Malware Analysis Report

2025-08-05 17:23

Sample ID 221031-2t9yssehap
Target 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54
SHA256 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54
Tags
upx persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54

Threat Level: Likely malicious

The file 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54 was found to be: Likely malicious.

Malicious Activity Summary

upx persistence

Sets service image path in registry

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies system certificate store

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:53

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:53

Reported

2022-10-31 22:56

Platform

win7-20220901-en

Max time kernel

60s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ZS3Hh2uG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ZS3Hh2uG.sys" C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\L9DgpOL_S1\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\L9DgpOL_S1.sys" C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
PID 1340 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT
PID 1896 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe
PID 1524 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe C:\Windows\SysWOW64\cmd.exe
PID 1896 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe
PID 1468 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe C:\Windows\system32\cmd.exe
PID 1896 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

"C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"

C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT

2001 5399FF9C8181E7600A5D20B9521F8EF6 84

C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe

C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe C:\Users\Admin\AppData\Local\Temp\eYE5FB0jlh.dat

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EYE5FB~1.EXE >> NUL

C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe

C:\Users\Admin\AppData\Local\Temp\ZS3Hh2uG.sys

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\TLYCAG~1.EXE >> NUL

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLHLVV~1 >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 sosowebcache.com udp
CN 103.112.31.51:443 sosowebcache.com tcp
US 8.8.8.8:53 pic.rmb.bdstatic.com udp
DE 185.10.104.115:80 pic.rmb.bdstatic.com tcp
HK 154.39.245.90:10199 tcp
US 8.8.8.8:53 i4.hoopchina.com.cn udp
NL 101.33.29.223:80 i4.hoopchina.com.cn tcp
US 8.8.8.8:53 i5.hoopchina.com.cn udp
NL 101.33.29.235:80 i5.hoopchina.com.cn tcp
US 8.8.8.8:53 baiduwebcache.com udp
CN 103.112.31.51:443 baiduwebcache.com tcp

Files

memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

memory/1340-55-0x0000000001190000-0x00000000019D8000-memory.dmp

\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

MD5 48eed6e83346784e2213509f4892c0b7
SHA1 d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256 d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b

memory/1420-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

MD5 48eed6e83346784e2213509f4892c0b7
SHA1 d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256 d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b

memory/1340-61-0x00000000045D0000-0x0000000004DB7000-memory.dmp

memory/1340-62-0x00000000045D0000-0x0000000004DB7000-memory.dmp

memory/1420-64-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/1420-65-0x0000000000220000-0x0000000000223000-memory.dmp

memory/1420-66-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/1420-67-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/1340-69-0x0000000000A60000-0x0000000000AAD000-memory.dmp

memory/1340-70-0x0000000000A60000-0x0000000000AAD000-memory.dmp

\Users\Admin\AppData\Local\Temp\jlhLVVvnT

MD5 f79f5ce86c81d6b0edb45a4a92c572af
SHA1 4f8fe0760f075c60831513637935049c697d9725
SHA256 d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

memory/1896-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT

MD5 f79f5ce86c81d6b0edb45a4a92c572af
SHA1 4f8fe0760f075c60831513637935049c697d9725
SHA256 d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

memory/1896-74-0x0000000000230000-0x0000000000255000-memory.dmp

memory/1340-76-0x0000000001120000-0x0000000001177000-memory.dmp

memory/1896-77-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1896-78-0x0000000000230000-0x0000000000255000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\400EC0C30337DCB94CB9C65FAB2BF5CA

MD5 83343201c58ce331a5de9b207a0542a7
SHA1 678743995d807544cebfbf82d534094f8c356231
SHA256 27cc0e7305dfab9ab96d7a06655d4b699e42b30a075be7c1fe22d4736d20f115
SHA512 ab1d3da9a6977dbe6814466ca17092707e47a9e49f5767b2cfea0d23d41e207cb64d4427afec5aa14c1735b9f9ec34db1a8954d779d49457bf3ea14e494c772c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\400EC0C30337DCB94CB9C65FAB2BF5CA

