Malware Analysis Report

2025-08-10 18:08

Sample ID 240507-lfkhzsda96
Target QI.EXE
SHA256 e740b975892814f7e3de95064e387a8849a1bf229428dadc012d326da2a7fb57
Tags
bootkit evasion persistence
Score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
8/10

SHA256

e740b975892814f7e3de95064e387a8849a1bf229428dadc012d326da2a7fb57

Threat Level: Likely malicious

The file QI.EXE was found to be: Likely malicious.

Malicious Activity Summary

bootkit evasion persistence

Disables Task Manager via registry modification

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 09:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 09:28

Reported

2024-05-07 09:36

Platform

win7-20240215-en

Max time kernel

439s

Max time network

440s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QI.exe"

Signatures

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2308 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\QI.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\QI.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\QI.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\QI.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
PID 2960 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
PID 2960 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
PID 2960 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
PID 2960 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
PID 2960 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
PID 2960 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
PID 2960 wrote to memory of 2104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
PID 2960 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
PID 2960 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
PID 2960 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
PID 2960 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
PID 2960 wrote to memory of 2472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2960 wrote to memory of 2472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2960 wrote to memory of 2472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2960 wrote to memory of 2472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2960 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
PID 2960 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
PID 2960 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
PID 2960 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
PID 2960 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2960 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2960 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2960 wrote to memory of 1584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
PID 2612 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
PID 2612 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
PID 2612 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
PID 1584 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1972 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1972 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1972 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1972 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
PID 1972 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
PID 1972 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
PID 1972 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
PID 1620 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe
PID 1620 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe
PID 1620 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe
PID 1620 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\QI.exe

"C:\Users\Admin\AppData\Local\Temp\QI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe

crazyinvers.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe

crazywarningicons.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe

erroricons.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe

1111.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe

pizdec.exe

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe

MD5 e21bb4749a8b1b6fc26a7bcf57781836
SHA1 89cb0bd80d691ca650ad01551be3acefa2256ebd
SHA256 0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
SHA512 b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe

MD5 d76f5511907522ebe06e829de7b5ed52
SHA1 090abee096762c74879cc64197201011d09a6928
SHA256 248e8e6fe3c0699f347e6651eaf79c2d820848549520850b45ab9b762dbb9776
SHA512 8e7dd01b7bad9a3a3e4af3df76a8f6b3c80a20b3d3f9bd0cef8d1f0a4a6bbb893a8ab0075d0d5329a689a82ee8af2db756c1055d5be5d5417c9e6f33747dcbae

C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe

MD5 fdad1b564558765657cb835752b47e7c
SHA1 3c94e9acc969b66aab45eb8a60a77b27691950b2
SHA256 9b9f847720789d72858a6f25447ca0da4a1918cc2c1bc1e2f15ab462bb9c61e5
SHA512 d04e560bd589b8c2b5f49753fa5d32d55c6978b53320639b65f4ee285154d0a216ff0765260407407e6cc6adc9b1d775c96b6a2dcdd7da1cea8a5fd175afd76e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\php5ts.dll

MD5 c9aff68f6673fae7580527e8c76805b6
SHA1 bb62cc1db82cfe07a8c08a36446569dfc9c76d10
SHA256 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
SHA512 c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

MD5 f1ab5f5c9b58c3079d3184d263a15104
SHA1 870dfbd1219497389eaf590a16cf9011975113c7
SHA256 b20daedd6b3f51a84f7ac88e90aeac6a7f334cb8f5bdae138e10911ca47dc222
SHA512 f99410afd2298e751c6f37f5db3ada32e675bab87c6f14599bc39d0bad89d399283fa0f820bee41dedd260454d6b3749e7460b940ff66519ec8e1aee27efc15d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

MD5 8099c67a9631789db03e90d7b7bf0980
SHA1 4fbf9f44825a1184b24a0d957b20a850f3b07c42
SHA256 88a4ed5c8caad58c8eda0d4ed6e36c98ce5b7545529da0cf41ffea4015b71206
SHA512 c2ce0931eed4925e9b808250aa1335e234470571f4e2c95ffc16af972656fb0c3c8b383327d38ec7d1a5d6290e5c6800715b14c0cb93f8ec2092f8e9c3a26043

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 bc1e7d033a999c4fd006109c24599f4d
SHA1 b927f0fc4a4232a023312198b33272e1a6d79cec
SHA256 13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
SHA512 f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe

MD5 7f31508d95be3fe50e4e9aa646e86a12
SHA1 c61b439d6e17d630728f48c09b36af2647940748
SHA256 994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
SHA512 2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe

