Malware Analysis Report

2024-07-28 15:00

Sample ID 240613-xy3casybre
Target 0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae
SHA256 0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae

Threat Level: Known bad

The file 0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 19:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 19:16

Reported

2024-06-13 19:19

Platform

win7-20240221-en

Max time kernel

147s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\Q: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\U: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\Y: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\E: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\G: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\L: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\R: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\S: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\T: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\H: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\J: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\P: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\N: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\V: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\X: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\B: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\I: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\M: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\K: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\W: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\Z: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\maxtrox.txt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
File created \??\c:\windows\SysWOW64\Windows 3D.scr C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File created \??\c:\windows\SysWOW64\Desktop.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Defender\MpCmdRun.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpenc.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Mail\wab.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\sidebar.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7z.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\WMPDMC.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zG.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Defender\MSASCui.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Journal\PDIALOG.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
N/A N/A \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe
PID 2012 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe
PID 2012 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe
PID 2012 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe

"C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe"

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe

"c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe" 0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\dsap.exe

MD5 4f267a46be13b7df4e92f7746cd6a2f0
SHA1 79062782826104ec4cb9a07c1b8ed0c2b7260573
SHA256 fb391d76904d9d617eec439bfca05fd2d4bcd2592ac50c081f0c929413897267
SHA512 43ce847261cb996cf2b43574fdb9a316e8432326e671812f22fac8b8fe883c33a9ccab9e24f0b277ad1ce534eb36cca8e27e6add31751a9db8a4592826e52dc6

\??\c:\windows\SysWOW64\maxtrox.txt

MD5 24865ca220aa1936cbac0a57685217c5
SHA1 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512 c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

\??\c:\windows\SysWOW64\Windows 3D.scr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 19:16

Reported

2024-06-13 19:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\N: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\O: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\T: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\X: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\E: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\P: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\Q: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\R: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\I: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\S: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\V: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\K: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\H: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\J: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\L: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\M: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\U: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\W: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\Y: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\B: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened (read-only) \??\Z: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File created \??\c:\windows\SysWOW64\Desktop.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File created \??\c:\windows\SysWOW64\maxtrox.txt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
File created \??\c:\windows\SysWOW64\Windows 3D.scr C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zG.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\WatchRegister.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\setup_wm.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7z.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe N/A
N/A N/A \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe
PID 3384 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe
PID 3384 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe

"C:\Users\Admin\AppData\Local\Temp\0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae.exe"

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe

"c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe" 0f3380da42bcedd0dd2d4ce2d0e30fcb435d20fbf5fa48850bdbb259b4effcae

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\dsap.exe

MD5 4f267a46be13b7df4e92f7746cd6a2f0
SHA1 79062782826104ec4cb9a07c1b8ed0c2b7260573
SHA256 fb391d76904d9d617eec439bfca05fd2d4bcd2592ac50c081f0c929413897267
SHA512 43ce847261cb996cf2b43574fdb9a316e8432326e671812f22fac8b8fe883c33a9ccab9e24f0b277ad1ce534eb36cca8e27e6add31751a9db8a4592826e52dc6

\??\c:\windows\SysWOW64\maxtrox.txt

MD5 24865ca220aa1936cbac0a57685217c5
SHA1 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512 c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

\??\c:\windows\SysWOW64\Windows 3D.scr

MD5 4b193a30996cc8bae547316fd733ea9b
SHA1 6c503f7be003779d3ac471e326e6edbea826c3d0
SHA256 40d342322bcb9ed2325fa763db7546abd562402c05696e085c584c7edd52a76d
SHA512 5f130d71b4a8a8402f7d67d2cb23bfb0a502564d26f7b4f18905689936aa60b16aa2b06aea3019ce1b075f4d304a3d6d46d9b139404586b4b6e80a93705eb2ea