MD5 bf590d9a3e929861d2533ff2b328fe40
SHA1 bb59528c458e7c19dbdfd9dac15a8767e7b24964
SHA256 c751a6ab02852b445e2db9e74cc6fc41e131b40c96a961b2a8bd56232476efd0
SHA512 2f4c23130ba5d264a1f81c7ba76ed9bb9f62a4bea6a4bdd3a660110ce25ccb7eabd72509fcc8f02aceb94701c7ecc93fcf80dce278e22ed7d9f60842f1cf73a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 1a295f69dfd5c6f54042f8bc5b31a6af
SHA1 d2b64e2902114ce584f382cbd78b06354b6b14f7
SHA256 b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55
SHA512 3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 3dcf580a93972319e82cafbc047d34d5
SHA1 8528d2a1363e5de77dc3b1142850e51ead0f4b6b
SHA256 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
SHA512 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e740351645128f3ee51f973ab6fea4ed
SHA1 f7fcad0f25466ba74189bb26b4b3dbcfac91673c
SHA256 79e719147509da5692a81bd47f79fa641df1ca4fd6da17ad843f9a1f627ce820
SHA512 646f47069f063da0d162b0436db60df8abf8f78848a34f8aa3414f7d33f18917ec3e947856aab371cc130c85bddc9179f34f7dd19b99a60d1e9aaefc7a28a82b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 2867ce7d2d7815a64513046b43651098
SHA1 14abccac4b083847bd45b75b2f961658ce102581
SHA256 01edfade18de3223ee71523c90bb063b51b5a06ded7532bad52d1062ec0ab3b3
SHA512 33bc9242ce7f7a6014fc7874b8ee32ac94f92ee3294b503531b0a21102180f6de3133038e43e512666efa95d326c2b6e8a83a7b0a1ef6755bc888dd0a3304ac6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 136889ac23008bfdfefb91c9e5d8a11d
SHA1 8343b8ef34dc565eda256e042b43064cb8017131
SHA256 35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5
SHA512 b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 82b7eab0fbc3065bb0ae647388fc9fe7
SHA1 12163d31764664fc87b76e6a5cda91cd7d747cf4
SHA256 3500c638861a2749bf5a498a0d2d59b555e628ac4098d5ff5326b9a5ffd2c579
SHA512 6251943e9e7aca115ccb96e2205894cde8391835bab5ff6f1960b4075c8dee25e732e57e6b4f5204733a9bc7d7a6d6ec5ce3ade23c67f10c2159b00041a0d97d

memory/1896-87-0x0000000003270000-0x00000000032C3000-memory.dmp

memory/1896-88-0x0000000003270000-0x00000000032C3000-memory.dmp

memory/1896-89-0x0000000003590000-0x00000000035F9000-memory.dmp

memory/1896-90-0x0000000003590000-0x00000000035F9000-memory.dmp

\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe

MD5 cd3f1df2d4a06ac82cd816bc799dd65e
SHA1 a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256 ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

memory/1524-92-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe

MD5 cd3f1df2d4a06ac82cd816bc799dd65e
SHA1 a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256 ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

memory/1276-95-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe

MD5 cd3f1df2d4a06ac82cd816bc799dd65e
SHA1 a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256 ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

memory/1340-97-0x0000000001190000-0x00000000019D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe

MD5 4c839dc7014281acda2456d611ac73b7
SHA1 13073f7b2d0ce49143d021cec9d863c0597a6f3e
SHA256 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e
SHA512 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea

memory/1468-99-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe

MD5 4c839dc7014281acda2456d611ac73b7
SHA1 13073f7b2d0ce49143d021cec9d863c0597a6f3e
SHA256 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e
SHA512 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea

memory/1468-101-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

memory/572-102-0x0000000000000000-mapping.dmp

memory/1468-103-0x000000013FE20000-0x000000013FE57000-memory.dmp

memory/1420-104-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/1340-105-0x0000000000A60000-0x0000000000AAD000-memory.dmp

memory/1340-106-0x0000000001120000-0x0000000001177000-memory.dmp

memory/1896-107-0x0000000000230000-0x0000000000255000-memory.dmp

memory/1896-108-0x0000000003270000-0x00000000032C3000-memory.dmp

memory/1340-109-0x0000000001190000-0x00000000019D8000-memory.dmp

memory/1896-110-0x0000000003590000-0x00000000035F9000-memory.dmp

memory/1148-111-0x0000000000000000-mapping.dmp

memory/1896-112-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT

MD5 f79f5ce86c81d6b0edb45a4a92c572af
SHA1 4f8fe0760f075c60831513637935049c697d9725
SHA256 d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 22:53

