Malware Analysis Report

2025-08-11 01:35

Sample ID 231207-zderlsfd89
Target 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c
SHA256 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c
Tags
upx vmprotect
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c

Threat Level: Likely malicious

The file 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c was found to be: Likely malicious.

Malicious Activity Summary

upx vmprotect

Drops file in Drivers directory

VMProtect packed file

Checks computer location settings

UPX packed file

Deletes itself

Unexpected DNS network traffic destination

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 20:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 20:35

Reported

2023-12-07 20:38

Platform

win7-20231025-en

Max time kernel

150s

Max time network

153s

Command Line

winlogon.exe

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\wDOjKt.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\tX4JE35tc0p.eyx C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\qdwVBcqFZntMQx.fss C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\Kxms7VrjRJM3r.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\3fkiDdA971B1B.kgv C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\QKSE4pPPyj4r.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\OZKwcyxNVbO5Si.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\Vv9CGOcxtz.hse C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\zVyEP90AMN8.sys C:\Windows\Explorer.EXE N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 114.114.114.114 N/A N/A
Destination IP 223.5.5.5 N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\ \Windows\System32\O2zQWLolu.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\m5fvczD7k0.ecm C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\16aV9eAKorm.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\FwxrhGGC4EN.wne C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\WmDOvJuMedt69.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\DKFDGvpF9jX.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\cbNZJ3Km7kR.uqh C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\ki5hi7pp0x.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\0neucIe3gB68Oj.ryn C:\Windows\Explorer.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\TGRpjZnizhV.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows NT\manifest.json C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\LheHCCCdtcC.sre C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Media Player\4d538cc8.html C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows NT\4d5397c2.html C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Windows Media Player\3ddc70a0.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows NT\lib\6c41d476.js C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\dakMsuNOTI.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\yDzBCT81uq.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\rihVo3IguMa70u.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\V9GaxaPgJc.xdu C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\AwOUhF8L7q80W5.hns C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows NT\5ccab61c.js C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\np22ThftlWjb6.apu C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\iqdBb2D8eB01.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\thG2TeGzQwH3C.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\OWV3UcV9R1.xrr C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\GMcGaVrb19QLVo.hle C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\9EHNad0dPyUe.qux C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows NT\3ddc7968.js C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Windows Media Player\manifest.json C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Media Player\5ccaa8f0.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\vsPyx6sWs8VdMO.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\lNcq4qeL0wD.qdn C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\R3jcWeQyfPQ.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Media Player\lib\6c41c518.js C:\Windows\Explorer.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\err_2228.log C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
File created C:\Windows\4vV0yNCZt.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\RvbVdxhdgIU.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\MPRSrSX5Ptmd5C.tgg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\1tpK7hZEkNer.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\Boyzi3Q16TeMfu.vdt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\xIbu9FjoZRz7.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\70lEBHtTgh.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\WG8KEYZ5XR6CZn.uen C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\8l2cXIzu2w.dxx C:\Windows\Explorer.EXE N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Dwm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\Dwm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe C:\Windows\Explorer.EXE
PID 2228 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe C:\Windows\system32\winlogon.exe
PID 2228 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1232 wrote to memory of 1152 N/A C:\Windows\Explorer.EXE C:\Windows\system32\Dwm.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe

"C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 de108ad81976e232.vbnm34567.xyz udp
US 114.114.114.114:53 down.magiforet.cn udp
CN 122.189.171.115:443 down.magiforet.cn tcp
US 8.8.8.8:53 dns.alidns.com udp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
US 114.114.114.114:53 down.hjkl45678.xyz udp
CN 122.246.12.168:443 down.hjkl45678.xyz tcp
US 114.114.114.114:53 down.zhangyaping.top udp
CN 223.5.5.5:53 dns.alidns.com udp
US 8.8.8.8:53 down.zhangyaping.top udp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
US 8.8.8.8:53 yzzcommon.tyui54345.xyz udp
US 114.114.114.114:53 down.nugong.asia udp
CN 119.167.229.212:443 down.nugong.asia tcp
US 8.8.8.8:53 down.nugong.asia udp
CN 119.167.229.212:80 down.nugong.asia tcp
US 8.8.8.8:53 apps.game.qq.com udp
CN 101.227.134.27:443 apps.game.qq.com tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
CN 119.36.90.164:80 ocsp.trust-provider.cn tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
NL 47.246.48.205:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 sp1.baidu.com udp
US 104.193.88.123:443 sp1.baidu.com tcp
N/A 234.2.2.2:27878 udp
N/A 233.123.112.211:17181 udp
US 8.8.8.8:53 nreprot.nugong.asia udp
CN 118.212.235.231:443 nreprot.nugong.asia tcp
US 8.8.8.8:53 b2rpt.hjkl45678.xyz udp
CN 119.167.229.212:80 nreprot.nugong.asia tcp
CN 42.192.71.187:8088 b2rpt.hjkl45678.xyz tcp
US 8.8.8.8:53 mprrpt.nugong.asia udp
CN 119.167.229.212:80 mprrpt.nugong.asia tcp
CN 122.189.171.111:443 mprrpt.nugong.asia tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4773.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6581f07197fd48abed1b88afc3e1ca0a
SHA1 604d96025bf04c5302812e974bf58c98ffdb84fc
SHA256 584c154bf4bfdab27ba7d0ad747d876f2a96e9ce2b74143ea68c6f80639464b8
SHA512 56968fcc894e1d7ff6248f2dedcd2850faa7c656dc64e15d0312fd63ef2c37f13558fa46dd62310195fad837d2706c7a7241f8128396669fa095056187867bc7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c65ee516ed57d976665f4ba6e7da04d
SHA1 076dfc099b7ac70f80c43cb2d4ba37acb29f35b9
SHA256 542e6148e4732fe84a9060fa8d834d73975d709a93ff84172630359367064371
SHA512 bc1a1ee04e899bdb9d4ede3550a75cffd9c98391ddfcd28b8c0890958d9d60054ac0de818f0039663d1fd1b3137b26e82f79aed333c1d283d0a07828d18b12b1