MD5 a44458813e819777013eb3e644d74362
SHA1 2dd0616ca78e22464cf0cf68ef7915358a16f9ee
SHA256 47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
SHA512 1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat

MD5 71bdd5f2a82ddb4537898c420327c080
SHA1 a6a67d3b0b8eb6a23f1da06e264c57ead3f3c579
SHA256 9b621f3f99c45ffe166a2389f3285110c4c2a189dd1ce95145778bc97c6464c1
SHA512 76f522afdf779e36bf385f4ebf3ff0567f9675d1e3fa7b5648380e0e48dbdc0ffe2005642831e58910c242715aeec85a1b0c7ab43470d145a64913d7fe3711e2

memory/2480-108-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1912-109-0x0000000000400000-0x0000000000653000-memory.dmp

memory/2104-107-0x0000000000400000-0x0000000000541000-memory.dmp

memory/2716-106-0x0000000000400000-0x0000000000582000-memory.dmp

memory/1912-113-0x0000000000400000-0x0000000000653000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe

MD5 f35633ae6d4ed40fce9b5b62dd575d79
SHA1 df952be90c5447bac8db8a3bb2c31d6820a9e2a0
SHA256 97b09d2780df299384aa0f5d8184b9d5dc5df9d59715320b9afa7bdc93baa95c
SHA512 4b3ec5a372ab6883cf5b7f52010c99a2b7cf787b37b0062cbb542ae3557d8410e6ec2bff07e6d2266cea35885647ca9c5d26acce93fbace884e8fca632869952

memory/1620-228-0x000000002AA00000-0x000000002AA05000-memory.dmp

memory/2348-236-0x000000002AA00000-0x000000002AA05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 d94e00dfb41542029aaf53f329f33c7d
SHA1 010eac3cd5e1d2312930091c6c804f4c5ad58dde
SHA256 82af09d3c68b25a393879906b7197f4dbe30c3dbe1b9b2817eefddea6d96cb03
SHA512 dec4743ce68538395b4915e8fd3f932a02ee08d82ac899b278ea91c44e747076353a81a48de04ff4e4513d2b7e3764c564240319e4975dd00920f78189582639

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 09:28

Reported

2024-05-07 09:33

Platform

win10v2004-20240426-en

Max time kernel

317s

Max time network

319s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QI.exe"

Signatures

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QI.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | N/A
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\2229298842\2573727926.pri | C:\Windows\system32\LogonUI.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sys3.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3300 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\QI.exe | C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\QI.exe | C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\QI.exe | C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
PID 3484 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
PID 3484 wrote to memory of 2012 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
PID 3484 wrote to memory of 5008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
PID 3484 wrote to memory of 5008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
PID 3484 wrote to memory of 5008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
PID 3484 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
PID 3484 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
PID 3484 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
PID 3484 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 3484 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 3484 wrote to memory of 4000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
PID 3484 wrote to memory of 4000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
PID 3484 wrote to memory of 4000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
PID 3484 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3484 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3484 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 4000 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
PID 4000 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
PID 4000 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
PID 2696 wrote to memory of 4376 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 4376 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 4376 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4376 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4376 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4376 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4376 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
PID 4376 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
PID 4376 wrote to memory of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
PID 3000 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe
PID 3000 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe
PID 3000 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe | C:\Users\Admin\AppData\Local\Temp\sys3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\QI.exe

"C:\Users\Admin\AppData\Local\Temp\QI.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe

crazyinvers.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe

crazywarningicons.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe

erroricons.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe

1111.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe

pizdec.exe

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38c3855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
GB | 23.73.138.9:443 | www.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.138.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe

MD5 d76f5511907522ebe06e829de7b5ed52
SHA1 090abee096762c74879cc64197201011d09a6928
SHA256 248e8e6fe3c0699f347e6651eaf79c2d820848549520850b45ab9b762dbb9776
SHA512 8e7dd01b7bad9a3a3e4af3df76a8f6b3c80a20b3d3f9bd0cef8d1f0a4a6bbb893a8ab0075d0d5329a689a82ee8af2db756c1055d5be5d5417c9e6f33747dcbae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 bc1e7d033a999c4fd006109c24599f4d
SHA1 b927f0fc4a4232a023312198b33272e1a6d79cec
SHA256 13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
SHA512 f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

memory/2108-38-0x0000000001420000-0x0000000001430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe

MD5 7f31508d95be3fe50e4e9aa646e86a12
SHA1 c61b439d6e17d630728f48c09b36af2647940748
SHA256 994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
SHA512 2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

MD5 8099c67a9631789db03e90d7b7bf0980
SHA1 4fbf9f44825a1184b24a0d957b20a850f3b07c42
SHA256 88a4ed5c8caad58c8eda0d4ed6e36c98ce5b7545529da0cf41ffea4015b71206
SHA512 c2ce0931eed4925e9b808250aa1335e234470571f4e2c95ffc16af972656fb0c3c8b383327d38ec7d1a5d6290e5c6800715b14c0cb93f8ec2092f8e9c3a26043

memory/2108-44-0x000000001B8F0000-0x000000001B996000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe

MD5 fdad1b564558765657cb835752b47e7c
SHA1 3c94e9acc969b66aab45eb8a60a77b27691950b2
SHA256 9b9f847720789d72858a6f25447ca0da4a1918cc2c1bc1e2f15ab462bb9c61e5
SHA512 d04e560bd589b8c2b5f49753fa5d32d55c6978b53320639b65f4ee285154d0a216ff0765260407407e6cc6adc9b1d775c96b6a2dcdd7da1cea8a5fd175afd76e

memory/2108-56-0x000000001C4C0000-0x000000001C55C000-memory.dmp

memory/2108-53-0x000000001BEF0000-0x000000001C3BE000-memory.dmp

memory/2108-63-0x000000001C620000-0x000000001C66C000-memory.dmp

memory/2108-61-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\php5ts.dll

MD5 c9aff68f6673fae7580527e8c76805b6
SHA1 bb62cc1db82cfe07a8c08a36446569dfc9c76d10
SHA256 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
SHA512 c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

MD5 f1ab5f5c9b58c3079d3184d263a15104
SHA1 870dfbd1219497389eaf590a16cf9011975113c7
SHA256 b20daedd6b3f51a84f7ac88e90aeac6a7f334cb8f5bdae138e10911ca47dc222
SHA512 f99410afd2298e751c6f37f5db3ada32e675bab87c6f14599bc39d0bad89d399283fa0f820bee41dedd260454d6b3749e7460b940ff66519ec8e1aee27efc15d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe

MD5 e21bb4749a8b1b6fc26a7bcf57781836
SHA1 89cb0bd80d691ca650ad01551be3acefa2256ebd
SHA256 0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
SHA512 b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe

MD5 a44458813e819777013eb3e644d74362
SHA1 2dd0616ca78e22464cf0cf68ef7915358a16f9ee
SHA256 47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
SHA512 1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat

MD5 71bdd5f2a82ddb4537898c420327c080
SHA1 a6a67d3b0b8eb6a23f1da06e264c57ead3f3c579
SHA256 9b621f3f99c45ffe166a2389f3285110c4c2a189dd1ce95145778bc97c6464c1
SHA512 76f522afdf779e36bf385f4ebf3ff0567f9675d1e3fa7b5648380e0e48dbdc0ffe2005642831e58910c242715aeec85a1b0c7ab43470d145a64913d7fe3711e2

memory/2012-64-0x0000000000400000-0x0000000000582000-memory.dmp

memory/5008-65-0x0000000000400000-0x0000000000541000-memory.dmp

memory/4352-67-0x0000000000400000-0x0000000000653000-memory.dmp

memory/3252-66-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2108-72-0x0000000001420000-0x0000000001430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe

MD5 f35633ae6d4ed40fce9b5b62dd575d79
SHA1 df952be90c5447bac8db8a3bb2c31d6820a9e2a0
SHA256 97b09d2780df299384aa0f5d8184b9d5dc5df9d59715320b9afa7bdc93baa95c
SHA512 4b3ec5a372ab6883cf5b7f52010c99a2b7cf787b37b0062cbb542ae3557d8410e6ec2bff07e6d2266cea35885647ca9c5d26acce93fbace884e8fca632869952

memory/3000-191-0x000000002AA00000-0x000000002AA05000-memory.dmp

memory/2484-194-0x000000002AA00000-0x000000002AA05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 d94e00dfb41542029aaf53f329f33c7d
SHA1 010eac3cd5e1d2312930091c6c804f4c5ad58dde
SHA256 82af09d3c68b25a393879906b7197f4dbe30c3dbe1b9b2817eefddea6d96cb03
SHA512 dec4743ce68538395b4915e8fd3f932a02ee08d82ac899b278ea91c44e747076353a81a48de04ff4e4513d2b7e3764c564240319e4975dd00920f78189582639