Malware Analysis Report

2024-09-22 11:38

Sample ID 230713-y27xmaba48
Target 9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5
SHA256 9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5
Tags: newrem remcos hawkeye evasion keylogger persistence rat spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5
Threat Level: Known bad

The file 9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5 was found to be: Known bad.

Malicious Activity Summary

Remcos family

UAC bypass

Remcos

HawkEye

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Modifies registry class

Checks SCSI registry key(s)

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2023-07-13 20:17

Signatures

Remcos family

remcos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-13 20:17
Reported: 2023-07-13 20:20
Platform: win10-20230703-en
Max time kernel: 149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

UAC bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Terminal\Terminal.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\ProgramData\Terminal\Terminal.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR = "\"C:\\ProgramData\\Terminal\\Terminal.exe\"" | C:\ProgramData\Terminal\Terminal.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR = "\"C:\\ProgramData\\Terminal\\Terminal.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR = "\"C:\\ProgramData\\Terminal\\Terminal.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR = "\"C:\\ProgramData\\Terminal\\Terminal.exe\"" | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\ProgramData\Terminal\Terminal.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR = "\"C:\\ProgramData\\Terminal\\Terminal.exe\"" | C:\ProgramData\Terminal\Terminal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-5HBYBR = "\"C:\\ProgramData\\Terminal\\Terminal.exe\"" | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2016 set thread context of 3784 | N/A | C:\ProgramData\Terminal\Terminal.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3784 set thread context of 4404 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\dxdiag.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Terminal\Terminal.exe | N/A
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3688 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | C:\Windows\SysWOW64\cmd.exe
PID 3688 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 5080 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 5068 wrote to memory of 5080 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 5068 wrote to memory of 5080 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3688 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | C:\ProgramData\Terminal\Terminal.exe
PID 3688 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | C:\ProgramData\Terminal\Terminal.exe
PID 3688 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe | C:\ProgramData\Terminal\Terminal.exe
PID 2016 wrote to memory of 4856 | N/A | C:\ProgramData\Terminal\Terminal.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 4856 | N/A | C:\ProgramData\Terminal\Terminal.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 4856 | N/A | C:\ProgramData\Terminal\Terminal.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 3784 | N/A | C:\ProgramData\Terminal\Terminal.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2016 wrote to memory of 3784 | N/A | C:\ProgramData\Terminal\Terminal.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2016 wrote to memory of 3784 | N/A | C:\ProgramData\Terminal\Terminal.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2016 wrote to memory of 3784 | N/A | C:\ProgramData\Terminal\Terminal.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3784 wrote to memory of 2528 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 2528 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\cmd.exe
PID 3784 wrote to memory of 2528 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4856 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4856 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3784 wrote to memory of 4404 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 3784 wrote to memory of 4404 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 3784 wrote to memory of 4404 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 3784 wrote to memory of 4404 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe
PID 2528 wrote to memory of 1864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 1864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 1864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3784 wrote to memory of 1680 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\dxdiag.exe
PID 3784 wrote to memory of 1680 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\dxdiag.exe
PID 3784 wrote to memory of 1680 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\dxdiag.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe

"C:\Users\Admin\AppData\Local\Temp\9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Terminal\Terminal.exe

"C:\ProgramData\Terminal\Terminal.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Network

Country | Destination | Domain | Proto
DE | 141.95.16.111:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 111.16.95.141.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
DE | 141.95.16.111:2404 | | tcp
DE | 141.95.16.111:2404 | | tcp
DE | 141.95.16.111:2404 | | tcp
DE | 141.95.16.111:2404 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
DE | 141.95.16.111:2404 | | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
DE | 141.95.16.111:2404 | | tcp
DE | 141.95.16.111:2404 | | tcp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp

Files

C:\ProgramData\Terminal\Terminal.exe

MD5 5379d703170770355efdbce86dcdb1d3
SHA1 7fdd801486d701ef0f97b4c91bcdd58ee294c593
SHA256 9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5
SHA512 919336d876b921cba84617f107bca90bcfed9a8c56e921a6aa797451ae993bc3fd25ee568d82c2e2a2282be40c29e11ddfada607202f522ca1089d19f1e57b8a

C:\ProgramData\Terminal\logs.dat

MD5 0d7ab98a5fec53557a4948c2a725f381
SHA1 503936ecb29908724655ca0493a5fb8d45ad062e
SHA256 624458eee2ff58fe7c660fbae6a62cda86049961416956de7c0da20a14a1583d
SHA512 648a57dd14eae1d1f6bb51a93a0ebe67891dd3cc9651e1e47f7edc1e08d18232669f7db664e3dbc623ba23c12aca9906b2fe8c606dfb4073b716266ef28eb2af

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 be3382e0791e4b329620970c8a9bb83d
SHA1 e42f214d09aec723f1dbe7b03fe8b2f2a6d1c23b
SHA256 90070892d734c1e6756c61142ddb06cffcdb79000ef3ba820e3f6f776c5cc680
SHA512 ddf747ea94e932bda7b0c26f780905d24c79c428515a705da96d72efe1fc3d18f0cfea5e83b068a41b911afc27e12a957cd2139a798e00e8605e4c7c65c4e249