7192ff1c47cd266b91500a04657b2da61a5fc00e48e7fbc27a6cbc9b7d91daa4b |
C:\Users\Admin\AppData\Roaming\21.exe
| MD5 | 9a7f746e51775ca001efd6ecd6ca57ea |
| SHA1 | 7ea50de8dd8c82a7673b97bb7ccd665d98de2300 |
| SHA256 | c4c308629a06c9a4af93fbd747ed2421e2ff2460347352366e51b91d19737400 |
| SHA512 | 20cd6af47a92b396ae565e0a21d3acaa0d3a74bcdccc1506a55dea891da912b03256ba9900c2c089fe44d71210e3c100ba4601cf4d6c9b492a2ce0d323d4c57f |
C:\Users\Admin\AppData\Roaming\20.exe
| MD5 | ddcdc714bedffb59133570c3a2b7913f |
| SHA1 | d21953fa497a541f185ed87553a7c24ffc8a67ce |
| SHA256 | be3e6008dde30cb959b90a332a79931b889216a9483944dc5c0d958dec1b8e46 |
| SHA512 | a1d728751490c6cf21f9597c6df6f8db857c28d224b2d03e6d25ce8f17557accbd8ef2972369337b9d3305d5b9029001e5300825c23ce826884dcee55b37562c |
C:\Users\Admin\AppData\Roaming\18.exe
| MD5 | bf15960dd7174427df765fd9f9203521 |
| SHA1 | cb1de1df0c3b1a1cc70a28629ac51d67901b17aa |
| SHA256 | 9187706072f008a27c26421791f57ec33a59b44b012500b2db3eeb48136fb2da |
| SHA512 | 7e8b9907233234440135f27ad813db97e20790baf8cb92949ae9185fa09cb4b7b0da35b6da2b33f3ac64a33545f32f959d90d73f7a6a4f14988c8ac3fd005074 |
memory/2912-156-0x0000000001000000-0x000000000106E000-memory.dmp
C:\Users\Admin\AppData\Roaming\22.exe
| MD5 | 48e9df7a479e3fd63064ec66e2283a45 |
| SHA1 | a8dcce44de655a97a3448758b397a37d1f7db549 |
| SHA256 | c7d8c3c379dcc42fa796b07b6a9155826d39cbd2f264bc68d22a63b17c8ef7df |
| SHA512 | 6cc839f118cad9982ec998665b409dc297a8cff9b23ec2a9105d15cf58d9adbf46d0048dda76c8e1574f6288d901912b7de373920b68b53dbda43d6075611016 |
memory/2456-166-0x0000000003550000-0x00000000037C7000-memory.dmp
C:\Users\Admin\AppData\Roaming\24.exe
| MD5 | 43728c30a355702a47c8189c08f84661 |
| SHA1 | 790873601f3d12522873f86ca1a87bf922f83205 |
| SHA256 | cecdf155db1d228bc153ebe762d7970bd6a64e81cf5f977343f906a1e1d56e44 |
| SHA512 | b2d0882d5392007364e5f605c405b98a375e34dec63be5d16d9fae374313336fa13edbb6b8894334afb409833ffc0dbbc9be3d7b4263bdf5b77dbff9f2182e1e |
memory/860-179-0x0000000000020000-0x000000000002E000-memory.dmp
C:\Users\Admin\AppData\Roaming\28.exe
| MD5 | 2ef457653d8aeb241637c8358b39863f |
| SHA1 | 578ed06d6c32c44f69a2c2454f289fb0a5591f30 |
| SHA256 | dcffe599c886878ed4bed045140bd13d7bc9bd5085163ea00857aa09a93f4060 |
| SHA512 | 16f98c1d29b8cfaaf3003c5264ca6b4363764c351d5106919eaf2c3bfab26e0fb189dd0e0b82b4d294ba5f3fe535d71cd25c93c2bf9fd27d84c2dd0a2bc99b69 |
memory/860-177-0x0000000000020000-0x000000000002E000-memory.dmp
C:\Users\Admin\AppData\Roaming\27.exe
| MD5 | 3d2c6861b6d0899004f8abe7362f45b7 |
| SHA1 | 33855b9a9a52f9183788b169cc5d57e6ad9da994 |
| SHA256 | dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064 |
| SHA512 | 19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e |
C:\Users\Admin\AppData\Roaming\29.exe
| MD5 | 0009efe13eaf4dd3d091bc6e9ca7c1e7 |
| SHA1 | f2be84149784db1d1b7746afde07d781805bd35f |
| SHA256 | de30d86cff3d838162aa88112a946dfb3af84005dda6bbc70cee15e8dff70ba3 |
| SHA512 | cf96410d5a528b52d92c37fac77ff3a8326ad6c2b3bbe00b44d55c758c5521870b9149b2fe8f743e6e7d90259eab5b3d19ed253abb8bea7660530c9b9ea70405 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.id-DE3F4A2D.[[email protected]].BOMBO
| MD5 | b090dc027e2af3f6ddcdec5943f22a93 |
| SHA1 | dde0dd2a88d40db5ed06c324d9b832ded8c74b3d |
| SHA256 | 87ff2c87007c89e36a646fb650c34a3e8f6af642df9c81dac40b72bb2c654ce7 |
| SHA512 | e04d10b9ed94ff0451322257fa460345ac9f3329b805e0d337421f0541145c13fa21c25c97ab23104bdc50512e63d836daa5087a8980d23d5cdab596e7778485 |
memory/3012-175-0x0000000000460000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Roaming\26.exe
| MD5 | c3da5cb8e079024e6d554be1732c51cf |
| SHA1 | e8f4499366fe67c9ae6fd1f5acbf56a9b956d4c3 |
| SHA256 | d7479a2f9f080742d17077fb4ccfc24583fa7a35842ba505cd43ed266734ce1f |
| SHA512 | 2395e084aef01c2a3f18524ee2c860f21e785849ce588a6ac7f58b45b6f7ba6dd25c052c49cc41dd72b3ebb7d476d88787aa273af82afc6fe17eb9e0ad4d7043 |
memory/3012-176-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\30.exe
| MD5 | fc44b935b0188657684c40113f7ab81c |
| SHA1 | 76c4a1262eb49daa55a24aadd7e3a48f2c22abd2 |
| SHA256 | f5b2489109d68b6ac83b453b8df1c7e1e9ec2636e162efdbaab4d27c1ce2dd69 |
| SHA512 | 95cdf42503a546b8c3de9c1d0f0ffc5fca9955739591e011ec1dfd8b5c83492bc14261bbb042275f281cc12b59edb071e3dd72dad64c11481d118910a6052f9a |
C:\Users\Admin\AppData\Roaming\25.exe
| MD5 | 4bbcdf7f9deb1025ca56fa728d1fff48 |
| SHA1 | bdc80dfb759c221a850ac29664a27efd8d718a89 |
