Malware Analysis Report

2025-08-05 09:42

Sample ID: 240611-bl2z4syfmn
Target: 019a3cbf6e010648c95022f85d62f860.bin
SHA256: 197cad7906f9104440c231c2ada1d29ee21bcd355b20ce743a241e55e229df9f
Tags: persistence upx
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 019a3cbf6e010648c95022f85d62f860.bin was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence upx

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2024-06-11 01:14

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 01:14
Reported: 2024-06-11 01:17
Platform: win7-20240419-en
Max time kernel: 148s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"

Signatures

UPX packed file

Tag: upx

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | N/A (64 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 992 wrote to memory of 2780 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
PID 2780 wrote to memory of 1424 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe | C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 2380 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2780 wrote to memory of 1304 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 1304 wrote to memory of 1088 (8 events) | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 1304 wrote to memory of 1524 (8 events) | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 1524 wrote to memory of 1860 (8 events) | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
  "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"

C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
  "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FTSEM.bat" "

C:\Windows\SysWOW64\reg.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | s3.amazonaws.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\FTSEM.bat

MD5 fc1798b7c7938454220fda837a76f354
SHA1 b232912930b2bc24ff18bf7ecd58f872bbe01ea0
SHA256 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
SHA512 d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

\Users\Admin\AppData\Roaming\config\explorer.exe

MD5 ddea40eeb762234a5acd123260f719c1
SHA1 dab0c958bc6a206a323291a7d476a2a3438384f5
SHA256 5a0a705a463472d81586e46301c02b5d42d96e1f0e3a11fa8c888e0e4ef66db8
SHA512 ec3ea86e46d144a64969b9f46fb2f8bb347467d19794dec2ed75da18b1032b647add7921eb41c7d43f63dd206f8c5a590b834831bf6508c1419858c908bd9e5c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 01:14
Reported: 2024-06-11 01:17
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\config\explorer.exe | N/A

UPX packed file

Tag: upx

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | N/A (64 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3184 wrote to memory of 2312 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
PID 2312 wrote to memory of 3376 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe | C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4116 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2312 wrote to memory of 2356 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 2356 wrote to memory of 3448 (8 events) | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 2356 wrote to memory of 3596 (7 events) | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3596 wrote to memory of 2076 (7 events) | N/A | C:\Users\Admin\AppData\Roaming\config\explorer.exe | C:\Users\Admin\AppData\Roaming\config\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
  "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"

C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe
  "C:\Users\Admin\AppData\Local\Temp\019a3cbf6e010648c95022f85d62f860.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIFNA.bat" "

C:\Windows\SysWOW64\reg.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe
  "C:\Users\Admin\AppData\Roaming\config\explorer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.110.63.41.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | s3.amazonaws.com | udp
US | 16.182.98.136:443 | s3.amazonaws.com | tcp
US | 8.8.8.8:53 | ocsp.r2m01.amazontrust.com | udp
FR | 3.162.33.170:80 | ocsp.r2m01.amazontrust.com | tcp
US | 8.8.8.8:53 | 136.98.182.16.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.200.245.18.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.193.84.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 170.33.162.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\HIFNA.txt

MD5 fc1798b7c7938454220fda837a76f354
SHA1 b232912930b2bc24ff18bf7ecd58f872bbe01ea0
SHA256 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
SHA512 d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

C:\Users\Admin\AppData\Roaming\config\explorer.exe

MD5 654d81db575755684c6f8b895f8faff6
SHA1 d475d21f7a6b604fff6417fb7dcc45afe7414020
SHA256 25a8a2195549dba33ae3f694a806743c1023ee49a418774b68fce5b9948b5c6d
SHA512 46185213fa9f08e6e53d1cd23f485442b3d4b9533bc76225554e0c76a0fb04c0e87b5f3d9fcb6e97234f233e6db307e351f7de728ca00cce41ea55b2c60cccf2

C:\ProgramData\cxz.exe

MD5 0337b4e28ecebee0d2c844b23d9f30b9
SHA1 53e8d04322e9a3f1d1c68c5c7bc8c42630b0a92a
SHA256 b332c6f545192caa994514748e283fa16298c5e3d46ac41955615cd39898fb57
SHA512 0e6453740e050cfb8bbf74e3a9f53a2b85d2f069cbf9bfe670ea2c336da0a9875574f53bb00e99f2f2b0b73c10cc79998727124ef2219448e06dcf2a73040002
