Malware Analysis Report

2024-11-15 08:41

Sample ID 220717-d6b1jaeda4
Target 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9
SHA256 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9
Tags
betabot backdoor botnet evasion persistence trojan xmrig miner upx
score
10/10

Analysis Overview

score
10/10

SHA256

523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9

Threat Level: Known bad

The file 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9 was found to be: Known bad.

Malicious Activity Summary

xmrig

BetaBot

Modifies firewall policy service

Modifies WinLogon for persistence

XMRig Miner payload

Executes dropped EXE

UPX packed file

Sets file execution options in registry

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Maps connected drives based on registry

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Checks processor information in registry

Modifies Internet Explorer Protected Mode Banner

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer Protected Mode

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-17 03:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-17 03:36

Reported

2022-07-17 04:25

Platform

win7-20220414-en

Max time kernel

175s

Max time network

187s

Command Line

C:\Windows\Explorer.EXE

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\733sces9a.exe C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\733sces9a.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "csunkxk.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\mahonia = "C:\\Users\\Admin\\AppData\\Roaming\\mahonia.exe" C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Helper 2 = "\"C:\\ProgramData\\Google Helper 2\\733sces9a.exe\"" C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\mahonia = "C:\\Users\\Admin\\AppData\\Roaming\\mahonia.exe" C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Helper 2 = "C:\\ProgramData\\Google Helper 2\\733sces9a.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Helper 2 = "\"C:\\ProgramData\\Google Helper 2\\733sces9a.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1220 set thread context of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 1744 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 1744 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 1744 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 1744 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 1744 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 1744 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 1744 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1744 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1744 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1744 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1744 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 1744 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 1744 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 1744 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 1220 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 884 wrote to memory of 1244 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 884 wrote to memory of 1244 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 884 wrote to memory of 1244 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 884 wrote to memory of 1244 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 884 wrote to memory of 1244 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 884 wrote to memory of 1244 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 884 wrote to memory of 1296 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 884 wrote to memory of 1296 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 884 wrote to memory of 1296 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 884 wrote to memory of 1296 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 884 wrote to memory of 1296 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 884 wrote to memory of 1296 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 884 wrote to memory of 1412 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 884 wrote to memory of 1412 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 884 wrote to memory of 2044 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 884 wrote to memory of 2044 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 884 wrote to memory of 968 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 884 wrote to memory of 968 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 884 wrote to memory of 968 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 884 wrote to memory of 968 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 884 wrote to memory of 968 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 884 wrote to memory of 968 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe

"C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe"

C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe

"C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe"

C:\Users\Admin\AppData\Roaming\googleup.exe

"C:\Users\Admin\AppData\Roaming\googleup.exe"

C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe

C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f4

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

C:\Users\Admin\AppData\Roaming\googleup.exe

"C:\Users\Admin\AppData\Roaming\googleup.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
US 20.112.52.29:80 microsoft.com tcp
US 8.8.8.8:53 microsup.ru udp
US 8.8.8.8:53 90.135.195.69.in-addr.arpa udp
US 69.195.135.90:80 tcp
US 69.195.135.90:80 tcp

Files

memory/1744-54-0x0000000076451000-0x0000000076453000-memory.dmp

memory/1744-55-0x00000000748E1000-0x00000000748E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsjB973.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe

MD5 0cd8d6746093c2b02b18e0da737a12d4
SHA1 19ec4c49c3adedb152137254c35bafc8b64407c8
SHA256 800d1d7f8bbdfc6a445bff377f76ee792552232b955b849fa5d86dabd41c16fb
SHA512 d63c431704e91afb4e3180d7a29be0d042094858c841229836910d32e7c0a215e284bb7d66d9897d9405dd4d9ab472e6b61e8b78d4127ae350df21df1157728e

memory/1412-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe

MD5 0cd8d6746093c2b02b18e0da737a12d4
SHA1 19ec4c49c3adedb152137254c35bafc8b64407c8
SHA256 800d1d7f8bbdfc6a445bff377f76ee792552232b955b849fa5d86dabd41c16fb
SHA512 d63c431704e91afb4e3180d7a29be0d042094858c841229836910d32e7c0a215e284bb7d66d9897d9405dd4d9ab472e6b61e8b78d4127ae350df21df1157728e

\Users\Admin\AppData\Roaming\googleup.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

\Users\Admin\AppData\Local\Temp\dup2patcher.dll

MD5 d7ded77042b691a5c5db7d501a047b9d
SHA1 d4da48a37fbae8f9ae5a0dcf11120374395360d3
SHA256 85767ce14351b0da5fdc03219fa45548ac4d42901ca0aec399eee3043bea0932
SHA512 d26dda75a97539239ec9ad515b4c29738e23a93db411fdcdad7ccb7ee432f4e424085b8061876f6be7ea09f79b1fc93b733f6c5ede294b2ec58dadfb221981e4

memory/1220-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\googleup.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

memory/2044-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\googleup.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

\Users\Admin\AppData\Local\Temp\nstCA25.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

\Users\Admin\AppData\Local\Temp\bassmod.dll

MD5 780d14604d49e3c634200c523def8351
SHA1 e208ef6f421d2260070a9222f1f918f1de0a8eeb
SHA256 844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
SHA512 a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

memory/2044-71-0x00000000747F1000-0x00000000747F3000-memory.dmp

C:\Users\Admin\AppData\Roaming\mahonia.exe

MD5 f2d7e52b6f02da7e308e27681ba27b39
SHA1 b96aba9b3e867c22e29c72e083b14f1865a1c7ff
SHA256 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9
SHA512 e8e015025b0574e78900c10eaac7d869fec223164181392b2d0683ae87d7a61d645bfed9a1439a586cacc70bb633f5a6d10b7e39b4c5801705bff580412c9623

\Users\Admin\AppData\Local\Temp\nseCC38.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/1412-74-0x00000000749A0000-0x0000000074A2F000-memory.dmp

memory/1412-75-0x0000000000100000-0x0000000000103000-memory.dmp

memory/1220-77-0x0000000000360000-0x0000000000370000-memory.dmp

\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ormolu.dat

MD5 483909440b46c664ba6038a008740901
SHA1 7ad5a1f895cb5b79838f3a65130242b441a47774
SHA256 4669de9e3c6e60e94071e8163e5f958f244b468e7809dae38679100a5e5382d7
SHA512 c3d5e5842ac07809135205a4a07e562760b70be2f41411352b1c8c9372079087cef1517886f9362df00e2e8706199fb3bcbedbdcb4d142532f2e03a4330baaab

\Users\Admin\AppData\Local\Temp\C5E3399ED9A072FE864748D49BA96094.dll

MD5 13249bc6aa781475cde4a1c90f95efd4
SHA1 0d8698befd283ca69d87ce44dad225ef792b06da
SHA256 3922a8c1b0f58b74fc3d89d7eec3fe5c5b0e8bda6b36491d2380431dd8e8284a
SHA512 aec8b793c4a1c9789af70fdaad3aa473a581585e8b76669d187cabe6c88363bacbed28200dd8f243f9dd50fc8fc27339f0e687341024d466a4d5078c28a768d2

memory/1636-80-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\googleup.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

memory/544-90-0x00000000004015C6-mapping.dmp

memory/544-93-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-89-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-88-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-87-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-86-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-84-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-83-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-82-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-94-0x0000000000400000-0x0000000000435000-memory.dmp

memory/544-97-0x0000000000240000-0x00000000002A6000-memory.dmp

memory/544-101-0x0000000001DA0000-0x0000000001DAC000-memory.dmp

memory/544-100-0x00000000002C0000-0x00000000002CD000-memory.dmp

memory/544-99-0x0000000000240000-0x00000000002A6000-memory.dmp

memory/884-102-0x0000000000000000-mapping.dmp

memory/884-104-0x0000000074571000-0x0000000074573000-memory.dmp

memory/884-105-0x0000000077750000-0x00000000778D0000-memory.dmp

memory/884-107-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/884-106-0x0000000000090000-0x0000000000147000-memory.dmp

memory/544-109-0x0000000000240000-0x00000000002A6000-memory.dmp

memory/544-108-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1412-110-0x0000000003C50000-0x0000000003DAC000-memory.dmp

memory/1412-111-0x0000000002C10000-0x0000000002C1C000-memory.dmp

memory/884-112-0x0000000077750000-0x00000000778D0000-memory.dmp

memory/884-113-0x0000000000090000-0x0000000000147000-memory.dmp

memory/2044-114-0x00000000022E0000-0x0000000002F2A000-memory.dmp

memory/2044-115-0x000000000F230000-0x000000000F23C000-memory.dmp

memory/1296-116-0x0000000002580000-0x0000000002586000-memory.dmp

memory/1412-117-0x0000000003C50000-0x0000000003DAC000-memory.dmp

memory/2044-118-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-17 03:36

Reported

2022-07-17 04:24

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\outlaw.exe" C:\Windows\SysWOW64\charmap.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows; no indicator, process or target recorded for any of them)

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1gm17q15.exe C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1gm17q15.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "tugx.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows; no indicator, process or target recorded for any of them)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Helper 2 = "\"C:\\ProgramData\\Google Helper 2\\1gm17q15.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Helper 2 = "\"C:\\ProgramData\\Google Helper 2\\1gm17q15.exe\"" C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mahonia = "C:\\Users\\Admin\\AppData\\Roaming\\mahonia.exe" C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Helper 2 = "C:\\ProgramData\\Google Helper 2\\1gm17q15.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mahonia = "C:\\Users\\Admin\\AppData\\Roaming\\mahonia.exe" C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
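The four persistence and evasion signatures above (Winlogon shell, firewall policy, Image File Execution Options, Run/RunOnce keys) all come down to a handful of registry locations. The script below is an added host-audit example written for this page; it is not the sandbox's code and was not run against this sample. It checks the locations the report's rows name and keys on the technique rather than on this sample's file names (outlaw.exe, tugx.exe, 1gm17q15.exe, mahonia.exe), which will differ in other infections. The IE Protected Mode check (zone value 2500 = 3) is included because the same explorer.exe process writes it further down.

```powershell
# Added host-audit example for this page; not the sandbox's code and not run against this sample.
# The file names in the report (outlaw.exe, tugx.exe, 1gm17q15.exe, mahonia.exe) are specific to
# this detonation, so every check keys on the technique rather than on those names.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Technique, [string]$Key, [string]$Name, $Value) {
    $findings.Add([pscustomobject]@{ Technique = $Technique; Key = $Key; Name = $Name; Value = "$Value" })
}

# 1. Winlogon Shell (report: Shell = "explorer.exe, C:\Users\...\Roaming\outlaw.exe").
#    The only legitimate value is "explorer.exe"; HKCU usually has no Shell value at all.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding 'Winlogon Shell' $key 'Shell' $shell }
}

# 2. Windows Firewall switched off per profile (report: EnableFirewall = 0 for Standard and Public).
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($prof in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = "$fwBase\$prof"
    $v = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($null -ne $v -and [int]$v -eq 0) { Add-Finding 'Firewall disabled' $key 'EnableFirewall' $v }
}

# 3. Image File Execution Options. A Debugger value makes Windows start that program instead of the
#    named one (report: rstrui.exe -> tugx.exe, so launching System Restore runs the malware).
#    DisableExceptionChainValidation (report: set for 1gm17q15.exe) turns SEHOP off for that image.
$ifeoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($ifeo in $ifeoKeys) {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.Debugger) { Add-Finding 'IFEO Debugger' $_.PSPath 'Debugger' $p.Debugger }
        if ($null -ne $p.DisableExceptionChainValidation) {
            Add-Finding 'IFEO SEHOP disabled' $_.PSPath 'DisableExceptionChainValidation' $p.DisableExceptionChainValidation
        }
    }
}

# 4. Run / RunOnce values that start something from a user-writable directory
#    (report: ...\Roaming\mahonia.exe and "C:\ProgramData\Google Helper 2\1gm17q15.exe").
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') { "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub" }
}
$runKeys += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... belong to PowerShell, not the key
        if ("$($prop.Value)" -match '\\(AppData|ProgramData|Users\\Public|Temp)\\') {
            Add-Finding 'Run key, user-writable path' $key $prop.Name $prop.Value
        }
    }
}

# 5. IE Protected Mode off in every zone (report: Zones\1..4 value 2500 = 3; 0 means "on").
$zones = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($z in 1..4) {
    $v = (Get-ItemProperty -Path "$zones\$z" -Name '2500' -ErrorAction SilentlyContinue).'2500'
    if ($null -ne $v -and [int]$v -eq 3) { Add-Finding 'IE Protected Mode off' "$zones\$z" '2500' $v }
}

if ($findings.Count -eq 0) { 'No matching artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so the HKLM firewall and IFEO keys are readable. Any IFEO Debugger value is reported, not only tugx.exe, because a legitimate one is rare enough on a workstation that each deserves a look; the Run-key test matches on directory for the same reason, the names "mahonia" and "Google Helper 2" being disposable.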

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\charmap.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\charmap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4548 set thread context of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4852 set thread context of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 3584 set thread context of 0 N/A C:\ProgramData\Google Helper 2\1gm17q15.exe N/A
PID 4928 set thread context of 0 N/A C:\ProgramData\Google Helper 2\1gm17q15.exe N/A
PID 4380 set thread context of 0 N/A C:\ProgramData\Google Helper 2\1gm17q15.exe N/A
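The SetThreadContext rows, read together with the WriteProcessMemory rows further down, give the process tree of this detonation: the dropper writes into and re-points the thread context of charmap.exe, charmap.exe does the same to notepad.exe, and googleup.exe hands off to a SysWOW64\explorer.exe that then performs the registry changes listed above. The script below is an added triage example written for this page, not the sandbox's code; it walks a live process tree for those same relationships. It assumes the legitimate shell is the 64-bit C:\Windows\explorer.exe and that charmap.exe and notepad.exe are normally children of the shell, a console, or svchost.exe (scheduled tasks, AppX); a hit means "look at this process", not "infected".

```powershell
# Added triage example for this page; not the sandbox's code. Assumptions: the real shell is the
# 64-bit C:\Windows\explorer.exe; charmap.exe and notepad.exe are normally started by the shell, a
# console, or svchost.exe. Parent PIDs can be reused after the parent exits, so treat hits as leads.

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentProcess($proc) {
    $parentId = [int]$proc.ParentProcessId
    if ($byPid.ContainsKey($parentId)) { $byPid[$parentId] }
}

$expectedParents = 'explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'svchost.exe'
$hits = foreach ($p in $procs) {
    $name       = $p.Name.ToLowerInvariant()
    $parent     = Get-ParentProcess $p
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $reason     = $null

    if ($name -eq 'explorer.exe' -and $p.ExecutablePath -like '*\SysWOW64\*') {
        # WOW64 file-system redirection hands a 32-bit parent the 32-bit explorer.exe;
        # the user's shell never runs from SysWOW64 on a 64-bit host.
        $reason = '32-bit explorer.exe from SysWOW64'
    }
    elseif ($name -in 'charmap.exe', 'notepad.exe') {
        if (-not $parent) {
            $reason = 'parent already exited (a loader that hollows a process often does)'
        }
        elseif ($parent.Name.ToLowerInvariant() -notin $expectedParents) {
            $reason = "unexpected parent $($parent.Name) at $($parent.ExecutablePath)"
        }
    }

    if ($reason) {
        [pscustomobject]@{
            PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath
            ParentPID = $p.ParentProcessId; Parent = $parentName; Reason = $reason
        }
    }
}

if (-not $hits) { 'No matching processes.' } else { $hits | Format-Table -AutoSize -Wrap }
```

The AdjustPrivilegeToken rows below add a second tell for the hollowed notepad.exe: it enables SeLockMemoryPrivilege, which a text editor never needs and which XMRig requests in order to use large pages. Reading another process's token privileges needs a tool such as Process Explorer or a small P/Invoke, so this script stops at the process tree.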

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\googleup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe N/A (64 identical rows; no indicator or target recorded for any of them)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A (2 identical rows)
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A (3 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\charmap.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeIncreaseWorkingSetPrivilege (reported unresolved as LUID 33) N/A C:\Users\Admin\AppData\Roaming\googleup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\notepad.exe N/A
Token: SeIncreaseWorkingSetPrivilege (reported unresolved as LUID 33) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeIncreaseWorkingSetPrivilege (reported unresolved as LUID 33) N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 2160 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 2160 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 2160 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 2160 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 2160 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 2160 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 2160 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 2160 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 4548 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4548 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4548 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4548 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4548 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\msiexec.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4548 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Users\Admin\AppData\Roaming\googleup.exe
PID 4044 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4044 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe C:\Windows\SysWOW64\charmap.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 4752 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 4752 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 4752 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\googleup.exe C:\Windows\SysWOW64\explorer.exe
PID 4852 wrote to memory of 2840 N/A C:\Windows\SysWOW64\charmap.exe C:\Windows\notepad.exe
PID 2140 wrote to memory of 5088 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 2140 wrote to memory of 5088 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe
PID 2140 wrote to memory of 4044 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 2140 wrote to memory of 4044 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe
PID 2140 wrote to memory of 4852 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\charmap.exe
PID 2140 wrote to memory of 4852 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\charmap.exe
PID 5088 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe C:\ProgramData\Google Helper 2\1gm17q15.exe
PID 5088 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe C:\ProgramData\Google Helper 2\1gm17q15.exe
PID 5088 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe C:\ProgramData\Google Helper 2\1gm17q15.exe
PID 3584 wrote to memory of 4508 N/A C:\ProgramData\Google Helper 2\1gm17q15.exe C:\Windows\SysWOW64\msiexec.exe
PID 3584 wrote to memory of 4508 N/A C:\ProgramData\Google Helper 2\1gm17q15.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe

"C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe"

C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe

"C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe"

C:\Users\Admin\AppData\Roaming\googleup.exe

"C:\Users\Admin\AppData\Roaming\googleup.exe"

C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe

C:\Users\Admin\AppData\Local\Temp\523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9.exe

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

C:\Users\Admin\AppData\Roaming\googleup.exe

"C:\Users\Admin\AppData\Roaming\googleup.exe"

C:\Windows\SysWOW64\charmap.exe

C:\Windows\SysWOW64\charmap.exe

C:\Windows\SysWOW64\charmap.exe

C:\Windows\SysWOW64\charmap.exe

C:\Windows\SysWOW64\charmap.exe

C:\Windows\SysWOW64\charmap.exe

C:\Windows\notepad.exe

"C:\Windows\notepad.exe" -c "C:\ProgramData\muFkUXeNTJ\cfgi"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1120 -ip 1120

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x468 0x460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 396

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2140 -ip 2140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1072

C:\ProgramData\Google Helper 2\1gm17q15.exe

/prstb

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

C:\ProgramData\Google Helper 2\1gm17q15.exe

/prstb

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

C:\ProgramData\Google Helper 2\1gm17q15.exe

/prstb

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

Network

Country Destination Domain Proto
US 8.238.111.254:80 tcp
GB 51.105.71.136:443 tcp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
IE 20.190.159.23:443 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
NL 88.221.144.192:80 tcp
US 69.195.135.90:3333 tcp
US 69.195.135.90:3333 tcp
US 69.195.135.90:3333 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsu8484.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/5088-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe

MD5 0cd8d6746093c2b02b18e0da737a12d4
SHA1 19ec4c49c3adedb152137254c35bafc8b64407c8
SHA256 800d1d7f8bbdfc6a445bff377f76ee792552232b955b849fa5d86dabd41c16fb
SHA512 d63c431704e91afb4e3180d7a29be0d042094858c841229836910d32e7c0a215e284bb7d66d9897d9405dd4d9ab472e6b61e8b78d4127ae350df21df1157728e

C:\Users\Admin\AppData\Roaming\driver.reviver.5.24.0.12-patch.exe

MD5 0cd8d6746093c2b02b18e0da737a12d4
SHA1 19ec4c49c3adedb152137254c35bafc8b64407c8
SHA256 800d1d7f8bbdfc6a445bff377f76ee792552232b955b849fa5d86dabd41c16fb
SHA512 d63c431704e91afb4e3180d7a29be0d042094858c841229836910d32e7c0a215e284bb7d66d9897d9405dd4d9ab472e6b61e8b78d4127ae350df21df1157728e

memory/4548-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\googleup.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

C:\Users\Admin\AppData\Roaming\googleup.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

memory/4044-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

MD5 d7ded77042b691a5c5db7d501a047b9d
SHA1 d4da48a37fbae8f9ae5a0dcf11120374395360d3
SHA256 85767ce14351b0da5fdc03219fa45548ac4d42901ca0aec399eee3043bea0932
SHA512 d26dda75a97539239ec9ad515b4c29738e23a93db411fdcdad7ccb7ee432f4e424085b8061876f6be7ea09f79b1fc93b733f6c5ede294b2ec58dadfb221981e4

C:\Users\Admin\AppData\Local\Temp\nshA3F3.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/5088-140-0x00000000730F0000-0x000000007317F000-memory.dmp

C:\Users\Admin\AppData\Roaming\mahonia.exe

MD5 f2d7e52b6f02da7e308e27681ba27b39
SHA1 b96aba9b3e867c22e29c72e083b14f1865a1c7ff
SHA256 523fc53a3afa854ca34abb66f224281f57467bee9cc0eb10beea5fd14ebf60a9
SHA512 e8e015025b0574e78900c10eaac7d869fec223164181392b2d0683ae87d7a61d645bfed9a1439a586cacc70bb633f5a6d10b7e39b4c5801705bff580412c9623

memory/5088-142-0x0000000000BB0000-0x0000000000BB3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nssCC6A.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/4548-146-0x0000000002080000-0x0000000002090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ormolu.dat

MD5 483909440b46c664ba6038a008740901
SHA1 7ad5a1f895cb5b79838f3a65130242b441a47774
SHA256 4669de9e3c6e60e94071e8163e5f958f244b468e7809dae38679100a5e5382d7
SHA512 c3d5e5842ac07809135205a4a07e562760b70be2f41411352b1c8c9372079087cef1517886f9362df00e2e8706199fb3bcbedbdcb4d142532f2e03a4330baaab

memory/4724-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\sheaves.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

memory/4044-151-0x00000000020E0000-0x00000000020F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sheaves.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

memory/4752-152-0x0000000000000000-mapping.dmp

memory/4752-153-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Roaming\googleup.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

memory/4752-156-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4752-157-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bassmod.dll

MD5 780d14604d49e3c634200c523def8351
SHA1 e208ef6f421d2260070a9222f1f918f1de0a8eeb
SHA256 844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
SHA512 a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

memory/4708-159-0x0000000000000000-mapping.dmp

memory/1120-160-0x0000000000000000-mapping.dmp

memory/4852-161-0x0000000000000000-mapping.dmp

memory/4852-162-0x0000000002A50000-0x0000000002B2D000-memory.dmp

memory/2840-168-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2840-169-0x000000000050F100-mapping.dmp

memory/2840-170-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4752-171-0x0000000002150000-0x00000000021B6000-memory.dmp

memory/2840-172-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2840-174-0x0000000000400000-0x0000000000516000-memory.dmp

C:\ProgramData\muFkUXeNTJ\cfgi

MD5 792b9a57910488bfcaf0aceda862c5dc
SHA1 a98ee7e47d0bb5a35d3d7faf8cc3b74df913a850
SHA256 783e3980ac7da061148480b97a3eed6d89c737048ca42c72a1a80916160c9202
SHA512 3c62960876426b1d1eae3cc8cb45d5045c177f521ce34c7674edd5307202ca735b054cd109ac0c411c4c200f5c6e72c294b948927c161a6d84dbd1a6ef387166

memory/4752-176-0x0000000002150000-0x00000000021B6000-memory.dmp

memory/4752-178-0x00000000026A0000-0x00000000026AC000-memory.dmp

memory/4752-177-0x0000000000690000-0x000000000069D000-memory.dmp

memory/2840-179-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C5E3399ED9A072FE864748D49BA96094.dll

MD5 13249bc6aa781475cde4a1c90f95efd4
SHA1 0d8698befd283ca69d87ce44dad225ef792b06da
SHA256 3922a8c1b0f58b74fc3d89d7eec3fe5c5b0e8bda6b36491d2380431dd8e8284a
SHA512 aec8b793c4a1c9789af70fdaad3aa473a581585e8b76669d187cabe6c88363bacbed28200dd8f243f9dd50fc8fc27339f0e687341024d466a4d5078c28a768d2

memory/2140-181-0x0000000000000000-mapping.dmp

memory/4752-182-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4752-183-0x0000000002150000-0x00000000021B6000-memory.dmp

memory/2140-184-0x0000000000270000-0x00000000006A3000-memory.dmp

memory/2140-185-0x0000000000180000-0x0000000000237000-memory.dmp

memory/5088-186-0x0000000003D50000-0x0000000003E07000-memory.dmp

memory/4044-187-0x00000000038F0000-0x00000000039A7000-memory.dmp

memory/2140-188-0x0000000000180000-0x0000000000237000-memory.dmp

memory/2840-189-0x0000000000400000-0x0000000000516000-memory.dmp

C:\ProgramData\Google Helper 2\1gm17q15.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

memory/3584-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nsr55ED.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/5088-193-0x0000000003D50000-0x0000000003E07000-memory.dmp

memory/4044-194-0x00000000038F0000-0x00000000039A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ormolu.dat

MD5 144122cff6bbfa2a8ed2218d049721fe
SHA1 d7013033eecb8c4f1a34c4604bc3cf38a52b5a52
SHA256 c95991ff55bb92fd123085b4242201693314c2052db05124519a68a1b6480ffd
SHA512 82dbdbfc5c69906c5b421065f6afa53c443d4dbea8931d0ad119d0d628e1ab5e17b68c139ac5b6b426be72fb7742c2d19131dae569c33463754b982620e0c2ab

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

memory/3584-199-0x00000000026D0000-0x00000000026E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

memory/4508-200-0x0000000000000000-mapping.dmp

C:\ProgramData\Google Helper 2\1gm17q15.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

memory/4928-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nssBCB6.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ormolu.dat

MD5 483909440b46c664ba6038a008740901
SHA1 7ad5a1f895cb5b79838f3a65130242b441a47774
SHA256 4669de9e3c6e60e94071e8163e5f958f244b468e7809dae38679100a5e5382d7
SHA512 c3d5e5842ac07809135205a4a07e562760b70be2f41411352b1c8c9372079087cef1517886f9362df00e2e8706199fb3bcbedbdcb4d142532f2e03a4330baaab

memory/4928-208-0x0000000002180000-0x0000000002190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

memory/1160-209-0x0000000000000000-mapping.dmp

C:\ProgramData\Google Helper 2\1gm17q15.exe

MD5 7bf0b17bdb0de1668e13502c74ed6cb6
SHA1 f42777d66eb75c3f2f560e7ec8b1d5d068b99a78
SHA256 de94226a21c3200dd5c2f63f845c4333ef8fcab922311e10a4191da68a2879bb
SHA512 fcb042a1dfbfde4fe67ebca05b8979601767f948cef31d59b0e941588a3d56e218265e83e7e8411e70eabf355ed6745958f1e810f8825058272be06c03c44e77

memory/4380-210-0x0000000000000000-mapping.dmp

memory/5088-212-0x00000000730F0000-0x000000007317F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsqF838.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/4852-214-0x0000000002DE0000-0x0000000002E97000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ormolu.dat

MD5 483909440b46c664ba6038a008740901
SHA1 7ad5a1f895cb5b79838f3a65130242b441a47774
SHA256 4669de9e3c6e60e94071e8163e5f958f244b468e7809dae38679100a5e5382d7
SHA512 c3d5e5842ac07809135205a4a07e562760b70be2f41411352b1c8c9372079087cef1517886f9362df00e2e8706199fb3bcbedbdcb4d142532f2e03a4330baaab

memory/4380-219-0x0000000002280000-0x0000000002290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

C:\Users\Admin\AppData\Local\Temp\Ashkhabad.dll

MD5 17a4c0292cb99df37a87c7b8f2587847
SHA1 94f9ce48130d12171396a213949d7ddca06e9eae
SHA256 c9b576460ccb389e13ae2b9b8cd7cced9a4872ac1845ec7fd2b0325563a9ccb3
SHA512 62205b025a1b6659231220b37b7b51c53f156f6a1853b8916de105f63c33b7962c71e36acf0ecfa4256fc04ca1304e310d68895cd370b6be76518960a622c567

memory/688-220-0x0000000000000000-mapping.dmp