| SHA256 | d2c49ce7e49109214a98eaa2d39f0749c1e779bd139af1cadae55e1ccb55753b |
| SHA512 | ea78c4935864dcddbf6f0516e1d5c095c4814ac988ccc038d0dc11c1fab7127ded45ff35b12bad845422c20f45311101706f0ef14cb1d629277ae276a2535383 |
C:\Users\Admin\AppData\Roaming\31.exe
| MD5 | 4c4f3c4c8145b2bb3f79dc1a79f013a9 |
| SHA1 | 9b1d80f6f950d30d134537f16f1f24fb66a41543 |
| SHA256 | f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b |
| SHA512 | 7c842577871a8bdf80a3da9dad91dea92dce764c00c874c821cbe2998a0a9d9921f0efb28bd5465deef02a6a6fdcb682a75b25976d7fac421fad8bf39d1c6c37 |
memory/2624-265-0x0000000000400000-0x0000000002DF6000-memory.dmp
C:\Users\Admin\AppData\Roaming\23.exe
| MD5 | 0dca3348a8b579a1bfa93b4f5b25cddd |
| SHA1 | 1ee1bcfd80cd7713093f9c053ef2d8c2cd673cd7 |
| SHA256 | c430a15c1712a571b0cd3ed0e5dfeefa7e78865a91bdc12e66666cd37c0e9654 |
| SHA512 | f0a17a940dd1c956f2578ed852e94631a9762fdd825ed5160b3758e427e8efa2ff0bfc83f239976b1d2765fefc8f9182e41c2da8f5746b36d4b7d189cb14a1b8 |
C:\Users\Admin\AppData\Roaming\14.exe
| MD5 | 9acd34bcff86e2c01bf5e6675f013b17 |
| SHA1 | 59bc42d62fbd99dd0f17dec175ea6c2a168f217a |
| SHA256 | 384fef8417014b298dca5ae9e16226348bda61198065973537f4907ac2aa1a60 |
| SHA512 | 9de65becdfc9aaab9710651376684ee697015f3a8d3695a5664535d9dfc34f2343ce4209549cbf09080a0b527e78a253f19169d9c6eb6e4d4a03d1b31ded8933 |
memory/2356-514-0x0000000001200000-0x0000000001298000-memory.dmp
memory/2588-102-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/3012-100-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2356-603-0x0000000000BA0000-0x0000000000C02000-memory.dmp
memory/1592-604-0x00000000009F0000-0x00000000009F8000-memory.dmp
memory/1592-605-0x00000000043E0000-0x0000000004438000-memory.dmp
memory/1948-606-0x0000000000420000-0x0000000000428000-memory.dmp
memory/2912-609-0x0000000000790000-0x00000000007E2000-memory.dmp
memory/2912-610-0x0000000000D30000-0x0000000000D70000-memory.dmp
memory/2912-649-0x0000000000750000-0x000000000077D000-memory.dmp
memory/1948-1223-0x0000000000450000-0x0000000000458000-memory.dmp
memory/2908-1220-0x0000000000400000-0x0000000002DF6000-memory.dmp
memory/2356-1232-0x0000000000AC0000-0x0000000000B16000-memory.dmp
memory/1920-1959-0x0000000004AE0000-0x0000000004B38000-memory.dmp
memory/1920-1956-0x0000000000B30000-0x0000000000B9A000-memory.dmp
memory/848-2036-0x0000000000260000-0x00000000003E4000-memory.dmp
memory/848-2173-0x0000000000410000-0x0000000000416000-memory.dmp
memory/4700-2183-0x0000000000020000-0x000000000002E000-memory.dmp
memory/4700-2181-0x0000000000020000-0x000000000002E000-memory.dmp
memory/1948-2202-0x0000000000460000-0x0000000000468000-memory.dmp
memory/848-2206-0x000000000D780000-0x000000000D91A000-memory.dmp
memory/848-2358-0x0000000000740000-0x0000000000746000-memory.dmp
memory/1128-2532-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4272-2535-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4272-2539-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4272-2546-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1364-2534-0x0000000000400000-0x0000000002DE1000-memory.dmp
memory/2456-2574-0x0000000000400000-0x000000000300E000-memory.dmp
memory/2456-2531-0x0000000000400000-0x000000000300E000-memory.dmp
memory/4488-2581-0x0000000002280000-0x00000000024EB000-memory.dmp
memory/4272-2537-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4272-2545-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4272-2544-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4272-2543-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/4272-2541-0x0000000000400000-0x000000000044E000-memory.dmp
memory/892-3003-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/4460-3015-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4460-3014-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4460-3013-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4460-3012-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/4460-3010-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4460-3008-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4460-3006-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4460-3004-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3432-3027-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3432-3026-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3432-3024-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3432-3020-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2704-4630-0x0000000000330000-0x0000000000331000-memory.dmp
