Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-q3zcwacg69
Target b2483ad0a449f083de08dfc3f6ea52d5
SHA256 2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832

Threat Level: Known bad

The file b2483ad0a449f083de08dfc3f6ea52d5 was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Blocks application from running via registry modification

UPX packed file

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 13:47

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 13:47

Reported

2024-03-04 13:50

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" \??\c:\windows\sysa.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\windows\winsystem.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\windows\sysb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\windows\sysa.exe N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" \??\c:\windows\winsystem.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" \??\c:\windows\sysb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" \??\c:\windows\sysa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\winsystem.exe N/A
N/A N/A \??\c:\windows\sysa.exe N/A
N/A N/A \??\c:\windows\sysb.exe N/A
N/A N/A \??\c:\windows\sysa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" \??\c:\windows\sysa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\X: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\Y: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\H: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\I: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\J: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\Z: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\E: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\G: \??\c:\windows\winsystem.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\oeminfo.ini C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\SysWOW64\WindowsProtection.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\SysWOW64\oemlogo.bmp C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\sysa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\WinSys32.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\system\oeminfo.ini C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\sysa.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\windows.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\WinSystem.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\WinSystem.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\system\oemlogo.bmp C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\winsystem.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\sysb.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\sysb.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\sysb.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\MonitorSetup.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\sysa.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\runrunrun.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\sysb.exe N/A
File created \??\c:\windows\windows.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\Win System.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\WinSys32.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\SystemMonitor64.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\Win System.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\MonitorMission.run C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\sysb.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.run\ = "exefile" \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus\Command \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "Application" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "Application" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.run\ = "exefile" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\NeverShowExt \??\c:\windows\sysb.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\ = "Open" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "cfgFile" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\ = "Open" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\sysa.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 520031000000000055587379122041707044617461003c0008000400efbe55587379555873792a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open\command\ = "c:\\windows\\windows.exe" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.dat \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exed\ = "exedfile" \??\c:\windows\sysa.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000006458fc6d102054656d700000360008000400efbe555873796458fc6d2a00000001020000000002000000000000000000000000000000540065006d007000000014000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\NeverShowExt \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.8\ = "Application" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ttffile\ = "Application" \??\c:\windows\sysa.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "Application" \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open\command \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\ = "application" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd\ = "cfgFile" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus\Command \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon\ = "C:\\windows\\windows.exe" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd\ = "cfgFile" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ttffile\ = "Application" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Scan for Virus \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bin \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "cfgFile" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\Command\ = "\"%1\" %*" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Scan for Virus\Command\ = "C:\\windows\\MonitorMission.run" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\winsystem.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command\ = "C:\\windows\\MonitorMission.run" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.MDBFile\ = "Application" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "Application" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Scan for Virus\Command \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.LockFile.14\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exc\ = "excfile" \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exed \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cvd \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command\ = "C:\\windows\\MonitorMission.run" \??\c:\windows\sysa.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Run As\Command \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\ = "application" \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\DefaultIcon \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exc \??\c:\windows\sysb.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
N/A N/A \??\c:\windows\winsystem.exe N/A
N/A N/A \??\c:\windows\sysa.exe N/A
N/A N/A \??\c:\windows\sysb.exe N/A
N/A N/A \??\c:\windows\sysa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\explorer.exe
PID 2604 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\explorer.exe
PID 2604 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\explorer.exe
PID 2604 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\explorer.exe
PID 2604 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\winsystem.exe
PID 2604 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\winsystem.exe
PID 2604 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\winsystem.exe
PID 2604 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\winsystem.exe
PID 1940 wrote to memory of 1556 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1940 wrote to memory of 1556 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1940 wrote to memory of 1556 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1940 wrote to memory of 1556 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1556 wrote to memory of 836 N/A \??\c:\windows\sysa.exe \??\c:\windows\sysb.exe
PID 1556 wrote to memory of 836 N/A \??\c:\windows\sysa.exe \??\c:\windows\sysb.exe
PID 1556 wrote to memory of 836 N/A \??\c:\windows\sysa.exe \??\c:\windows\sysb.exe
PID 1556 wrote to memory of 836 N/A \??\c:\windows\sysa.exe \??\c:\windows\sysb.exe
PID 1940 wrote to memory of 2180 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1940 wrote to memory of 2180 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1940 wrote to memory of 2180 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1940 wrote to memory of 2180 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe

"C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe"

\??\c:\windows\explorer.exe

c:\windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

\??\c:\windows\winsystem.exe

c:\windows\winsystem.exe

\??\c:\windows\sysa.exe

c:\windows\sysa.exe

\??\c:\windows\sysb.exe

c:\windows\sysb.exe

\??\c:\windows\sysa.exe

c:\windows\sysa.exe

Network

N/A

Files

memory/2604-0-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Windows\windows.exe

MD5 b2483ad0a449f083de08dfc3f6ea52d5
SHA1 b2564a83daff947b6cd8bd991c3c97da2b486cc5
SHA256 2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832
SHA512 c20e9df0cb777326e0b4f1864562e324f9d888977331197479bc3b50b27643b55796f621168c5f84fdfa22f4de6a555f9e2500e7252945e797b4b9c0769daaf6

memory/3040-31-0x0000000003740000-0x0000000003750000-memory.dmp

memory/3040-30-0x0000000003730000-0x0000000003731000-memory.dmp

memory/2604-72-0x00000000024D0000-0x0000000002527000-memory.dmp

memory/2604-71-0x00000000024D0000-0x0000000002527000-memory.dmp

memory/1940-74-0x0000000000400000-0x0000000000457000-memory.dmp

\??\c:\encrypt.txt

MD5 b3b020c4b060bfe84fbbb424221f1073
SHA1 eb9e62232504b9180f8a3f718b64cb68e4149b2c
SHA256 c13cda99ef7b0a48b7829d4a586483a0c09d0bc2400bf44dbb9efe2fb9c4f2fc
SHA512 57c216c612b2c8069a7f3dc8f61f8076d0f1c03dd933699f7fcd9a792e3c907e301575af6021f370809f6f2e0d2efa2ddcf4b6411d056890c728aabb5436a708

memory/2604-117-0x0000000000400000-0x0000000000457000-memory.dmp

\??\c:\windows\SysWOW64\oemlogo.bmp

MD5 be6708e2d2b827b96986be51f0fe3c49
SHA1 b2ac649475b1561ce74416ca12187e688c2c82ba
SHA256 ace4b11d1720f686532407398bf8de75f32dda63cf237d50dd7fbc25612e0af0
SHA512 a3f7f06c95eee2cb828ea060e2b618746c8b423602e257a360961744b8b8d57e37e9ba575162be8c8fc3eed9b7792911211ac71eb5c63a57eee42e14a9e09312

\??\c:\windows\SysWOW64\oeminfo.ini

MD5 d7f66fc25609ee73edc3fd6b255ff55e
SHA1 9a7dd2784e53f4a55d0d26d24ca20ec1c937cc7b
SHA256 d23bc4f30a9e5f0fedd7688435045bfe6c961c9fea4878b493d15e98aae0446c
SHA512 e67612ac8822765e51b071b3f264175527a34378e5eca05196f76d2685be3ad36dae8e5d178890cedbc1ac3364eb875b01ba632332a8c68057ca094d3385f876

\??\c:\windows\system\oeminfo.ini

MD5 1426be8632f29a0c2c879c8c533b0aa8
SHA1 08b8b741ed94a760afd6995695aa5fa3fe0bbd6d
SHA256 341c01d668bdcbe49dabce3bc5a18b85b773f0ad9dca12bceb73b0d29cd32707
SHA512 168be384a3826c6e74bb606da4f607b9d4b3f5cc28c383f7e1bf455ba8f915906c3295416c005e3de1757ef379a610cbcb35e6dbcc3cf5154cb973055ef19bdd

memory/1940-121-0x0000000002670000-0x00000000026C7000-memory.dmp

memory/1940-119-0x0000000002670000-0x00000000026C7000-memory.dmp

memory/1556-169-0x0000000002AD0000-0x0000000002B27000-memory.dmp

memory/836-173-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1556-216-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-218-0x0000000002670000-0x00000000026C7000-memory.dmp

memory/3040-264-0x0000000003730000-0x0000000003731000-memory.dmp

memory/1940-275-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-276-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-277-0x0000000002670000-0x00000000026C7000-memory.dmp

memory/836-282-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-283-0x0000000002670000-0x00000000026C7000-memory.dmp

memory/2180-296-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-305-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-381-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-439-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2180-459-0x0000000000400000-0x0000000000457000-memory.dmp

memory/836-477-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-501-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-571-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-632-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-661-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1940-690-0x0000000000400000-0x0000000000457000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 13:47

Reported

2024-03-04 13:50

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\windows\\Sysa.exe" \??\c:\windows\sysa.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\windows\sysb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\windows\sysa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\windows\winsystem.exe N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" \??\c:\windows\sysa.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" \??\c:\windows\winsystem.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" \??\c:\windows\sysb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\winsystem.exe N/A
N/A N/A \??\c:\windows\sysa.exe N/A
N/A N/A \??\c:\windows\sysb.exe N/A
N/A N/A \??\c:\windows\sysa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explores = "C:\\BootEx.exe" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SysMonitor = "C:\\windows\\sysa.exe" \??\c:\windows\sysb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\Z: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\J: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\G: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\H: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\I: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\K: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\Y: \??\c:\windows\winsystem.exe N/A
File opened (read-only) \??\E: \??\c:\windows\winsystem.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\WindowsProtection.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oemlogo.bmp \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\SysWOW64\oemlogo.bmp C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsProtection.exe \??\c:\windows\winsystem.exe N/A
File created \??\c:\windows\SysWOW64\oeminfo.ini C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SysWOW64\oeminfo.ini \??\c:\windows\sysa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\sysb.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\windows.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\system\oemlogo.bmp C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\WinSys32.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\MonitorMission.run C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\sysa.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\WinSys32.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\windows.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\Win System.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\sysb.exe N/A
File created \??\c:\windows\system\oeminfo.ini C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\runrunrun.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\SystemMonitor64.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\winsystem.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\windows.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\sysa.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\winsystem.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorMission.run \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\WinSystem.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\MonitorSetup.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\runrunrun.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\system\oeminfo.ini \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\Win System.exe \??\c:\windows\sysb.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\sysb.exe N/A
File created \??\c:\windows\WinSystem.exe \??\c:\windows\sysa.exe N/A
File created \??\c:\windows\WinSystem.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\MonitorSetup.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\sysb.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A
File opened for modification \??\c:\windows\system\oemlogo.bmp \??\c:\windows\winsystem.exe N/A
File opened for modification \??\c:\windows\SystemMonitor64.exe \??\c:\windows\sysa.exe N/A
File opened for modification \??\c:\windows\Win System.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "cfgFile" \??\c:\windows\winsystem.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open\command\ = "c:\\windows\\windows.exe" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.run \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\ = "Application" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\NeverShowExt \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\Command\ = "\"%1\" %*" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command\ = "C:\\windows\\MonitorMission.run" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exc \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.dat\ = "cfgFile" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Search\Command\ = "C:\\windows\\MonitorMission.run" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Run As \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\ = "Application" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Run As\Command \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\ = "Application" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\ = "application" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open\command\ = "\"%1\" %*" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\NeverShowExt \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "cfgFile" \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\NeverShowExt \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "cfgFile" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "Application" \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open\command \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\ = "Application" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exed \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.com \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\DefaultIcon \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.8\ = "Application" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\shell\open\command \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cfg\ = "cfgFile" \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.8\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\winsystem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\ = "C:\\windows\\windows.exe" \??\c:\windows\sysa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.run \??\c:\windows\winsystem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\ = "Application" \??\c:\windows\sysb.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000005a583d711100557365727300640009000400efbe874f77486458fd6d2e000000c70500000000010000000000000000003a00000000002f07650055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\Shell\Open\ = "Open" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dbfile\ = "%SystemRoot%\\SysWow64\\shell32.dll,3" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\excfile\ = "application" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cfgfile\shell\Open\command\ = "c:\\windows\\windows.exe" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exedfile\DefaultIcon\ = "C:\\windows\\windows.exe" \??\c:\windows\sysa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "cfgFile" \??\c:\windows\sysa.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000005a58f176100041646d696e003c0009000400efbe5a583d716458fd6d2e00000077e10100000001000000000000000000000000000000c183b100410064006d0069006e00000014000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.run\ = "exefile" \??\c:\windows\sysb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "cfgFile" \??\c:\windows\sysb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Scan for Virus\Command \??\c:\windows\sysa.exe N/A
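The persistence, evasion, file-drop and "Modifies registry class" sections above are the indicators an incident responder would check for on a suspect host. The script below is an added example, not part of the sandbox report and not code from the sandbox vendor: it reads each registry location and dropped-file path exactly as the report lists them and prints what is present. Two points it accounts for that the report leaves implicit: the sample is 32-bit, so the sandbox only saw the redirected WOW6432Node write for Winlogon\Shell and the Run key, and the script therefore checks both the native and the redirected view; and the per-user values were written under the sandbox user's SID (S-1-5-21-...-1000), so every loaded user hive under HKEY_USERS is checked, not just HKCU of whoever runs the script. Function names, the indicator table layout and the -ResetWinlogonShell helper are this example's own; the registry paths, value names, data and file paths are copied from the report.

```powershell
# Added example: live triage of a Windows host for the artifacts behavioral2 recorded.
# Not part of the sandbox report. Paths, value names and data come from the report;
# function names and the indicator layout are this example's own. Run elevated, PS 5.1+.

$ErrorActionPreference = 'SilentlyContinue'

# Machine-wide values. Winlogon\Shell and Run are listed in both the native and the
# WOW6432Node view: the report only shows the redirected write of a 32-bit sample.
$MachineIndicators = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Name = 'Shell';       Bad = 'Sysa.exe' }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';       Bad = 'Sysa.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                     Name = ' SysMonitor'; Bad = 'sysa.exe' }   # leading space is in the report
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run';         Name = ' SysMonitor'; Bad = 'sysa.exe' }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run';         Name = 'explores';    Bad = 'BootEx.exe' }
    # File-class hijacks from "Modifies registry class": opening a .bin/.com/.dat/.cfg
    # file, or Explorer's folder Search verb, would start the dropped binaries.
    @{ Key = 'HKLM:\SOFTWARE\Classes\cfgfile\shell\Open\command';                       Name = '(default)';   Bad = 'windows.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\Folder\shell\Search\Command';                      Name = '(default)';   Bad = 'MonitorMission.run' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\.com';                                             Name = '(default)';   Bad = 'cfgFile' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\.run';                                             Name = '(default)';   Bad = 'exefile' }
)

# Per-user values, relative to each loaded user hive (the report's user is ...-1000).
$UserIndicators = @(
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = ' SysMonitor'; Bad = 'sysa.exe' }
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Bad = '1' }
    @{ Sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisallowRun'; Bad = '1' }
)

# Files from "Drops file in Windows/System32 directory", the Run-key targets and the Files list.
$DroppedFiles = @(
    'C:\Windows\winsystem.exe', 'C:\Windows\sysa.exe', 'C:\Windows\sysb.exe',
    'C:\Windows\windows.exe', 'C:\Windows\WinSys32.exe', 'C:\Windows\WinSystem.exe',
    'C:\Windows\Win System.exe', 'C:\Windows\runrunrun.exe', 'C:\Windows\MonitorSetup.exe',
    'C:\Windows\MonitorMission.run', 'C:\Windows\SystemMonitor64.exe',
    'C:\Windows\SysWOW64\WindowsProtection.exe', 'C:\BootEx.exe', 'C:\encrypt.txt'
)
$SampleSha256 = '2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832'

function Test-RegistryIndicator {
    param([string]$Key, [string]$Name, [string]$Bad)
    $item = Get-ItemProperty -LiteralPath $Key
    if (-not $item) { return }
    $prop = $item.PSObject.Properties[$Name]      # works for '(default)' and names with spaces
    if ($prop -and "$($prop.Value)" -like "*$Bad*") {
        [pscustomobject]@{ Kind = 'Registry'; Location = "$Key\$Name"; Data = "$($prop.Value)" }
    }
}

function Get-ReportRegistryHits {
    foreach ($i in $MachineIndicators) { Test-RegistryIndicator @i }
    $hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }   # real user hives, not *_Classes
    foreach ($h in $hives) {
        foreach ($i in $UserIndicators) {
            Test-RegistryIndicator -Key "Registry::$($h.Name)\$($i.Sub)" -Name $i.Name -Bad $i.Bad
        }
    }
}

function Get-ReportFileHits {
    foreach ($p in $DroppedFiles) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $note = if ($hash -eq $SampleSha256) { 'sha256 matches the sample' } else { "sha256=$hash" }
        [pscustomobject]@{ Kind = 'File'; Location = $p; Data = $note }
    }
}

function Reset-WinlogonShell {
    # Restores the default shell in both views. Run only after the dropped binaries are
    # quarantined; otherwise the Run keys and class hijacks restart them regardless.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        if (Test-Path -LiteralPath $k) { Set-ItemProperty -LiteralPath $k -Name Shell -Value 'explorer.exe' }
    }
}

$hits = @(Get-ReportRegistryHits) + @(Get-ReportFileHits)
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No behavioral2 artifacts found.' }
```

A hash match on C:\Windows\windows.exe is the strongest confirmation, since the report shows that file carrying the sample's own SHA256. The class hijacks are deliberately only reported, not reverted: the sample replaced the handler for .com and others with its own cfgFile class, and restoring those correctly means reinstating the original ProgIDs rather than deleting keys.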

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4628 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\explorer.exe
PID 4628 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\explorer.exe
PID 4628 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\winsystem.exe
PID 4628 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\winsystem.exe
PID 4628 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe \??\c:\windows\winsystem.exe
PID 1104 wrote to memory of 4824 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1104 wrote to memory of 4824 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1104 wrote to memory of 4824 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 4824 wrote to memory of 2736 N/A \??\c:\windows\sysa.exe \??\c:\windows\sysb.exe
PID 4824 wrote to memory of 2736 N/A \??\c:\windows\sysa.exe \??\c:\windows\sysb.exe
PID 4824 wrote to memory of 2736 N/A \??\c:\windows\sysa.exe \??\c:\windows\sysb.exe
PID 1104 wrote to memory of 4192 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1104 wrote to memory of 4192 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe
PID 1104 wrote to memory of 4192 N/A \??\c:\windows\winsystem.exe \??\c:\windows\sysa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe

"C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5.exe"

\??\c:\windows\explorer.exe

c:\windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\b2483ad0a449f083de08dfc3f6ea52d5

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

\??\c:\windows\winsystem.exe

c:\windows\winsystem.exe

\??\c:\windows\sysa.exe

c:\windows\sysa.exe

\??\c:\windows\sysb.exe

c:\windows\sysb.exe

\??\c:\windows\sysa.exe

c:\windows\sysa.exe
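The WriteProcessMemory entries and the Processes list together give the execution chain: the sample (PID 4628) starts explorer.exe with its own Temp path as the argument and starts winsystem.exe, which starts sysa.exe twice, one of which starts sysb.exe. Three "wrote to memory" entries per child of this shape commonly accompany a plain CreateProcess in this sandbox and do not on their own prove code injection; the parent-child chain and the registry and file events around it are the useful signal. The script below is an added example, not from the report or the sandbox vendor: it hunts a Sysmon-instrumented host's event log for those behaviours. It assumes Sysmon is installed with process-create (Event ID 1), file-create (ID 11) and registry value-set (ID 13) logging enabled for the relevant keys and paths; the rule set, thresholds and function names are this example's own.

```powershell
# Added example: hunt Sysmon events for the behaviour chain behavioral2 recorded.
# Not part of the sandbox report. Assumes Sysmon with IDs 1, 11 and 13 enabled;
# the rules and function names below are this example's own.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function ConvertFrom-SysmonEvent {
    # Flattens one event's EventData into a hashtable keyed by Sysmon field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{ EventId = $Event.Id; Time = $Event.TimeCreated }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Find-ReportBehaviour {
    param([int]$MaxEvents = 50000, [datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = $SysmonLog; Id = 1, 11, 13; StartTime = $Since }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        $e = ConvertFrom-SysmonEvent $ev
        $rule = $null
        switch ($e.EventId) {
            13 {
                # Winlogon\Shell should be exactly 'explorer.exe'; anything appended is persistence.
                if ($e.TargetObject -match '\\Winlogon\\Shell$' -and $e.Details -ne 'explorer.exe') { $rule = 'Winlogon Shell changed' }
                elseif ($e.TargetObject -match '\\CurrentVersion\\Run\\' -and $e.Details -match '(?i)\\Windows\\[^\\]+\.exe$') { $rule = 'Run key points into C:\Windows' }
                elseif ($e.TargetObject -match '\\Explorer\\Advanced\\HideFileExt$' -and $e.Details -match '0x0*1\)?$') { $rule = 'Extensions hidden' }
                elseif ($e.TargetObject -match '\\Policies\\Explorer\\DisallowRun$') { $rule = 'DisallowRun policy set' }
                elseif ($e.TargetObject -match '(?i)\\Classes\\(Folder\\shell\\Search|cfgfile\\shell\\Open)\\command') { $rule = 'Shell verb hijacked' }
            }
            11 {
                # The sample ran from %TEMP% and created executables directly under C:\Windows.
                if ($e.TargetFilename -match '(?i)^C:\\Windows\\[^\\]+\.(exe|run)$' -and $e.Image -notmatch '(?i)^C:\\Windows\\') { $rule = 'Non-system image dropped into C:\Windows' }
            }
            1 {
                # explorer.exe launched with a %TEMP% path as argument, and dropped binaries spawning each other.
                if ($e.Image -match '(?i)\\explorer\.exe$' -and $e.CommandLine -match '(?i)\\AppData\\Local\\Temp\\') { $rule = 'explorer.exe given a Temp path' }
                elseif ($e.ParentImage -match '(?i)^C:\\Windows\\(winsystem|sysa|sysb)\.exe$') { $rule = 'Child of a dropped binary' }
            }
        }
        if ($rule) {
            $detail = if ($e.EventId -eq 13) { "$($e.TargetObject) = $($e.Details)" }
                      elseif ($e.EventId -eq 11) { $e.TargetFilename } else { $e.CommandLine }
            [pscustomobject]@{ Time = $e.Time; EventId = $e.EventId; Rule = $rule; Image = $e.Image; Detail = $detail }
        }
    }
}

Find-ReportBehaviour | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The rules are ordered from the most specific to the noisiest; the "Winlogon Shell changed" and "Shell verb hijacked" hits are rare on a healthy host, while HideFileExt is toggled by users and needs the surrounding events for context. The regexes read Sysmon's rendering of registry paths (HKLM\..., HKU\<SID>\...), so the WOW6432Node and native views both match without separate rules.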

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/4628-0-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Windows\windows.exe

MD5 b2483ad0a449f083de08dfc3f6ea52d5
SHA1 b2564a83daff947b6cd8bd991c3c97da2b486cc5
SHA256 2fae63b5ac9132e0cbe6ed4804af043bf257ed480e432ff6c4278044a3dbe832
SHA512 c20e9df0cb777326e0b4f1864562e324f9d888977331197479bc3b50b27643b55796f621168c5f84fdfa22f4de6a555f9e2500e7252945e797b4b9c0769daaf6

memory/1104-75-0x0000000000400000-0x0000000000457000-memory.dmp

\??\c:\windows\SysWOW64\oemlogo.bmp

MD5 be6708e2d2b827b96986be51f0fe3c49
SHA1 b2ac649475b1561ce74416ca12187e688c2c82ba
SHA256 ace4b11d1720f686532407398bf8de75f32dda63cf237d50dd7fbc25612e0af0
SHA512 a3f7f06c95eee2cb828ea060e2b618746c8b423602e257a360961744b8b8d57e37e9ba575162be8c8fc3eed9b7792911211ac71eb5c63a57eee42e14a9e09312

\??\c:\windows\SysWOW64\oeminfo.ini

MD5 d7f66fc25609ee73edc3fd6b255ff55e
SHA1 9a7dd2784e53f4a55d0d26d24ca20ec1c937cc7b
SHA256 d23bc4f30a9e5f0fedd7688435045bfe6c961c9fea4878b493d15e98aae0446c
SHA512 e67612ac8822765e51b071b3f264175527a34378e5eca05196f76d2685be3ad36dae8e5d178890cedbc1ac3364eb875b01ba632332a8c68057ca094d3385f876

\??\c:\windows\system\oeminfo.ini

MD5 1426be8632f29a0c2c879c8c533b0aa8
SHA1 08b8b741ed94a760afd6995695aa5fa3fe0bbd6d
SHA256 341c01d668bdcbe49dabce3bc5a18b85b773f0ad9dca12bceb73b0d29cd32707
SHA512 168be384a3826c6e74bb606da4f607b9d4b3f5cc28c383f7e1bf455ba8f915906c3295416c005e3de1757ef379a610cbcb35e6dbcc3cf5154cb973055ef19bdd

\??\c:\encrypt.txt

MD5 b3b020c4b060bfe84fbbb424221f1073
SHA1 eb9e62232504b9180f8a3f718b64cb68e4149b2c
SHA256 c13cda99ef7b0a48b7829d4a586483a0c09d0bc2400bf44dbb9efe2fb9c4f2fc
SHA512 57c216c612b2c8069a7f3dc8f61f8076d0f1c03dd933699f7fcd9a792e3c907e301575af6021f370809f6f2e0d2efa2ddcf4b6411d056890c728aabb5436a708

memory/4628-118-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4824-209-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4824-300-0x0000000000400000-0x0000000000457000-memory.dmp

\??\c:\encrypt.txt

MD5 a18431860b53b3d76768c72d03ed0f6b
SHA1 97d8589ccf254c187a517e0dd00f0f31086edbdb
SHA256 1ec66eaee1724701915130be8778f675d215000c66c722362670d5330aab2812
SHA512 82ccdac7469c19a7fade57aeef57bacb69448dc23ea1ca0d6e7340bf54e216425f5adf5a9008c1c8c60f3a968f82fa18e380974e6724c25ec2087efa92705de9

memory/1104-362-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2736-375-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4192-376-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-391-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-392-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-421-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-468-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-503-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-542-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2736-547-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4192-548-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-563-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-592-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-623-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-674-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-695-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-724-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-745-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1104-774-0x0000000000400000-0x0000000000457000-memory.dmp