Analysis Overview
SHA256
a58eb70c9e826fad3872d70134cb945ef72d0865407b066090408cce53a38b23
Threat Level: Known bad
The file VirusShare_a91a9b39b94464b44184730ddf5c9ea2 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
XtremeRAT
Detect XtremeRAT payload
Modifies Installed Components in the registry
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Reads local data of messenger clients
Reads data files stored by FTP clients
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-06 19:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 19:29
Reported
2024-02-06 19:32
Platform
win7-20231215-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
XtremeRAT
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2} | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2} | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLB60D5.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLB60D5.tmp | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysAudio.exe" | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\GLBSINST.%$D | C:\Users\Admin\AppData\Local\Temp\GLB60D5.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Shell.exe | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| File created | C:\Windows\InstallDir\Shell.exe | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLB60D5.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe"
C:\Users\Admin\AppData\Local\Temp\Audio.exe
"C:\Users\Admin\AppData\Local\Temp\Audio.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
C:\Users\Admin\AppData\Local\Temp\GLB60D5.tmp
C:\Users\Admin\AppData\Local\Temp\GLB60D5.tmp 4736 C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| NL | 142.250.27.108:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | limitlessproducts.org | udp |
| NL | 213.227.149.234:80 | limitlessproducts.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\Audio.exe
| MD5 | 1da15a41d35b860551f79024d786f519 |
| SHA1 | 860bc51df0029cff0532659943d696009b894771 |
| SHA256 | 30812fdfa5b8becc827a632c55f61876ab6b8cd86b9046631a4083bb7290e399 |
| SHA512 | 1d292f1d6566afde75a367e63f64ee7e9fc6a7bf7137e6c7c2dfa3cd11e7271455926bcd8d98653454e9af0695ac4afa765b70e2f6e6b7d8c12b420a8606cb32 |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 185c5f195d51214fdb80d1672e59d57a |
| SHA1 | 09a02913e68065a37e0f87148702f9a8cccb4088 |
| SHA256 | 7b0123cf0b310370eaaea949a9d788ce9c624a10756376abef82ee897a66d7cc |
| SHA512 | e9c8a68e038ee9a86d31562daf117adeb43b36d50f18c9dbcb17c0001774b0e54579c4557c09e1175d019b50d58d986376ffe116ee224c5099d8e912ae766eaa |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | f49292be194dd4613904ec7567b3c193 |
| SHA1 | 13f8ac638db26f52d21aba7718a2d510a2ffc8b0 |
| SHA256 | 22d0c71c706761ec6ea332263c726354784036b3249a0cf7249d88efdacc7dad |
| SHA512 | 16df111aeb8eb591e92eb1ad97ef0e8cb84460b9ba0cacfb77492336b06451d0e45902433e2c208bc9e25cd27aca621f5d7e4bf08c99ae0f2f483fbad9e17d96 |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0356711d2a03c149e13f92abdc228092 |
| SHA1 | d066b4ced711451e34b8fe30a71a34a79edcced2 |
| SHA256 | fda0bb66df788edcb290a2155c10ac563f8c0ccef32584320f11b7b93f655655 |
| SHA512 | 94c8ac5acca5dca1ee06e1c8048a516cbebdbded60ba99974a3e4c35228feb72295a569198302917664913a64892211de54889c0c1002346ebd22a2c96e23e8f |
\Users\Admin\AppData\Local\Temp\Update.exe
| MD5 | 76ba75a7ce68516f5e2a76031e5ec185 |
| SHA1 | 399bed8aef82a85702c48ef3f15c46005fc15979 |
| SHA256 | 8070c926913db533326ef061dffca76550bfe9139a60365be604ca2fcef766eb |
| SHA512 | e7caf3284e2668cc52b976b063ac87ffb09b46ec7b2900dfee87a9d0ea95110b3cc11751de942f254f8962b320be49a5866a120dbc971600a60f3f55ecbc4f54 |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 5f652cd730f818bd8d68b1a69d9c8adc |
| SHA1 | 9e82f76ab15208459838659e3fa4cf7f8e17e311 |
| SHA256 | fedb734b3c08e46c988cd7c75c0feff9825b944a4beae07d776da93313695ada |
| SHA512 | 06a5a8d7bd09089c2c3ae4f6c75e588eec0b8e6055e4907de8b4f6abed081ab0f6f3fe9503879c954dec0e255ff8aec2e692f8205444c545bbbe4d05a24a9af4 |
C:\Users\Admin\AppData\Local\Temp\GLB60D5.tmp
| MD5 | 9c4e4277bf7f56318301bcf62452c8e6 |
| SHA1 | 2092162aada654516ae70b1cf75d0b36964f8716 |
| SHA256 | 2aba4c054e4145d684c4814b9311a1fdcf42485a268c945a589afddbec006246 |
| SHA512 | 480576de39cd31529546e6f06eea6fea415d55ec54c1b835493ea23ed220ebf43cff2ab6301d39aed275a4664a7bb47bb9bce3bc37256d31dc1bb7e724e19b3d |
\Users\Admin\AppData\Local\Temp\GLC6181.tmp
| MD5 | 263e81631fb67194dc968dc3f4bdb4e7 |
| SHA1 | 2998697c503a542d5cf1e25a0d0df18fcd38d66c |
| SHA256 | 9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766 |
| SHA512 | 2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb |
memory/2172-48-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2172-50-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2940-47-0x0000000074770000-0x0000000074D1B000-memory.dmp
memory/2568-58-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2712-59-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2568-61-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2940-63-0x0000000074770000-0x0000000074D1B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 19:29
Reported
2024-02-06 19:32
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
