Malware Analysis Report

2024-11-16 13:32

Sample ID: 240620-zkltha1bqq
Target: asdasdad.exe
SHA256: ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa
Tags: xworm execution rat trojan bootkit evasion persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa

Threat Level: Known bad

The file asdasdad.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan bootkit evasion persistence

Suspicious use of NtCreateProcessExOtherParentProcess

Xworm

Xworm family

UAC bypass

Detect Xworm Payload

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Boot or Logon Autostart Execution: Active Setup

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Drops startup file

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Checks whether UAC is enabled

Looks up external IP address via web service

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

System policy modification

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-20 20:46

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 20:46
Reported: 2024-06-20 20:49
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425078306" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value removed] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{486C8371-2F46-11EF-AF9B-7E1039193522} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0097a1d53c3da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000001c7b3775ee8c1a92f03d5e7f2eacea195c1b9167f57329978073edd54c6fcaf8000000000e8000000002000020000000c182262dfa148a20bf200b412f8cfc1c15d28f5c472f5622546bc05a6bf7c391200000009037dae6693b918c3891bee8fd15c3cf845a0b41d84cf956cc3a0ffe13b160ca4000000013dd1460b793f674d2b83695bc5ccb4abece8fea069fc2ac4b2615855637971588bab42a6998e6859aa2cb62967ca7012a09164305ab7bf1daa83a87badea08d | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1044 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1044 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1044 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1924 wrote to memory of 1536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1924 wrote to memory of 1536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1924 wrote to memory of 1536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1924 wrote to memory of 1536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\dlglnm.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp
US | 147.185.221.17:29206 | silver-bowl.gl.at.ply.gg | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/1044-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

memory/1044-1-0x0000000000EF0000-0x0000000000F08000-memory.dmp

memory/1044-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

memory/2548-7-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

memory/2548-8-0x0000000002270000-0x0000000002278000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9ccd7ea2cca7f32d3e4a8fd9f6c0a2de
SHA1 ebfe57b0badf539ea7cbd58366847108c98ca3ec
SHA256 ff93aeaab3602898b774f1263028a4f10f56a13cf97da16252ccf483168db078
SHA512 70d32b3e406413588a569089bd6252f9f12b1f297c4d3bf689f6773936c48e9199560b5738ba968fd8ab3939637ec30e3eec7bdf1c16a535da3aedfb74fd6209

memory/2764-14-0x000000001B330000-0x000000001B612000-memory.dmp

memory/2764-15-0x0000000002490000-0x0000000002498000-memory.dmp

memory/1044-25-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

memory/1044-26-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dlglnm.gif

MD5 91a20b42b9687c3cef5bf7d6e1c274e9
SHA1 18d0be1d061397025072855311991657c30c9698
SHA256 65a4a1204339f89235a099c33907a39d5524f99995554fc901fd5d274b0a00b7
SHA512 532f77b08d0f5e6f1e3b965f712ec616fd3070428fee433f1d0ba3f451818bd5eae94ae46e4f80f938b3c8651e34d459d988325d99138130d0f752565d670e0c

