Malware Analysis Report

2024-09-11 05:56

Sample ID 240529-k8ww2shg9v
Target MDE_File_Sample_f901feefe2dd5ab8145211305d94a7e3e5389774.zip
SHA256 d0972f1f8df58954c5812e3394cf9dd94049809b9168b536c505a68a18563397
Tags
upx discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d0972f1f8df58954c5812e3394cf9dd94049809b9168b536c505a68a18563397

Threat Level: Likely malicious

The file MDE_File_Sample_f901feefe2dd5ab8145211305d94a7e3e5389774.zip was found to be: Likely malicious.

Malicious Activity Summary

upx discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks BIOS information in registry

Executes dropped EXE

UPX packed file

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-29 09:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 09:16

Reported

2024-05-29 09:22

Platform

win7-20240221-en

Max time kernel

201s

Max time network

202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bootsect.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2132 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2132 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2132 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2676 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1400 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1400 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1400 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2676 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1600 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1600 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1600 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1956 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1956 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1956 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2676 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 948 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 948 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 948 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2676 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1744 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1744 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2676 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2672 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2672 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2672 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2676 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "compact /u \\?\Volume{66810243-d100-11ee-bac6-806e6f6e6963}\PSGEN"

C:\Windows\SysWOW64\compact.exe

compact /u \\?\Volume{66810243-d100-11ee-bac6-806e6f6e6963}\PSGEN

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"

C:\bootsect.exe

C:\bootsect.exe /nt60 SYS /force

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "shutdown -r -t 0"

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2676-0-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2676-1-0x0000000000340000-0x0000000000353000-memory.dmp

memory/2676-14-0x0000000000370000-0x0000000000382000-memory.dmp

memory/2676-38-0x0000000000390000-0x00000000003A0000-memory.dmp

memory/2676-62-0x0000000002490000-0x000000000262A000-memory.dmp

memory/2676-54-0x00000000003E0000-0x0000000000400000-memory.dmp

memory/2676-46-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2676-30-0x00000000003B0000-0x00000000003C1000-memory.dmp

memory/2676-22-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2676-9-0x0000000000360000-0x0000000000370000-memory.dmp

memory/2676-64-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2676-65-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2676-66-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2676-67-0x0000000000400000-0x0000000000623000-memory.dmp

C:\Acer.XRM-MS

MD5 f25832af6a684360950dbb15589de34a
SHA1 17ff1d21005c1695ae3dcbdc3435017c895fff5d
SHA256 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
SHA512 e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

\??\Volume{66810243-d100-11ee-bac6-806e6f6e6963}\PSGEN

MD5 c720309d465b5d80c41ab96da9625922
SHA1 bee85436de4292d415e40c900e8216b07d59264b
SHA256 0c0b54dba811504b6b18e3c2164acf001b40801f0b8a6f357ac119c94bbd8829
SHA512 c224e872a7cc056e89865407bc94db040b80af8bb17dbb5b4c723ca51f30beb17bc4f97a658be65e1cdc4d4fc581fa49b6e79feebd981c15acba4b8d7c5b931b

C:\bootsect.exe

MD5 fe2479b482c0dcd5c432ad8da69e9214
SHA1 83549515da272e2318e0e518d1108dc90cd0b3fb
SHA256 ea86855bb1a7c8155e69322362ce98f1953988b0d9693b86b5eb55409c1a99af
SHA512 d6166a00779d14d32673a36f437685178e1578fe3f902ff734979ca2a987a8b10ede472a8117300cf9fc94609920a158f1b49d60fd89f9872844c86b1fb3ec13

memory/2676-97-0x0000000000400000-0x0000000000623000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 09:16

Reported

2024-05-29 09:30

Platform

win10v2004-20240508-en

Max time kernel

591s

Max time network

488s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/944-0-0x0000000000400000-0x0000000000623000-memory.dmp

memory/944-1-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/944-22-0x00000000026F0000-0x000000000288A000-memory.dmp

memory/944-14-0x00000000024D0000-0x00000000024E2000-memory.dmp

memory/944-31-0x0000000002F30000-0x0000000002F41000-memory.dmp

memory/944-23-0x0000000010000000-0x0000000010021000-memory.dmp

memory/944-55-0x0000000002F70000-0x0000000002F90000-memory.dmp

memory/944-47-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/944-40-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/944-9-0x0000000002460000-0x0000000002470000-memory.dmp

memory/944-63-0x0000000000400000-0x0000000000623000-memory.dmp