memory/3808-11965-0x0000000000160000-0x000000000020C000-memory.dmp
memory/4944-12769-0x0000000000400000-0x0000000000452000-memory.dmp
memory/9360-12811-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1356-13582-0x0000000000400000-0x0000000000452000-memory.dmp
memory/5352-21288-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\30SUS37JYXMYFA5MJ285.temp
| MD5 | eeb73d6b38b2a38d461144e1aa623110 |
| SHA1 | 0331d24a7178719403cec758006f9aad84457459 |
| SHA256 | 834f3c89a155d609b050ba4652645dfb6902c259298bd8a9682f7ecf8a8ab57a |
| SHA512 | f20d945b6216faede7242bb5ceaa2671785140cd210f98046bf541201e9831e14550267adbc72b33833090999cf1ceee3a1bbecd5d1b3e82cc3ded03e01b3baa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\dnserror[1]
| MD5 | 73c70b34b5f8f158d38a94b9d7766515 |
| SHA1 | e9eaa065bd6585a1b176e13615fd7e6ef96230a9 |
| SHA256 | 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4 |
| SHA512 | 927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\NewErrorPageTemplate[1]
| MD5 | cdf81e591d9cbfb47a7f97a2bcdb70b9 |
| SHA1 | 8f12010dfaacdecad77b70a3e781c707cf328496 |
| SHA256 | 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd |
| SHA512 | 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\errorPageStrings[1]
| MD5 | e3e4a98353f119b80b323302f26b78fa |
| SHA1 | 20ee35a370cdd3a8a7d04b506410300fd0a6a864 |
| SHA256 | 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66 |
| SHA512 | d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\httpErrorPagesScripts[1]
| MD5 | 3f57b781cb3ef114dd0b665151571b7b |
| SHA1 | ce6a63f996df3a1cccb81720e21204b825e0238c |
| SHA256 | 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad |
| SHA512 | 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa |
Analysis: behavioral24
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:20
Platform
win10v2004-20250217-en
Max time kernel
872s
Max time network
877s
Command Line
Signatures
Renames multiple (193) files with added filename extension
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe | N/A |
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f7b32dcf-d7db-44f8-b293-7384756f60a1\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe | N/A |
Drops desktop.ini file(s)
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1874072718-2205492803-118941907-1000\{7DAE3372-98FD-4433-8AAC-90B51EB6A07F} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3856 -ip 3856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1648
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1184 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2416 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2416 -ip 2416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4284 -ip 4284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1184 -ip 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1300
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2000 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3380 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3880 -ip 3880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2000 -ip 2000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3572 -ip 3572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3380 -ip 3380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1284
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4984 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1084 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 392 -ip 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3580 -ip 3580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1084 -ip 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1344
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2480 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1828 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 4088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3464 -ip 3464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1344
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | loot.ug | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
Files
memory/3856-0-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3856-2-0x0000000000670000-0x0000000000770000-memory.dmp
memory/3856-3-0x0000000000400000-0x0000000000476000-memory.dmp
memory/3856-4-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3856-6-0x0000000000670000-0x0000000000770000-memory.dmp