Reported

2022-10-31 22:56

Platform

win10v2004-20220812-en

Max time kernel

62s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ZSixoSOX\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ZSixoSOX.sys" C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6m9sZYwATX\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\6m9sZYwATX.sys" C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
PID 4996 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
PID 4996 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
PID 4996 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh
PID 4996 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh
PID 4996 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh
PID 1180 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe
PID 1180 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe
PID 1180 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe
PID 3792 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe C:\Windows\SysWOW64\cmd.exe
PID 3792 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe C:\Windows\SysWOW64\cmd.exe
PID 3792 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe
PID 1180 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe
PID 4972 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe C:\Windows\system32\cmd.exe
PID 4972 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

"C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"

C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh

2001 5399FF9C8181E7600A5D20B9521F8EF6 84

C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe

C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe C:\Users\Admin\AppData\Local\Temp\BaQBE05jlh.dat

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BAQBE0~1.EXE >> NUL

C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe

C:\Users\Admin\AppData\Local\Temp\ZSixoSOX.sys

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0Q6_AU~1.EXE >> NUL

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLH6LW~1 >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 sosowebcache.com udp
CN 103.112.31.51:443 sosowebcache.com tcp
US 8.8.8.8:53 pic.rmb.bdstatic.com udp
DE 185.10.104.115:80 pic.rmb.bdstatic.com tcp
CN 103.112.31.51:443 sosowebcache.com tcp
CN 103.112.31.51:443 sosowebcache.com tcp
HK 154.39.245.90:10199 tcp
DE 185.10.104.115:80 pic.rmb.bdstatic.com tcp
CN 103.112.31.51:443 sosowebcache.com tcp
HK 154.39.245.90:10199 tcp
US 8.8.8.8:53 i4.hoopchina.com.cn udp
NL 101.33.29.231:80 i4.hoopchina.com.cn tcp
HK 154.39.245.90:10199 tcp
US 8.8.8.8:53 i5.hoopchina.com.cn udp
NL 101.33.29.225:80 i5.hoopchina.com.cn tcp
US 8.8.8.8:53 baiduwebcache.com udp
CN 103.112.31.51:443 baiduwebcache.com tcp
HK 154.39.245.90:10199 tcp
US 93.184.221.240:80 tcp
HK 154.39.245.90:10199 tcp
DE 20.52.64.200:443 tcp

Files

memory/4996-132-0x0000000000CA0000-0x00000000014E8000-memory.dmp

memory/4412-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

MD5 48eed6e83346784e2213509f4892c0b7
SHA1 d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256 d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b

C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe

MD5 48eed6e83346784e2213509f4892c0b7
SHA1 d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256 d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b

memory/4412-136-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/4412-137-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/4412-138-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/4412-139-0x0000000000D80000-0x0000000000D83000-memory.dmp

memory/4996-140-0x0000000004360000-0x00000000043AD000-memory.dmp

memory/4996-141-0x0000000004360000-0x00000000043AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh

MD5 f79f5ce86c81d6b0edb45a4a92c572af
SHA1 4f8fe0760f075c60831513637935049c697d9725
SHA256 d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh

MD5 f79f5ce86c81d6b0edb45a4a92c572af
SHA1 4f8fe0760f075c60831513637935049c697d9725
SHA256 d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d

