Malware Analysis Report

2024-10-10 12:12

Sample ID 240613-sknvjayanq
Target a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118
SHA256 9fac22e098a25975b035b01c42f1412d4daa60ffe0cffc51b71c2c8d65bec9a6
Tags upx
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 9fac22e098a25975b035b01c42f1412d4daa60ffe0cffc51b71c2c8d65bec9a6

Threat Level: Shows suspicious behavior

The file a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Loads dropped DLL

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-13 15:11

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win7-20240611-en
Max time kernel 140s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\keygen.exe

C:\Users\Admin\AppData\Local\Temp\keygen.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\keygen.exe

MD5 1c662492180514144db462edca9f9d20
SHA1 aa0c2cc7365c514ab75f5be46b0e73f07417c87d
SHA256 dffb8c5f3b46e41e1a1815f12b8df5f10b05ff71b94bc7d243cab33d13eaa625
SHA512 3a049cf4c9cadc7af1b4c1443c5f05f878a77ee07a9292faa9c49763ebfcb528370c35b97b7062ab3eb02d49a2df8a23f16a868230d36bcf6308183a663d411e

C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL

MD5 e4ec57e8508c5c4040383ebe6d367928
SHA1 b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06
SHA256 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f
SHA512 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

memory/2420-15-0x0000000010000000-0x0000000010013000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\R2RJUCE.dll

MD5 c4b4991d621f406e49d86757ee01dd40
SHA1 0570fb52e33f2434373ad74851c5811e8fb158d5
SHA256 7142f93fa14137d57971611435c0faac9a1eb9e2b628df26242eeb095558c968
SHA512 b38baa568ea77e77ff34c894f892bc868b321f6a7c481091c7d48e986fe078482b0ecf6123066bbe2f4d6d60aeb4e4c498cb2add2dd60dd876200b18d80b69f8

memory/2420-17-0x0000000074510000-0x0000000074556000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bgm.xm

MD5 539e356c53b64aeb65475f21711729c2
SHA1 5a1b659f39206162e1c542f44d1e51ce48e7d846
SHA256 34fe3a4db959f96a80835552ecf0c505fa3f5d694512342dcd59903fa830520c
SHA512 d207663d81d8a1f51a365c0b76fcc3a4f668ef51f475723972dc55c8a651c7d72039db29ab6c8465e7fa9a142c8d99aa79ddaf73d89d242726124461743eda99

memory/2420-19-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-20-0x0000000074510000-0x0000000074556000-memory.dmp

memory/2420-21-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-23-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-25-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-26-0x0000000074510000-0x0000000074556000-memory.dmp

memory/2420-27-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-29-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-31-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-33-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-35-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-37-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-39-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-40-0x0000000074510000-0x0000000074556000-memory.dmp

memory/2420-41-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-43-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-45-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2420-47-0x0000000010000000-0x0000000010013000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win7-20240508-en
Max time kernel 118s
Max time network 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Network

N/A

Files

memory/2456-0-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2456-1-0x0000000010012000-0x0000000010013000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win10v2004-20240611-en
Max time kernel 93s
Max time network 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 1140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 1140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 1140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 193.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1140-0-0x0000000075470000-0x00000000754B6000-memory.dmp

memory/1140-1-0x0000000075470000-0x00000000754B6000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win7-20240611-en
Max time kernel 140s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

Network

N/A

Files

memory/2108-1-0x00000000745E0000-0x0000000074626000-memory.dmp

memory/2108-0-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-2-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-3-0x00000000745E0000-0x0000000074626000-memory.dmp

memory/2108-4-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-6-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-8-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-9-0x00000000745E0000-0x0000000074626000-memory.dmp

memory/2108-10-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-12-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-14-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-16-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-18-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-20-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-22-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-23-0x00000000745E0000-0x0000000074626000-memory.dmp

memory/2108-24-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-26-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-28-0x0000000010000000-0x0000000010013000-memory.dmp

memory/2108-30-0x0000000010000000-0x0000000010013000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win10v2004-20240611-en
Max time kernel 142s
Max time network 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6306c79f2996f893dec6bc8fa94eb84_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\keygen.exe

C:\Users\Admin\AppData\Local\Temp\keygen.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x520 0x40c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\keygen.exe

MD5 1c662492180514144db462edca9f9d20
SHA1 aa0c2cc7365c514ab75f5be46b0e73f07417c87d
SHA256 dffb8c5f3b46e41e1a1815f12b8df5f10b05ff71b94bc7d243cab33d13eaa625
SHA512 3a049cf4c9cadc7af1b4c1443c5f05f878a77ee07a9292faa9c49763ebfcb528370c35b97b7062ab3eb02d49a2df8a23f16a868230d36bcf6308183a663d411e

C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL

MD5 e4ec57e8508c5c4040383ebe6d367928
SHA1 b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06
SHA256 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f
SHA512 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

C:\Users\Admin\AppData\Local\Temp\R2RJUCE.dll

MD5 c4b4991d621f406e49d86757ee01dd40
SHA1 0570fb52e33f2434373ad74851c5811e8fb158d5
SHA256 7142f93fa14137d57971611435c0faac9a1eb9e2b628df26242eeb095558c968
SHA512 b38baa568ea77e77ff34c894f892bc868b321f6a7c481091c7d48e986fe078482b0ecf6123066bbe2f4d6d60aeb4e4c498cb2add2dd60dd876200b18d80b69f8

memory/4004-11-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-12-0x0000000074E50000-0x0000000074E96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bgm.xm

MD5 539e356c53b64aeb65475f21711729c2
SHA1 5a1b659f39206162e1c542f44d1e51ce48e7d846
SHA256 34fe3a4db959f96a80835552ecf0c505fa3f5d694512342dcd59903fa830520c
SHA512 d207663d81d8a1f51a365c0b76fcc3a4f668ef51f475723972dc55c8a651c7d72039db29ab6c8465e7fa9a142c8d99aa79ddaf73d89d242726124461743eda99

memory/4004-14-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-15-0x0000000074E50000-0x0000000074E96000-memory.dmp

memory/4004-16-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-17-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-19-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-20-0x0000000074E50000-0x0000000074E96000-memory.dmp

memory/4004-21-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-23-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-25-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-27-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-29-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-31-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-33-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-35-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-37-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-39-0x0000000010000000-0x0000000010013000-memory.dmp

memory/4004-41-0x0000000010000000-0x0000000010013000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win10v2004-20240508-en
Max time kernel 51s
Max time network 53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 2484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 2484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 2484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\BASSMOD.dll,#1

Network

Files

memory/2484-0-0x0000000010000000-0x0000000010013000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win7-20240220-en
Max time kernel 122s
Max time network 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2072 wrote to memory of 2028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\R2RJUCE.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted 2024-06-13 15:11
Reported 2024-06-13 15:13
Platform win10v2004-20240508-en
Max time kernel 141s
Max time network 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\keygen.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f0 0x340

Network

Files

memory/984-0-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-1-0x0000000074DF0000-0x0000000074E36000-memory.dmp

memory/984-3-0x0000000074DF0000-0x0000000074E36000-memory.dmp

memory/984-2-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-4-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-7-0x0000000074DF0000-0x0000000074E36000-memory.dmp

memory/984-6-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-8-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-10-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-12-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-14-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-16-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-18-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-20-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-22-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-24-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-26-0x0000000010000000-0x0000000010013000-memory.dmp

memory/984-29-0x0000000074DF0000-0x0000000074E36000-memory.dmp

memory/984-28-0x0000000010000000-0x0000000010013000-memory.dmp