C:\Windows\RvbVdxhdgIU.sys

MD5 d15f5f23df8036bd5089ce8d151b0e0d
SHA1 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256 f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512 feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

C:\Windows\xIbu9FjoZRz7.sys

MD5 5e842a9d9ebc88025471b3bff3e233b9
SHA1 d44ede07cb1fbf4387d5d6ddd700ff87093bcec6
SHA256 f65695ad21125414c001abc88873f7aa828d3d603c82b38d70bac393ba429600
SHA512 204e5cfdeddf5ec9b73b1910a6bc5918b3c4d5341639e41a96fd979c6d48470564706d10bf92175b148a2cb192f53f6f015cae7e8d42a8070a419df0c7bee8f6

C:\Windows\70lEBHtTgh.sys

MD5 64bc1983743c584a9ad09dacf12792e5
SHA1 0f14098f523d21f11129c4df09451413ddff6d61
SHA256 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b3e886f0a26b67c1234b30c755341758
SHA1 8a881fb559672e95834def740fc5ba017879b0db
SHA256 808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f
SHA512 66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 94a27ce0e6449be9e955fafd976ee746
SHA1 ac9ca68b1b088d508408966c0e51146d121604ea
SHA256 8e4f059c414fe68ca4521f705a1576adf0b9193ab52b05e0bee6f7a2eee64f8a
SHA512 c3799b80bb7a4a6d40d79740f59050654925a5abe8e780c75e83cfdd3d97bc11bdde0e5495cdd276f0e33112f6e2107d82d057afdb9186cefe139f12b85c8e0c

C:\Windows\1tpK7hZEkNer.sys

MD5 a5739c49ec1255fe87cc5712a66cb7b5
SHA1 ee12e93e77773efaf14ecc114253bfd2fa6cd0eb
SHA256 f4943dc2cdf234ac42fa553c425f2325b03775af4e482de6c58bc0895fc43752
SHA512 2ecb9046fae8bc01d266b162707b8dc145bab64921cb4f492d9e1eb5692bb5dcced1ad9793c20598d27011f300f9ff59c9610b6d13077f8a8cec6c8617b31eba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

MD5 efae7df0182bae8d2f6f9ef7f2cad5d6
SHA1 d16e5be1f81741a192e686072013eabbee03bcfb
SHA256 6bee2767225a97cb4ece1a98374fbfdc807a543f28c8af642f407616d8bf97fd
SHA512 b21ff66a45d26eefd11cbe0cea46466d7c3be1886e62de2733481b725cffa6fa62e3f8d453e6da46942c3be83551b89778327f697baa08492fde142b78d99443

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

MD5 9ba47a279b7950e198b6076171704bd8
SHA1 2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab
SHA256 1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6
SHA512 d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

MD5 3fefedd2d651734aab0aff2f8161db56
SHA1 eda0d013d0db080e6477965234bf4db2aceb215e
SHA256 4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01
SHA512 0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

MD5 af4aa3e6fa5a8265a52988e582ddd77e
SHA1 c45b868f3e3558a1520d0e256da8aa3e2bd76dfb
SHA256 5dd2a58e84528fd54c5514ce1f21492cd4cfcac3d1d5dedc4ea53028562c5e20
SHA512 28141f0a7fc810f3a2df667aff275920837745a03d93478763a364f2c8195c813bd5f517c6a14602b0d52640692b664aa34abf0f57c9fcffde618132d7d16656

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 20:35

Reported

2023-12-07 20:38

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

155s

Command Line

winlogon.exe

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\D1CltxeOyoGr.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\jHRoeAFgqYE.rbo C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\cs8qTQoOxQSb.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\DUINA904MnE.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\KKeU9IESqFy.ser C:\Windows\Explorer.EXE N/A
File created C:\Windows\System32\drivers\hfvaUtE.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\hlDyMnuCjVq.jvt C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\Cl0CvJZp9u6v.ipi C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\drivers\fYXxilOc1zJlLd.sys C:\Windows\Explorer.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 114.114.114.114 N/A N/A
Destination IP 223.5.5.5 N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wfRL5FwoGaHI.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\5Ubk0dgeBM4yca.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\hK3M2hODYcpEd.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\pBKj4GOZ5ytc.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\I4OrQnf0D421.zmi C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\XFjykBF86wgB.bws C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\nczHPBaF7s.xna C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\system32\1Ih8uylF6j.tmp C:\Windows\Explorer.EXE N/A
File created C:\Windows\system32\ \Windows\System32\nXrO1knf.sys C:\Windows\Explorer.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Defender\lib\646abf1e.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\NSyb6HvrmI.vma C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\4gfHBrm6akG.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Defender\manifest.json C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Defender\396191c8.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\GTx2PoiY0ARvqP.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\cNhlSRZIKNAP.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\MSBuild\manifest.json C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\OHe64hHS3P1s.zbe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\nqvNB24hD7Zm.hdh C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\YMBlU0Om7i.uwg C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\GHA1yTsNIAMDc.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\MSBuild\lib\646b3b03.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\CGy7V865uC4.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\0qLRK7y485MI8.iyi C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\noUpG2oY1Ydjp3.umm C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Defender\47b9f63a.html C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\MSBuild\3961d894.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\MSBuild\5612c4de.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Defender\56125aac.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Mbb3Xqae5AFVl4.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\MSZ7Kj98gXYj.cwv C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\hJcxcuJ0R3vz.jlj C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\a6m9w6guNHVGK.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Sv6MZ4eRGkUb.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\MSBuild\47ba4eb9.html C:\Windows\Explorer.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rS6uloi3.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\mE07feRYtg.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\AiDlWo8jM7.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\o80UeuxzQleSN.niq C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\0rjtIRLymI.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\jIOpezU3b2e.sys C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\err_3760.log C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
File opened for modification C:\Windows\3JgQeWDmjpNtR.evl C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\MsTIRRfNK9a3.pyc C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\LNMDTZ3Tcl.nka C:\Windows\Explorer.EXE N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\Explorer.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\Explorer.EXE N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\Explorer.EXE N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\dwm.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe C:\Windows\Explorer.EXE
PID 3760 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe C:\Windows\system32\winlogon.exe
PID 3760 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3276 wrote to memory of 1016 N/A C:\Windows\Explorer.EXE C:\Windows\system32\dwm.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe

"C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 27.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 de108ad81976e232.vbnm34567.xyz udp
US 114.114.114.114:53 down.magiforet.cn udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 114.114.114.114.in-addr.arpa udp
CN 122.189.171.115:443 down.magiforet.cn tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 115.171.189.122.in-addr.arpa udp
US 8.8.8.8:53 dns.alidns.com udp
CN 223.5.5.5:443 dns.alidns.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 5.5.5.223.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 114.114.114.114:53 down.hjkl45678.xyz udp
CN 122.246.12.168:443 down.hjkl45678.xyz tcp
US 114.114.114.114:53 down.zhangyaping.top udp
CN 223.5.5.5:53 dns.alidns.com udp
US 8.8.8.8:53 down.zhangyaping.top udp
CN 223.5.5.5:80 dns.alidns.com tcp
US 8.8.8.8:53 f0b526d3a42e13ea.tyui54345.xyz udp
US 8.8.8.8:53 f0b526d3a42e13ea.zxcv56745.xyz udp
US 8.8.8.8:53 yzzcommon.tyui54345.xyz udp
US 114.114.114.114:53 down.nugong.asia udp
CN 122.189.171.55:443 down.nugong.asia tcp
US 8.8.8.8:53 55.171.189.122.in-addr.arpa udp
US 8.8.8.8:53 down.nugong.asia udp
CN 118.212.235.109:80 down.nugong.asia tcp
US 8.8.8.8:53 109.235.212.118.in-addr.arpa udp
US 8.8.8.8:53 apps.game.qq.com udp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
CN 101.227.134.49:443 apps.game.qq.com tcp
CN 111.48.138.18:80 ocsp.trust-provider.cn tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 49.134.227.101.in-addr.arpa udp
US 8.8.8.8:53 18.138.48.111.in-addr.arpa udp
NL 47.246.48.205:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 sp1.baidu.com udp
US 104.193.88.123:443 sp1.baidu.com tcp
US 8.8.8.8:53 205.48.246.47.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 123.88.193.104.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 234.235.55.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 234.2.2.2:27878 udp
N/A 233.123.112.211:17181 udp
US 8.8.8.8:53 2.2.2.234.in-addr.arpa udp
US 8.8.8.8:53 211.112.123.233.in-addr.arpa udp
US 8.8.8.8:53 nreprot.nugong.asia udp
US 8.8.8.8:53 b2rpt.hjkl45678.xyz udp
CN 122.189.171.55:443 nreprot.nugong.asia tcp
CN 118.212.235.109:80 nreprot.nugong.asia tcp
CN 42.192.71.187:8088 b2rpt.hjkl45678.xyz tcp
US 8.8.8.8:53 mprrpt.nugong.asia udp
US 8.8.8.8:53 187.71.192.42.in-addr.arpa udp
CN 118.212.235.109:80 mprrpt.nugong.asia tcp
CN 42.231.136.215:443 mprrpt.nugong.asia tcp
US 8.8.8.8:53 215.136.231.42.in-addr.arpa udp
US 8.8.8.8:53 120.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 128.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Windows\mE07feRYtg.sys

MD5 d15f5f23df8036bd5089ce8d151b0e0d
SHA1 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256 f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512 feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

C:\Windows\AiDlWo8jM7.sys

MD5 dd627bbb8edb4a1072167c8b5fd6e0b5
SHA1 30a624eb46d35d4370000ad4b0339ec8f21bb454
SHA256 b795e8339a35e09a5f807b17c6c56c0d6286915775f4bfe6f2ed765ed4222e93
SHA512 3578fe4c9ca6915580c7517f37017ee35b3b05b1061ee88a59e4feb95702963c52405435424f35a79ee26d2d1574ca274d40d3e624b437a812ec0fc6b377b2a4

C:\Windows\0rjtIRLymI.sys

MD5 64bc1983743c584a9ad09dacf12792e5
SHA1 0f14098f523d21f11129c4df09451413ddff6d61
SHA256 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

C:\Windows\jIOpezU3b2e.sys

MD5 fdbf841adb1f78adca43b1aa3f303d30
SHA1 7a8cee7fffffcc369688d5c48daaa75eddb68156
SHA256 992857e7e9f2ae2458bee53c0156c632303ad5266aeacb95da30c25700f54a76
SHA512 ebbfaef01abc6b5ddb6f14ad0c2c3c1f4288e461d1901898cdaca3cb9a5691a96bd99fe1cbe9f42d84a00cb97852b490e395688c1d65db2cc0337277ff47ec84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

MD5 3fefedd2d651734aab0aff2f8161db56
SHA1 eda0d013d0db080e6477965234bf4db2aceb215e
SHA256 4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01
SHA512 0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

MD5 77c8cf33c3cf0a216298f3266fc3e856
SHA1 f044d555ebdbe99e06d6f7b0d451e9e883e744c0
SHA256 1c23554232be622460cb06b2c8c9db61b6b7a0ca83fbef8b69b8d957683888b4
SHA512 e34f3fca60c8bf7b77003f73ac02365e12247e113d567b812014d70277365cca75e1bc8e05ec63df97cdb735323f8e8a56cefb051ead603d22a49cbccb4f976d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

MD5 9ba47a279b7950e198b6076171704bd8
SHA1 2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab
SHA256 1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6
SHA512 d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

MD5 935a9e5d0ec698c565519d6a572d9601
SHA1 cf53a7aac2159cd12cc946f8c8c8f698a32a5d0d
SHA256 5aa2798065cc6b8558acee4889ed1dee7f6204116860480c8c6ab2c34c70a80a
SHA512 1c6db16d154594cf743b99b3fe052070f9c869dd8ee2ff981d33e6cf66e856051bfd4f794e89f76eaceb01e6c86c97fc77729787134bf9f5581c928a057e0b8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 b3e886f0a26b67c1234b30c755341758
SHA1 8a881fb559672e95834def740fc5ba017879b0db
SHA256 808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f
SHA512 66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 1f60ee8de4ef7ef144eacb0bdf14df68
SHA1 d964f46d850f3e5ae3cbff0e0361665d03c84ff5
SHA256 e3ab52ee388317c0affcbe4a640c7b4c9df85ef3a8d62fcbb92ad54b9a5d45ac
SHA512 3c24c4cad705ff49a0af9cc1a89327d16b0cd3f90386e575f0f71e78427aebbbccaf23a976926259fb1182ce4bee4ab13e2c7111c0d6cecfc492d551fa044e35