C:\Users\Admin\AppData\Local\f7b32dcf-d7db-44f8-b293-7384756f60a1\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
| MD5 | ead18f3a909685922d7213714ea9a183 |
| SHA1 | 1270bd7fd62acc00447b30f066bb23f4745869bf |
| SHA256 | 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18 |
| SHA512 | 6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91 |
memory/3856-10-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3856-11-0x0000000000400000-0x0000000000476000-memory.dmp
memory/1184-13-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1184-14-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1184-16-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1184-17-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1184-18-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4284-20-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4284-21-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2416-23-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1184-24-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4284-25-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2416-30-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4284-31-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2104-32-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2104-34-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2416-35-0x0000000000400000-0x00000000004A9000-memory.dmp
C:\Users\Public\Documents\_readme.txt
| MD5 | d75064cfaac9c92f52aadf373dc7e463 |
| SHA1 | 36ea05181d9b037694929ec81f276f13c7d2655c |
| SHA256 | 163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508 |
| SHA512 | 43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1 |
C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
| MD5 | f782b09fd215d3d9bb898d61ea2e7a37 |
| SHA1 | a382348e9592bdf93dd10c49773b815a992fa7c7 |
| SHA256 | 7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694 |
| SHA512 | 9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606 |
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi
| MD5 | c3c0fe1bf5f38a6c89cead208307b99c |
| SHA1 | df5d4f184c3124d4749c778084f35a2c00066b0b |
| SHA256 | f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf |
| SHA512 | 0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806 |
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
| MD5 | b2e47100abd58190e40c8b6f9f672a36 |
| SHA1 | a754a78021b16e63d9e606cacc6de4fcf6872628 |
| SHA256 | 889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128 |
| SHA512 | d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9 |
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi
| MD5 | 078fdfc06d675c9476796f61e8d8b396 |
| SHA1 | 183e0f30aad003e5443fc282813f349ebd7bb1c8 |
| SHA256 | 71474bbf9ec8997bb0ec65853cb095b000f1cdd52aa3f53b486a994588a4b7f7 |
| SHA512 | ec1b7bb3993e7022b600557fb63f405cca68fa269ebf9cebb4c699c7e35ac3bdafac44c12b60b67c01987d499023a2b5cfea0bdb66684eff4d67546ec5952a68 |
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi
| MD5 | 01bc6dc2e63ba4656e64f83debbc1f4e |
| SHA1 | 823cb85a326995b562bd02e26996a4a841795322 |
| SHA256 | b96e7138eee33474e5ec02c855673b56f78f0773d10fb962b7c9d015597db689 |
| SHA512 | 90f0a9df306c83c3c10cdc7cb03110bb75796b3462a3562743a5a4cf9366d85e157cdf7b60bf6458051a0deec9275ae30fc49d19f83aebaae01ec908b3335175 |
memory/4284-1045-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1184-1047-0x0000000000400000-0x00000000004A9000-memory.dmp
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.kropun
| MD5 | 4e6518161cc338011531e6ec335401e2 |
| SHA1 | 6d221aae3781af873141e6bbc6790c7ffb20259e |
| SHA256 | a47f41aa7bcec0354731bea88367b16ea9010ff199298e613b6e3aee6744beca |
| SHA512 | 549c082c5d737f1b1ffcabea6b7f5c44d87efbc9864081afb02a10fa33ffb7c4a081956814e0ccbf9f0ed8a590c4ee9bad782ca49bd63ec9818a25e5b3af1382 |
C:\ProgramData\Microsoft\Windows\Caches\{515D1D2E-30B3-4E46-95D8-91A700101D15}.2.ver0x0000000000000001.db.kropun
| MD5 | 87441de3dfd89707017e8d778a8fe07a |
| SHA1 | f805de186c333a917f594d39605548ab9e9b89bc |
| SHA256 | 2b1577a68b6b18712cf25ce0f09a9a6d3ea973e6407da95fb7f041f1dd5e6a4e |
| SHA512 | 8ec2333bcdcbf57ee8212ec6fc23b2cb49740adcaa26d13d08e2fa702bf860529df1ae90d2501966ae012f8e93de5a6d6eebede0d6c55e8f94940bdc9c18a23b |