memory/1180-142-0x0000000000000000-mapping.dmp

memory/1180-145-0x0000000000530000-0x0000000000555000-memory.dmp

memory/1180-146-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1180-147-0x0000000000530000-0x0000000000555000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 10c64006105304b4ed0904acce3ba9c1
SHA1 56fa0b3213d539a8a779ef5f88daa6f60e87391b
SHA256 e59e528e19b5a60686b2ac6165ddbc45bd8cd90379ec1bbdfa03a480b9c4fabb
SHA512 bfd168c0239fdd831ee45998f5e6b8bd17adce1155948be5a98b5dffffa14a967e582471511f4236cd9142890bfefe6a132f871555e6da5ab0ec3b692fc1fde8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 136889ac23008bfdfefb91c9e5d8a11d
SHA1 8343b8ef34dc565eda256e042b43064cb8017131
SHA256 35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5
SHA512 b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 1a295f69dfd5c6f54042f8bc5b31a6af
SHA1 d2b64e2902114ce584f382cbd78b06354b6b14f7
SHA256 b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55
SHA512 3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 7da0f0010d9f684e8d08f2715bd5a000
SHA1 cb6e4b8ebac810080212358954384b34991eb7cc
SHA256 797a6c5f4c139b2c785391fb02ed47b1d104c9ec7b2106faca2af18ac0452d57
SHA512 006f3ed99813e211cc5d7c04a1b8585c5f2fe281b332c75fd0122c723278fe4aa6a9f11bb81824ec0e27732062889c32feabdaca0d2ede874b5dbeb7963b4d6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\400EC0C30337DCB94CB9C65FAB2BF5CA

MD5 83343201c58ce331a5de9b207a0542a7
SHA1 678743995d807544cebfbf82d534094f8c356231
SHA256 27cc0e7305dfab9ab96d7a06655d4b699e42b30a075be7c1fe22d4736d20f115
SHA512 ab1d3da9a6977dbe6814466ca17092707e47a9e49f5767b2cfea0d23d41e207cb64d4427afec5aa14c1735b9f9ec34db1a8954d779d49457bf3ea14e494c772c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\400EC0C30337DCB94CB9C65FAB2BF5CA

MD5 c2ed069efa024354f4cace5e63d914a3
SHA1 b6e61c792b1305f6d1f6af8ef63e592f062525c8
SHA256 1871913a75f5f9f5958356c770f7e56a246b1b6c836bf78f59a03c9de789a5e4
SHA512 f0e4b26e7dba8a7db620ff848fbeca96ad33e0352e5a82afe38a320f2033c1c95b85dc406c6980269f9aa30fc0793f859f5fedc0a11bd592f87e57d94286dd54

memory/1180-154-0x0000000003110000-0x0000000003163000-memory.dmp

memory/1180-155-0x0000000003110000-0x0000000003163000-memory.dmp

memory/4996-156-0x0000000000CA0000-0x00000000014E8000-memory.dmp

memory/4412-157-0x0000000000D80000-0x0000000000D83000-memory.dmp

memory/4412-158-0x0000000000400000-0x0000000000BE7000-memory.dmp

memory/4996-159-0x0000000004360000-0x00000000043AD000-memory.dmp

memory/1180-160-0x0000000003B40000-0x0000000003BA9000-memory.dmp

memory/3792-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe

MD5 cd3f1df2d4a06ac82cd816bc799dd65e
SHA1 a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256 ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe

MD5 cd3f1df2d4a06ac82cd816bc799dd65e
SHA1 a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256 ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0

memory/1180-164-0x0000000003B40000-0x0000000003BA9000-memory.dmp

memory/1384-165-0x0000000000000000-mapping.dmp

memory/1180-166-0x0000000000530000-0x0000000000555000-memory.dmp

memory/4972-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe

MD5 4c839dc7014281acda2456d611ac73b7
SHA1 13073f7b2d0ce49143d021cec9d863c0597a6f3e
SHA256 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e
SHA512 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea

C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe

MD5 4c839dc7014281acda2456d611ac73b7
SHA1 13073f7b2d0ce49143d021cec9d863c0597a6f3e
SHA256 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e
SHA512 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea

memory/4312-170-0x0000000000000000-mapping.dmp

memory/4972-171-0x00007FF627F60000-0x00007FF627F97000-memory.dmp

memory/1180-172-0x0000000003110000-0x0000000003163000-memory.dmp

memory/1180-173-0x0000000003B40000-0x0000000003BA9000-memory.dmp

memory/4996-174-0x0000000000CA0000-0x00000000014E8000-memory.dmp

memory/1548-175-0x0000000000000000-mapping.dmp

memory/1180-176-0x0000000000400000-0x0000000000457000-memory.dmp