XtremeRAT
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2} | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C8DF-B266-909E-HB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Shell.exe restart" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLB41BC.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLB41BC.tmp | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysAudio.exe" | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Shell.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\GLBSINST.%$D | C:\Users\Admin\AppData\Local\Temp\GLB41BC.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InstallDir\Shell.exe | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| File created | C:\Windows\InstallDir\Shell.exe | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
| File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\Update.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Audio.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_a91a9b39b94464b44184730ddf5c9ea2.exe"
C:\Users\Admin\AppData\Local\Temp\Audio.exe
"C:\Users\Admin\AppData\Local\Temp\Audio.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
C:\Users\Admin\AppData\Local\Temp\GLB41BC.tmp
C:\Users\Admin\AppData\Local\Temp\GLB41BC.tmp 4736 C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 2984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2984 -ip 2984
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| NL | 142.250.27.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | limitlessproducts.org | udp |
| NL | 213.227.149.234:80 | limitlessproducts.org | tcp |
| US | 8.8.8.8:53 | 109.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.225:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 234.149.227.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 412341.sytes.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Audio.exe
| MD5 | 1da15a41d35b860551f79024d786f519 |
| SHA1 | 860bc51df0029cff0532659943d696009b894771 |
| SHA256 | 30812fdfa5b8becc827a632c55f61876ab6b8cd86b9046631a4083bb7290e399 |
| SHA512 | 1d292f1d6566afde75a367e63f64ee7e9fc6a7bf7137e6c7c2dfa3cd11e7271455926bcd8d98653454e9af0695ac4afa765b70e2f6e6b7d8c12b420a8606cb32 |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | f1a5e2544a09300d88f82f42ce20a1c5 |
| SHA1 | f0700245174c11964cd24839d6d1a9e8ee585a91 |
| SHA256 | df13cc50a687c76718dd31c5b5b24fbeb481010c840dc17fca6888fc3679d002 |
| SHA512 | 757e7db69fc7d1556d4c94abca419dd223beb7ccd162df87a81f9333cd268bab148ff6bbcffb000ce59b054f7b662fe8d58157aef811f34ec977408b9d998f84 |
memory/3160-21-0x0000000073AA0000-0x0000000074051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | ae0d0e3e5b32ff9f838b08d55a53e6b2 |
| SHA1 | 6a4836e23e5becde02e2c3bafa93bfce9bc09fe0 |
| SHA256 | c0aef8e02c85478902be84bc998f1956e3bd66cffa9b9aa23ba0a5275e338fda |
| SHA512 | b5c2eb3f0e9c3a82b1ac83ce67456018825d18580ae46ee85f1965e51e02f67d0b67d8cc1ff53517abbc1c4b0316a2b9c80bb861e88f3c8e01a2eaa4fe20506a |
C:\Users\Admin\AppData\Local\Temp\Update.exe
| MD5 | 76ba75a7ce68516f5e2a76031e5ec185 |
| SHA1 | 399bed8aef82a85702c48ef3f15c46005fc15979 |
| SHA256 | 8070c926913db533326ef061dffca76550bfe9139a60365be604ca2fcef766eb |
| SHA512 | e7caf3284e2668cc52b976b063ac87ffb09b46ec7b2900dfee87a9d0ea95110b3cc11751de942f254f8962b320be49a5866a120dbc971600a60f3f55ecbc4f54 |
memory/3160-36-0x0000000073AA0000-0x0000000074051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GLB41BC.tmp
| MD5 | 9c4e4277bf7f56318301bcf62452c8e6 |
| SHA1 | 2092162aada654516ae70b1cf75d0b36964f8716 |
| SHA256 | 2aba4c054e4145d684c4814b9311a1fdcf42485a268c945a589afddbec006246 |
| SHA512 | 480576de39cd31529546e6f06eea6fea415d55ec54c1b835493ea23ed220ebf43cff2ab6301d39aed275a4664a7bb47bb9bce3bc37256d31dc1bb7e724e19b3d |
memory/3160-39-0x00000000015F0000-0x0000000001600000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GLC4249.tmp
| MD5 | 263e81631fb67194dc968dc3f4bdb4e7 |
| SHA1 | 2998697c503a542d5cf1e25a0d0df18fcd38d66c |
| SHA256 | 9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766 |
| SHA512 | 2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | d7fe767c8aa03be3d2d9cb3bddb1c8dd |
| SHA1 | 59c526a40c96ada72615a8efedef3bbfca5ea0bc |
| SHA256 | 424e5dbb23977220abb0867dee308a04a7934dee4f8cf5e837c073ff1161fa3e |
| SHA512 | 8b0d7dc43f66e94ad964871dc2d6ab64079dffbe07002715bce121b472fe767a6baaff0026bc6cec2144e729124b127a02a40982b317b20f1c08b16e3740ba87 |
memory/5064-50-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2984-52-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2912-58-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2760-59-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/2912-61-0x0000000000C80000-0x0000000000C93000-memory.dmp
memory/3160-64-0x00000000015F0000-0x0000000001600000-memory.dmp
memory/3160-63-0x00000000015F0000-0x0000000001600000-memory.dmp
memory/3160-65-0x0000000073AA0000-0x0000000074051000-memory.dmp
memory/3160-66-0x0000000073AA0000-0x0000000074051000-memory.dmp
memory/3160-67-0x00000000015F0000-0x0000000001600000-memory.dmp
memory/3160-68-0x00000000015F0000-0x0000000001600000-memory.dmp
memory/3160-69-0x00000000015F0000-0x0000000001600000-memory.dmp