Malware Analysis Report

2025-08-05 21:11

Sample ID 231231-lrp8lsgdc8
Target 316eb3f6e252e406b1815bd650088156
SHA256 ef1f7115e0dedca5a41da22ac3476c3f1a27bb21e77c6ad6eaaac5843f3b9788
Tags
persistence upx vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file 316eb3f6e252e406b1815bd650088156 was found to show suspicious behavior.

Malicious Activity Summary

VMProtect packed file

Loads dropped DLL

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 09:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 09:46

Reported

2024-01-10 05:19

Platform

win10v2004-20231215-en

Max time kernel

109s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A (x3) | N/A | N/A | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A (x2) | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) (x2) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe" | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\services.exe | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File opened for modification | C:\Program Files\Common Files\Au_ing_Code.ini | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Au_ing_Code.ini | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\services.exe | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (x12) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | N/A
N/A (x8) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (x2) | N/A | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A (x2) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5116 wrote to memory of 3588 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 3588 wrote to memory of 3888 (x3) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
PID 5116 wrote to memory of 4680 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 5116 wrote to memory of 4120 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 4120 wrote to memory of 1992 (x3) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 3788 wrote to memory of 5080 (x3) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 5116 wrote to memory of 4628 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

Processes

C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe

"C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"

C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe

"C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4680 -ip 4680

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 520

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | track.qvod.com | udp
US | 8.8.8.8:53 | stun.qvod.com | udp
US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
AU | 1.0.0.127:65535 | - | udp (x2)
US | 8.8.8.8:53 | 127.0.0.1.in-addr.arpa | udp
US | 8.8.8.8:53 | stun01.sipphone.com | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
AU | 1.0.0.127:65535 | - | udp (x2)
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (x5)
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
IE | 20.223.35.26:443 | - | tcp
US | 192.229.221.95:80 | - | tcp
US | 8.8.8.8:53 | - | udp (x7)
CN | 61.139.219.200:80 | - | udp
GB | 96.16.110.114:80 | - | tcp
CN | 221.194.134.216:80 | - | tcp
US | 8.8.8.8:53 | - | udp
N/A | 4.231.128.59:443 | - | tcp
US | 8.8.8.8:53 | - | udp (x3)
N/A | 88.221.134.18:80 | - | tcp
US | 8.8.8.8:53 | - | udp
N/A | 20.82.154.241:443 | - | tcp
US | 8.8.8.8:53 | - | udp
CN | 221.194.134.216:80 | - | tcp (x2)
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.179.17.96.in-addr.arpa | udp
GB | 88.221.135.217:80 | - | tcp
GB | 96.17.179.55:80 | - | tcp (x2)
GB | 88.221.135.217:80 | - | tcp
US | 8.8.8.8:53 | - | udp
GB | 96.17.179.68:80 | - | tcp
GB | 88.221.135.217:80 | - | tcp
GB | 96.17.179.55:80 | - | tcp
US | 8.8.8.8:53 | - | udp (x3)
N/A | 20.123.104.105:443 | - | tcp
US | 8.8.8.8:53 | - | udp (x2)
GB | 96.16.110.114:80 | - | tcp
US | 8.8.8.8:53 | - | udp
N/A | 96.16.110.41:443 | - | tcp
US | 192.229.221.95:80 | - | tcp
US | 8.8.8.8:53 | - | udp
N/A | 20.123.104.105:443 | - | tcp
N/A | 20.82.154.241:443 | - | tcp
GB | 96.16.110.114:80 | - | tcp
US | 8.8.8.8:53 | - | udp
GB | 96.16.110.114:80 | - | tcp (x2)
US | 8.8.8.8:53 | - | udp
N/A | 52.111.229.19:443 | - | tcp
US | 8.8.8.8:53 | - | udp
N/A | 92.123.241.104:80 | - | tcp (x2)
US | 8.8.8.8:53 | - | udp
N/A | 96.17.179.67:80 | - | tcp
US | 8.8.8.8:53 | - | udp
N/A | 20.123.104.105:443 | - | tcp
N/A | 96.17.179.67:80 | - | tcp
US | 8.8.8.8:53 | - | udp (x2)
N/A | 20.54.110.119:443 | - | tcp
US | 8.8.8.8:53 | - | udp
N/A | 96.17.179.67:80 | - | tcp
US | 8.8.8.8:53 | - | udp
GB | 88.221.135.217:80 | - | tcp
US | 8.8.8.8:53 | - | udp (x3)
GB | 96.17.179.55:80 | - | tcp
GB | 88.221.135.217:80 | - | tcp
GB | 96.17.179.55:80 | - | tcp (x2)
CN | 221.194.134.216:80 | - | tcp
US | 8.8.8.8:53 | - | udp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 09:46

Reported

2024-01-10 05:18

Platform

win7-20231129-en

Max time kernel

141s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
N/A (x5) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | N/A
N/A (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe | N/A
N/A (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
N/A (x3) | N/A | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A
N/A (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
N/A (x5) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | N/A
N/A (x3) | N/A | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A
N/A (x2) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | N/A
N/A (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
N/A (x3) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe" | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\services.exe | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File opened for modification | C:\Program Files\Common Files\Au_ing_Code.ini | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File created | C:\Program Files\Common Files\Au_ing_Code.ini | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\services.exe | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (x2) | N/A | C:\Program Files\Common Files\Microsoft Shared\services.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A (x2) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2948 wrote to memory of 3064 (x7) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 3064 wrote to memory of 2560 (x7) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe
PID 2948 wrote to memory of 2600 (x7) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2948 wrote to memory of 2480 (x7) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2480 wrote to memory of 2964 (x7) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 592 wrote to memory of 476 (x4) | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2948 wrote to memory of 2240 (x7) | N/A | C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

Processes

C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe

"C:\Users\Admin\AppData\Local\Temp\316eb3f6e252e406b1815bd650088156.exe"

C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe

"C:\Users\Admin\AppData\Local\Temp\KK44KK.exe_06A8DAB52E63F2F20A38FBA8E68910809B7FB85F.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | track.qvod.com | udp
US | 8.8.8.8:53 | stun.qvod.com | udp
AU | 1.0.0.127:65535 | - | udp (x2)
US | 8.8.8.8:53 | stun01.sipphone.com | udp
AU | 1.0.0.127:65535 | - | udp (x2)
US | 8.8.8.8:53 | agent.qvod.com | udp
CN | 61.139.219.200:80 | - | udp
CN | 221.194.134.216:80 | - | tcp (x5)

Files
