Analysis Overview
SHA256
fbf6fd605eac3c46e6432eddb2cccf93b15339e57e79f389f976d465bc7676ae
Threat Level: Likely malicious
The file Product.rar was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks BIOS information in registry
UPX packed file
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-17 01:18
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 01:18
Reported
2024-06-17 01:20
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\A6J2824DG.exe
"C:\Users\Admin\AppData\Local\Temp\A6J2824DG.exe"
Network
Files
memory/1800-0-0x000000013FFE0000-0x0000000140A0F000-memory.dmp
memory/1800-1-0x000000013FFE0000-0x0000000140A0F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 01:18
Reported
2024-06-17 01:20
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\A6J2824DG.exe
"C:\Users\Admin\AppData\Local\Temp\A6J2824DG.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4360-0-0x00007FF6F20B0000-0x00007FF6F2ADF000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-17 01:18
Reported
2024-06-17 01:20
Platform
win7-20240508-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240617011826.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe" /TI
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240617011826.log C:\Windows\Logs\CBS\CbsPersist_20240617011826.cab
Network
Files
memory/2548-0-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2548-22-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2612-41-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\lkjvrxit.tmp
| MD5 | 83a150055998174d5c89b2e9986df7f2 |
| SHA1 | e0ac99307939ee444db125961c44293805cb979e |
| SHA256 | 3473b86565efb6e0126b0da8366ddd7b6447ef0a30dbe0676672485f38cf485b |
| SHA512 | fb163df3046affdca1695312be1f05062dec68e93be55e39d4112f03cfdea401ea72e204ad0a69557f4e070498e911b44daf3525220af8e0a0bb5049024345ee |
memory/2612-45-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\aut1084.tmp
| MD5 | 93e42daecb6275f7fc49a8f5b12a7edf |
| SHA1 | 0b4b037fcd2997249197bafb53cfa3489321c320 |
| SHA256 | 3dcc465363e157b36198a5f8649f57b0f5fa950287ea4959903e637a0cd8a79a |
| SHA512 | cde18c402ae8253ab1024f55ede24877198f6cec8016e5fdcb4dea09406f2d8db97e8065a9db1a97d5eab67c5b2dde296be109d415d37838c5cf2f066351f534 |
C:\Windows\Temp\aut1095.tmp
| MD5 | 7a8207b501b20a0ef6b7f631b40e3bdf |
| SHA1 | b36194c3346ad5ab0e6683ae9676d15bf47c8915 |
| SHA256 | eac3ceafe46b52057b7f370e7290dd0905c50c2ce772b76e3fab3886fc6b3dd1 |
| SHA512 | 11a92c47b2f1943f73ea48547a04c52e441ffc51cc61f2d8a6306d51e6daf08b5aaa23ddf11358056ed5971984344bb4bbbf6670acebc9103091972719429200 |
C:\Windows\Temp\aut1096.tmp
| MD5 | a0ab548853aafd090db3c6aae10f6b5e |
| SHA1 | f3d5a95d4fcc8f496d88c35522d2ca2285f5ff4a |
| SHA256 | 8faf739b926d56fb5125041c8bee45289c86127a10dfb68fb9df8d58360c3542 |
| SHA512 | 9bbfc18283039191336752112fc638c7dae1f6a2f33f6c79bdd807e33c266abd4e92b90506ffea6286376a3571829309f8969af837bf0619fba863ba57c53753 |
memory/2500-46-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.ini
| MD5 | 59b35cd913ed1888c71616c541c150cb |
| SHA1 | c709835c96c69e42ab9d592c6e447bf4d6688783 |
| SHA256 | 18a6c46004844e40b692a8454d66a8f7615927b15be432c0de21ad622d0c7abc |
| SHA512 | cd4e068c3d6bc9abdd2f77176fc47bc986bcb67e3d82b17ea60f82403995e75fb6a9da0d2e2f1eac81017189ffb92fd0f8ab49e71b6dee34b9cb6a777835196b |
memory/2500-96-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-108-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-109-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-110-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-111-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-112-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-113-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-114-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-115-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-116-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-117-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-118-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-119-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2500-120-0x0000000000400000-0x00000000004CD000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-17 01:18
Reported
2024-06-17 01:21
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
54s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
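Added example, not part of the sandbox report: a Python helper that parses the AdjustPrivilegeToken rows above (the same rows appear for dfControl.exe in behavioral3) and states what the enabled set lets the process do. SeDebugPrivilege allows opening any process or thread regardless of its DACL; SeAssignPrimaryTokenPrivilege together with SeIncreaseQuotaPrivilege is the pair CreateProcessAsUser requires to start a process under another account's primary token. Whether the sample actually uses the rights that way is not shown by this report; the helper turns the rows into the question a reviewer should verify in the binary. The row the report shows as "Token: 0" is kept as an unnamed value rather than guessed at. The rule table is this example's own summary of documented Windows semantics.

```python
# Constructed input: the distinct AdjustPrivilegeToken rows reported for
# dfControl.exe (the report repeats them once per process instance).
TOKEN_ROWS = r"""
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe | N/A |
"""

# Documented Windows semantics of the privileges seen in the report. A rule
# fires only when every privilege in its set was enabled by the same process.
PRIVILEGE_RULES = [
    ({"SeDebugPrivilege"},
     "open any process or thread with full access regardless of its DACL "
     "(prerequisite for terminating, injecting into, or duplicating the token "
     "of other processes)"),
    ({"SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege"},
     "call CreateProcessAsUser with a foreign primary token "
     "(both rights are required)"),
]


def parse_token_rows(text):
    """Map process path -> list of distinct 'Token:' values in first-seen order."""
    per_process = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].startswith("Token:"):
            continue
        priv = cells[0].split(":", 1)[1].strip()
        privs = per_process.setdefault(cells[2], [])
        if priv not in privs:
            privs.append(priv)
    return per_process


def assess_privileges(privs):
    """Capabilities the enabled set grants, values that are not privilege names,
    and, for rules that did not fire, which privileges were missing."""
    named = {p for p in privs if p.startswith("Se") and p.endswith("Privilege")}
    return {
        "capabilities": [desc for need, desc in PRIVILEGE_RULES if need <= named],
        "unnamed": sorted(set(privs) - named),
        "missing_for_rules": [sorted(need - named)
                              for need, _ in PRIVILEGE_RULES if not need <= named],
    }


def assess_report(text):
    """Assess every process that adjusted privileges in a report's token table."""
    return {proc: assess_privileges(privs)
            for proc, privs in parse_token_rows(text).items()}


if __name__ == "__main__":
    for proc, result in assess_report(TOKEN_ROWS).items():
        print(proc)
        for cap in result["capabilities"]:
            print("  can:", cap)
        if result["unnamed"]:
            print("  unnamed token values:", result["unnamed"])
```

Running it on the rows above reports both capabilities for dfControl.exe and lists "0" as an unnamed value; the "missing_for_rules" field is what tells you, on a different sample, that a process enabled only half of the CreateProcessAsUser pair.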
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe"
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe
"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe" /TI
Network
Files
memory/232-0-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/4512-21-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/232-23-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\oetgjpsq.tmp
| MD5 | 83a150055998174d5c89b2e9986df7f2 |
| SHA1 | e0ac99307939ee444db125961c44293805cb979e |
| SHA256 | 3473b86565efb6e0126b0da8366ddd7b6447ef0a30dbe0676672485f38cf485b |
| SHA512 | fb163df3046affdca1695312be1f05062dec68e93be55e39d4112f03cfdea401ea72e204ad0a69557f4e070498e911b44daf3525220af8e0a0bb5049024345ee |
memory/4512-44-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\aut54B9.tmp
| MD5 | a0ab548853aafd090db3c6aae10f6b5e |
| SHA1 | f3d5a95d4fcc8f496d88c35522d2ca2285f5ff4a |
| SHA256 | 8faf739b926d56fb5125041c8bee45289c86127a10dfb68fb9df8d58360c3542 |
| SHA512 | 9bbfc18283039191336752112fc638c7dae1f6a2f33f6c79bdd807e33c266abd4e92b90506ffea6286376a3571829309f8969af837bf0619fba863ba57c53753 |
C:\Windows\Temp\aut54B8.tmp
| MD5 | 7a8207b501b20a0ef6b7f631b40e3bdf |
| SHA1 | b36194c3346ad5ab0e6683ae9676d15bf47c8915 |
| SHA256 | eac3ceafe46b52057b7f370e7290dd0905c50c2ce772b76e3fab3886fc6b3dd1 |
| SHA512 | 11a92c47b2f1943f73ea48547a04c52e441ffc51cc61f2d8a6306d51e6daf08b5aaa23ddf11358056ed5971984344bb4bbbf6670acebc9103091972719429200 |
C:\Windows\Temp\aut54B7.tmp
| MD5 | 93e42daecb6275f7fc49a8f5b12a7edf |
| SHA1 | 0b4b037fcd2997249197bafb53cfa3489321c320 |
| SHA256 | 3dcc465363e157b36198a5f8649f57b0f5fa950287ea4959903e637a0cd8a79a |
| SHA512 | cde18c402ae8253ab1024f55ede24877198f6cec8016e5fdcb4dea09406f2d8db97e8065a9db1a97d5eab67c5b2dde296be109d415d37838c5cf2f066351f534 |
C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.ini
| MD5 | fff235c1d05bd5bd91d2a65f17191aa7 |
| SHA1 | 9dc2e1f91fc143277f23711034a80134df94c075 |
| SHA256 | 48b2eda4d139dc679f11cd56417cc9e14770cdd7db460868d70c3f1692192000 |
| SHA512 | 65e86ff436b165952bff2aec5c2d17e895c458a0ca05e9010bc2c9cff6f001fa95bb9cefe2ea2a525a404f8b9841ae8176f70dc012416da2d729c86342431ee1 |
memory/2884-94-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-95-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-96-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-97-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-98-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-99-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-100-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-101-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-102-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-103-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-104-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-105-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-106-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2884-107-0x0000000000400000-0x00000000004CD000-memory.dmp
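Added example, not part of the sandbox report: a Python helper that correlates the dropped files of behavioral3 (Windows 7) and behavioral4 (Windows 10) by SHA256. Four files are written with identical content in both runs but under different names (an eight-letter random .tmp, and aut####.tmp names consistent with files an AutoIt-compiled executable extracts at run time, which matches the "AutoIT Executable" signature), while dfControl.ini has a different hash in each run. The point for a hunter: hashes that survive across runs and operating systems are stable indicators, the random temp names are not, and a file whose content changes per run is runtime state rather than an indicator. The file list is transcribed from this report; the name patterns are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed input, transcribed from the Files sections of behavioral3 and
# behavioral4 of this report: (path, SHA256).
DROPPED = {
    "behavioral3": [
        (r"C:\Windows\Temp\lkjvrxit.tmp", "3473b86565efb6e0126b0da8366ddd7b6447ef0a30dbe0676672485f38cf485b"),
        (r"C:\Windows\Temp\aut1084.tmp", "3dcc465363e157b36198a5f8649f57b0f5fa950287ea4959903e637a0cd8a79a"),
        (r"C:\Windows\Temp\aut1095.tmp", "eac3ceafe46b52057b7f370e7290dd0905c50c2ce772b76e3fab3886fc6b3dd1"),
        (r"C:\Windows\Temp\aut1096.tmp", "8faf739b926d56fb5125041c8bee45289c86127a10dfb68fb9df8d58360c3542"),
        (r"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.ini", "18a6c46004844e40b692a8454d66a8f7615927b15be432c0de21ad622d0c7abc"),
    ],
    "behavioral4": [
        (r"C:\Windows\Temp\oetgjpsq.tmp", "3473b86565efb6e0126b0da8366ddd7b6447ef0a30dbe0676672485f38cf485b"),
        (r"C:\Windows\Temp\aut54B9.tmp", "8faf739b926d56fb5125041c8bee45289c86127a10dfb68fb9df8d58360c3542"),
        (r"C:\Windows\Temp\aut54B8.tmp", "eac3ceafe46b52057b7f370e7290dd0905c50c2ce772b76e3fab3886fc6b3dd1"),
        (r"C:\Windows\Temp\aut54B7.tmp", "3dcc465363e157b36198a5f8649f57b0f5fa950287ea4959903e637a0cd8a79a"),
        (r"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.ini", "48b2eda4d139dc679f11cd56417cc9e14770cdd7db460868d70c3f1692192000"),
    ],
}

# Assumed patterns for names that are generated per run and therefore useless
# as indicators: AutoIt-style aut<hex>.tmp and eight random lowercase letters.
RANDOM_NAME_PATTERNS = [
    re.compile(r"^aut[0-9A-F]{4}\.tmp$", re.I),
    re.compile(r"^[a-z]{8}\.tmp$"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def correlate(dropped):
    """SHA256 -> {run name -> [paths written with that content]}."""
    by_hash = defaultdict(lambda: defaultdict(list))
    for run, files in dropped.items():
        for path, sha in files:
            by_hash[sha][run].append(path)
    return by_hash


def stable_hashes(dropped):
    """Hashes present in every run, with the basenames they were written under."""
    n = len(dropped)
    return {sha: sorted({basename(p) for paths in runs.values() for p in paths})
            for sha, runs in correlate(dropped).items() if len(runs) == n}


def per_run_artifacts(dropped):
    """Basenames whose content differed between runs (runtime state, not IOCs)."""
    seen = defaultdict(set)
    for files in dropped.values():
        for path, sha in files:
            seen[basename(path)].add(sha)
    return sorted(name for name, shas in seen.items() if len(shas) > 1)


def is_random_name(path):
    return any(p.match(basename(path)) for p in RANDOM_NAME_PATTERNS)


def hunt_iocs(dropped):
    """(stable hashes, stable non-random filenames) worth searching for."""
    stable = stable_hashes(dropped)
    names = sorted({n for ns in stable.values() for n in ns if not is_random_name(n)})
    return sorted(stable), names


if __name__ == "__main__":
    hashes, names = hunt_iocs(DROPPED)
    print("hunt on hashes:", *hashes, sep="\n  ")
    print("hunt on names:", names or "none (all stable content had random names)")
    print("per-run state:", per_run_artifacts(DROPPED))
```

For this report the result is four hashes to hunt on, no filenames, and dfControl.ini flagged as per-run state. The first of those hashes (written as lkjvrxit.tmp and oetgjpsq.tmp) is a candidate for submitting as its own sample, since the report does not say what it is.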
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-17 01:18
Reported
2024-06-17 01:21
Platform
win7-20240611-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe
"C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe"
Network
Files
memory/2444-0-0x000000013FDB0000-0x000000014064B000-memory.dmp
memory/2444-1-0x0000000077730000-0x0000000077732000-memory.dmp
memory/2444-3-0x000000013FDB0000-0x000000014064B000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-17 01:18
Reported
2024-06-17 01:21
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe
"C:\Users\Admin\AppData\Local\Temp\Product\win11 fix.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
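Added example, not part of the sandbox report: a Python triage helper for the Network tables in behavioral2 and behavioral6 and the Processes sections in behavioral3 and behavioral6. It separates reverse-DNS (in-addr.arpa) lookups from direct connections, marks traffic and processes that belong to an assumed baseline of a stock Windows 10 image (Bing/Edge traffic, Edge child processes, and the servicing stack running makecab.exe to archive its own CBS log into CbsPersist_*.cab, which is what the "Drops file in Windows directory" row in behavioral3 shows), and leaves the remainder for review. The rows and command lines are transcribed from this report; the baseline lists are this example's assumptions and should be replaced by a capture of your own clean image. Note that the two domain-less connections (13.107.253.64:443, 52.142.223.178:80) occur in the run where an msedge.exe utility process also started, so this report alone does not attribute them to win11 fix.exe; the same applies to makecab.exe, whose parent process the report does not show.

```python
import re

# Constructed input: a subset of the Network table rows from behavioral2 and
# behavioral6 of this report, transcribed as they appear (two rows have an
# empty Domain cell).
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
"""

# Constructed input: command lines from the Processes sections of behavioral3
# and behavioral6 (the msedge.exe line is shortened).
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Product\Disable defender\dfControl.exe" /TI',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240617011826.log C:\Windows\Logs\CBS\CbsPersist_20240617011826.cab',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US',
]

# Assumed baseline for a stock Windows 10 sandbox image; tune to your golden
# image. Anything not matched here is attributed to the sample until shown otherwise.
BASELINE_DOMAIN_SUFFIXES = (".bing.com",)
BASELINE_PROCESS_PATTERNS = [
    re.compile(r'^"C:\\Windows\\system32\\makecab\.exe" C:\\Windows\\Logs\\CBS\\CbsPersist_\d+\.log ', re.I),
    re.compile(r'^"C:\\Program Files( \(x86\))?\\Microsoft\\Edge\\Application\\msedge\.exe" --type=', re.I),
]
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_network(text):
    """Parse the report's pipe table; an empty Domain cell becomes ''."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def ptr_target(domain):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None for anything else."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def triage_network(rows):
    """Split rows into reverse-DNS lookups, baseline traffic, and rows to review."""
    result = {"ptr_lookups": [], "baseline": [], "review": []}
    for r in rows:
        _ip, port = r["dest"].rsplit(":", 1)
        target = ptr_target(r["domain"])
        if port == "53" and target:
            result["ptr_lookups"].append(target)
        elif r["domain"].endswith(BASELINE_DOMAIN_SUFFIXES):
            result["baseline"].append(r["dest"])
        else:
            result["review"].append(r["dest"])
    return result


def unmatched_ptr_targets(rows):
    """IPs that were reverse-resolved but never appear as a direct destination
    in the same table: the lookup came from somewhere the table does not show."""
    direct = {r["dest"].rsplit(":", 1)[0] for r in rows
              if r["dest"].rsplit(":", 1)[1] != "53"}
    targets = {ptr_target(r["domain"]) for r in rows} - {None}
    return sorted(targets - direct)


def is_baseline_process(cmdline):
    return any(p.match(cmdline) for p in BASELINE_PROCESS_PATTERNS)


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print(triage_network(rows))
    print("PTR without direct connection:", unmatched_ptr_targets(rows))
    for cmd in PROCESS_CMDLINES:
        print("baseline" if is_baseline_process(cmd) else "sample  ", cmd[:60])
```

On the rows above only the two domain-less connections land in "review"; the remaining rows are Bing traffic and reverse lookups of addresses that were either contacted directly in the same table or, for 20.223.35.26, not contacted at all in the rows shown.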
Files
memory/3304-0-0x00007FF6BB8F0000-0x00007FF6BC18B000-memory.dmp
memory/3304-1-0x00007FF6BB8F0000-0x00007FF6BC18B000-memory.dmp