memory/2000-1052-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2000-1053-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2000-1054-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2000-1056-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2000-1057-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2000-1068-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3380-1069-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3880-1071-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3880-1074-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/2000-1075-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3380-1077-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3572-1078-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3572-1079-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/3380-1080-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4984-1083-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4984-1085-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4984-1086-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4984-1087-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4984-1089-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/4984-1090-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1084-1093-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/392-1094-0x0000000000400000-0x00000000004A9000-memory.dmp
C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db
| MD5 | 661c5f43049c7d971010c2d4bcda5bd8 |
| SHA1 | a282adce6c45f07b6d316bcff3d2081203da391e |
| SHA256 | 6a70cb8b488212ce9faeb5b9603c9f9d7c883285e4823325672dbe9fdabf8eba |
| SHA512 | 8731bef2115c4d5c92090ba102ebb1fac6109b4727ad05b94eadab57c99470ea0753697464a28eaa4b98cd35b339d843bd2e854d54554db849a115c273962be3 |
Analysis: behavioral26
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:24
Platform
win10v2004-20250217-en
Max time kernel
813s
Max time network
833s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\6306868794.bin.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:30
Platform
win7-20240903-en
Max time kernel
896s
Max time network
903s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe" | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2060 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe | C:\Users\Admin\AppData\Roaming\Client.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"
C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cocohack.dtdns.net | udp |
Files
C:\Users\Admin\AppData\Roaming\Client.exe
| MD5 | aa0a434f00c138ef445bf89493a6d731 |
| SHA1 | 2e798c079b179b736247cf20d1346657db9632c7 |
| SHA256 | 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654 |
| SHA512 | e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952 |
Analysis: behavioral3
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:16
Platform
win7-20241010-en
Max time kernel
719s
Max time network
734s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337.rar"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:15
Platform
win10v2004-20250217-en
Max time kernel
710s
Max time network
723s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 856 -ip 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1624
Network
| Country | Destination | Domain | Proto |
| RU | 217.8.117.77:80 | | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:30
Platform
win10v2004-20250217-en
Max time kernel
897s
Max time network
904s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe" | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2012 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe | C:\Users\Admin\AppData\Roaming\Client.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"
C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cocohack.dtdns.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | | tcp |
| US | 150.171.28.10:443 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Client.exe
| MD5 | aa0a434f00c138ef445bf89493a6d731 |
| SHA1 | 2e798c079b179b736247cf20d1346657db9632c7 |
| SHA256 | 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654 |
| SHA512 | e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:15
Platform
win10v2004-20250217-en
Max time kernel
688s
Max time network
702s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337.rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-02-26 05:50
Reported
2025-02-26 06:19
Platform
win10v2004-20250217-en
Max time kernel
661s
Max time network
674s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe
"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |