Malware Analysis Report

2024-09-22 11:23

Sample ID: 231228-s4z2xaebh6
Target: e75d27a4dec7334e548a776a58137877
SHA256: 5e9b31834d9951e950f884bea2a45bafb99c1761fbb8b7be4301467f55795d1a
Tags: darkcomet hawkeye keylogger rat spyware stealer trojan upx persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 5e9b31834d9951e950f884bea2a45bafb99c1761fbb8b7be4301467f55795d1a
Threat Level: Known bad

The file e75d27a4dec7334e548a776a58137877 was found to be: Known bad.

Malicious Activity Summary

darkcomet hawkeye keylogger rat spyware stealer trojan upx persistence

HawkEye

Darkcomet

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-12-28 15:41

Signatures

Unsigned PE

No indicator details reported (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-28 15:41
Reported: 2024-01-09 12:40
Platform: win7-20231215-en
Max time kernel: 1s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe"

Signatures

Darkcomet

trojan rat darkcomet

HawkEye

keylogger trojan stealer spyware hawkeye

Deletes itself

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

UPX packed file

upx
12 matches; no indicator details reported (Description, Indicator, Process and Target all N/A).

Suspicious use of SetThreadContext

Description: PID 2080 set thread context of 2816
Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Suspicious use of WriteProcessMemory

PID 1520 wrote to memory of 2080 (4 events)
    Process: C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
    Target:  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2080 wrote to memory of 2816 (11 events)
    Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Target:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Processes

(image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
    "C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
    "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 75as4d53a1sd.zapto.org udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 a9751886302ac681869c6c0beabec865
SHA1 1a39348e1dfdc839a4f2653f0a7cb36c254d2c41
SHA256 b86a79fb727e4420d843fffa58a2ecba892baa769bebd87fad161bf9d2c9255f
SHA512 56dcaba0a67bb50a55bae9f6c3cf481174fb4dd0d26ae89a0d737f270b239606919a2f178b80374c901d2f1db32383d020d5d8e5511a6974544ddbbf3c00d3e9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 bb7977f22430b90b9776f72a650511e4
SHA1 f908072ae6a9d3eff4a13ec9c404af6f0aac6c40
SHA256 f910d745e60224a9695714e120b58af2ffb5f99b1f519c7ac5afea3399b63ba8
SHA512 52475507052d43dcbdf4d2616d633f9f5d66ee5f3c25756529516243914e7182c9095723ae1c4c662c6692ffe42d52d2f8493dd1b1075ea88270bce1cf853c7d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 931b0b7cc648027e2cb923f341ab76a8
SHA1 3643e08f634a0b9c67b1b2235ac4131220b02bce
SHA256 7eff1c09d4ddb22c67cd7137332f874337d161685a8e033621cc8d2baecc09e8
SHA512 314eab5314556499b676d9b529ba4e865fa1996b60f3768518aef3c593639d9ca8848b3aa0326b8c8184c844054cac9c581f014d0a38a9653437e205344ac350

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 97b0eaec006c172b00edb87710972767
SHA1 0d0948ee771abd3c1adc4f20952751eaf38963f0
SHA256 96b9e8ab664b9475398fade240fa617e956b72a35b9482b8aeaa06c602f15c4e
SHA512 06daf878ec4e634c4a77f93cd10e4fd78252d1718bd499c7a8ced4cce2091038b558102fd76a7476478d063c8b4bc85194149c40a0613832fe43e49e30f446df

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 52feb447276ae7744ab3809a19876401
SHA1 a1ce6ec34dc3642b5c60d61d85bc2ae3f806af22
SHA256 7b117b14e6f3b427dc482f9c032b778f8e16b92ff65f971559431cc9998b11b5
SHA512 b07a15a895573d6a936f91b1f08a3d55bdb92887228b8d0185de7a0b113449bf5d561350a2304bf1c0ece803b3314b79cad1aa1e2f16847625c2edfa2d7df930

C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

MD5 7a85c5282e3f340421324fa7263a3084
SHA1 0368779fbf6a7160a45794c010bb17698141fce1
SHA256 daf4c0d09e443f7757c97b5e86757f367eaaf659f4e0722372f3caa919098690
SHA512 89a6d47314dbe311e7df6f0c1c370685d45585cd5a3eeb3a5816e116bbf82378dba1b5c83817e7d28bc26f53a0edc3fbc25e193236a13176ea3dc648d065d26b

C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe

MD5 7d14209cd266271f0e66fd569938044c
SHA1 bb0313ab985b329334f5cd8f9eccbf1484763a62
SHA256 e6aefa3a8f792fbb9e3d325d1b698649c64f1eeee2ebb8352c4816859ad75f8b
SHA512 b886904f5f06a356e3fd2f1bf4894a90a8646f0606601a7d2b051851000a399c947849573d0aee9223cfde1201e31a475172376e15fe9955b74f923a2c801b05

\Users\Admin\AppData\Local\Temp\System\nwtray.exe

MD5 97e7dbef237e8fcc545db83854eed0b6
SHA1 a5f417a4a004c2eb29c46138cd5b0c978b8a9121
SHA256 32f3dace1881c458c4f8f94159d6bd1344bd2b230d742c2a43267c0cd94e2880
SHA512 53c55c6c38952ba6a4edeea942a598d6f21cd0be1e94b0cad86a8705479bb3ce799b85671db36eddde45ca3cd27c912912839e5f230f4b25b0bdd6ccf183a42d

\Users\Admin\AppData\Local\Temp\System\nwtray.exe

MD5 e6c21c397a8d884aaa88e6f97a11cd72
SHA1 47855567bcfdf529fa4eb6a71e805b0c3c28c3be
SHA256 6e0dae9b5e64c3b9e249673a6105a3a8ad0899aad1091177bb63d33e996c4f4b
SHA512 6c4c552443bcc025db9993235e732b5a85c1081524c8f94421cdaed8554411c918646cc97054fe0c35f175293441000727bee6771d54edb6809bb1c7a291018d

C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe

MD5 a1e520b6ef395102f9d557887f1117f9
SHA1 cf4f746f80510270909e80d145b805f6ed3b5016
SHA256 d84c9e21245cffb9a046e6a45cbddf2d3f5c317fc85912342b5747ff11966565
SHA512 6e988569fa4f151d5b5c49365758b0d6657763f44359adb22f04c6c63e66a79ff488caeb3f2ebd42826a23459cd283ec7ee65e75062bb569da98914934daea5a

C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

MD5 38abcaec6ee62213f90b1717d830a1bb
SHA1 d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9
SHA256 6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768
SHA512 77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 10f8e5ef710815f8042993d8a493148c
SHA1 ca1311ec6a490dd0cae48a970d9bd52347c26a66
SHA256 8b388565259a47221d1ea8753f40c174862c43b0e097026e8e99c7d785aaaea8
SHA512 d81dbf5ede3ae69894fecd63201b1b8b7b5529396643dda74ec96b415d7e50fb53dedf2b784f28e014d61892bd90b41d50f94aa1cad2a6b874c610c79826a157

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-28 15:41
Reported: 2024-01-09 12:40
Platform: win10v2004-20231215-en
Max time kernel: 156s
Max time network: 163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe"

Signatures

Darkcomet

trojan rat darkcomet

HawkEye

keylogger trojan stealer spyware hawkeye

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Processes:
    C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

UPX packed file

upx
8 matches; no indicator details reported (Description, Indicator, Process and Target all N/A).

Adds Run key to start application

persistence
Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\nvxdsinc.exe"
Process: C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

64 events, no indicator details; by process:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe  (23)
    C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe  (21)
    C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe  (20)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
Process C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe, 24 token adjustments in this order:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36 (unnamed privilege values as reported)
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
Process C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe, the same 24 token adjustments again in the same order.

Suspicious use of SetWindowsHookEx

Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Suspicious use of WriteProcessMemory

PID 3244 wrote to memory of 232 (3 events)
    Process: C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
    Target:  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 232 wrote to memory of 3712 (8 events)
    Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Target:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
PID 232 wrote to memory of 4476 (3 events)
    Process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Target:  C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
PID 4476 wrote to memory of 2992 (3 events)
    Process: C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    Target:  C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
PID 2992 wrote to memory of 4236 (8 events)
    Process: C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
    Target:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Processes

(image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
    "C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"

C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
    "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Network

Country  Destination          Domain                                     Proto  Count
US       8.8.8.8:53           75as4d53a1sd.zapto.org                     udp    22
US       8.8.8.8:53           tse1.mm.bing.net                           udp    1
US       204.79.197.200:443   tse1.mm.bing.net                           tcp    5
US       8.8.8.8:53           (16 reverse lookups, *.in-addr.arpa)       udp    16

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 e75d27a4dec7334e548a776a58137877
SHA1 85e46d71cd015e4714459d2fe73f6c9a066199f5
SHA256 5e9b31834d9951e950f884bea2a45bafb99c1761fbb8b7be4301467f55795d1a
SHA512 28669e18a2ea427fa90f11ec4ed5f024bd3a28a4602bfe091fc6155e3b2f170f9f7f245a0912aa6cca627c6bc9802d4b39a75043c57d6d5e4c4ac3896710755f

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 10f8e5ef710815f8042993d8a493148c
SHA1 ca1311ec6a490dd0cae48a970d9bd52347c26a66
SHA256 8b388565259a47221d1ea8753f40c174862c43b0e097026e8e99c7d785aaaea8
SHA512 d81dbf5ede3ae69894fecd63201b1b8b7b5529396643dda74ec96b415d7e50fb53dedf2b784f28e014d61892bd90b41d50f94aa1cad2a6b874c610c79826a157

C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

MD5 38abcaec6ee62213f90b1717d830a1bb
SHA1 d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9
SHA256 6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768
SHA512 77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274