C:\Users\Admin\AppData\Local\Temp\CabEE67.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarEF06.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a43a0f38b25f0783deeaa6947005748
SHA1 adf6c726437ca17f657b9d068b8b1ac64ab9aae4
SHA256 26537e3d0a34d97d0dbeb5f01f233d320199ed0ea67de08292214cc169c02685
SHA512 992ada5e24738903a2e016c7b60b322009c85a866706ad79ba3f8abab54038d637b2234284cfb3dec2b49b20b048235f445083e335d2b5304d015dc91e8ff6b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8c9f91cba81d21298e004ccd172300b
SHA1 1c1e49ea67d240f8c432d7f9004cb276d4ee7c8a
SHA256 358162fb8ca50679ebc559ccdc77e42f349a8491c837c3cc7ec94db7cdd88b28
SHA512 024d6d147380f5461e25554b05f9abc3c69dfc200175c6790618be59fbebf23fdc9e846054cb50a50ef9671f2b78c9d04ee586b7c80507a5c28b0624d0ccdf66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46d0bb3fdca047dffa53522144a1be76
SHA1 24aa716ea5c3b37f6939ec8ab7ef9b3606c325c5
SHA256 46d43726b85d0174e1e40f985b22e355c795cc72745d8826968ef3777c5afeac
SHA512 3f561230dd23f5fee800a2fb12f7b1b6bd9ffc316d16adbca09b8a8efe68904ad5eade91b38097bb1f88f0f1842ab7f80d22568a569add0801d9956a21cc4f5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27c9cd91c1e3358c931899d082839cbe
SHA1 65c20d7a4957c646935a5ae4f592084c5cbb186d
SHA256 66417b02497f2b9fe0977d44ab08e013a590e6445d9602fdc57623e5735019e0
SHA512 5fe00fb68934efa7d2c6f217df32d68e4e8c4e22bb6024a6a21944b64598a6b0d2017dcfbaa49f4b7c49765213eb3cb43ab2c73dea65d2f225b536f91e549ed6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 705b8b9bdb119b860d775a13f58b2ead
SHA1 3e7d5cf11b96715cc2a5e98bd4f0da06ceb51e93
SHA256 b8e00e6feef5e68f17a28a2a7b6b2424a053bd9f818a53cf843fee5dadca3896
SHA512 67f6abce688366e16679167d9307608f139eb5df85cae02e07af7be03989d357df441acfaff2ca006b16aa4ae5719b0e6207f482aab6b931dae9338391d81d48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bfa272f06db98bd2d0d20f0434e89d6
SHA1 403ba0496533253a7424cb37dd15cd918b62fb62
SHA256 dea2f5f371888d2ad0590261ccc5685f56d88366c647ce88c45f5867486089b7
SHA512 fca6bf68500098e1904680a6a0587a0b772e052990f74450e0fdac269388d985c07a56eb53892f5c8418e47e575edb7ff3401e1096b187c1209659e10056ec8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96ce98118d30fb02b0575259808537b9
SHA1 3654e6cd3dcffd4c529410ed2d6e39fb3c99b34e
SHA256 9d8413479d7a7ee60bd96e75105e8365edd074a2daea3aa43fe71d0b2eca525b
SHA512 37b54fc2d2d5fc2c38379ab858e20b2a22e3d5f157f3460d7a69e3b299332983c135c731a8ca564a239a7b13de625139b47547120e2a42d68ac37d5ef4106f8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94741771dfa05dc3d8290ae4de132f8c
SHA1 437caed1ba2f4562f4740d9ea18ae68f45507362
SHA256 23504676d7ddb89b645729193cddcaac435c8e00bd97200203cfbe2523fe6caa
SHA512 e328d07eee585af62463132bc414916a6138df963a38d153a0b8373910f61703d7c084c9ccc27bd5b923a3ede465a7f904a946048e9974de419e6411388e9277

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93240d76a7e63e288768dfbff92d3f5a
SHA1 775a465248efdcaeea3ba4e19a3530e662cb975b
SHA256 e614e992be10d4ae408cfd797855bb19c5415e4f4a13ed19a1497e67da5f8862
SHA512 1018522ad884fb5ecc887ee45d69782f3e1fdfb2f39b15a02c25bfc0dacaedec47ebdd9dc7ae512abe47340b9e570f89fbfed33c92c4382ceea815fe5ecd7e68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e59a12f37711430cd403ea9994b23461
SHA1 a660e43efe79c0440c014054c52b1fbe01a780bd
SHA256 270c7e62d20b1162d67aabdc2b30f20242d6c67ede893e6fd9bbcafa21abc7d8
SHA512 9ac197048d1c3c42595a34b12390504f26505e6db8d316af6e833d79ec6812fe9c8e9fd617b048fd9ee3ec93c96aa0b6c2bece6e1fa54c2ff4e7102137c85ed7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 918e837da956f762d583b55b896dc1ab
SHA1 9170008f6569048ad608769d04707165a79aac9f
SHA256 bb01075afc9c6ad2d91956bf4aa831cb02cae6f182e806e698de1d29e7af4e76
SHA512 db6217dba61b00e5354db27ba7c3ea088aecab581384b59af33a864ff97dd9359f55c5e79fe8292d37bac8c07b2677aebf4f855e43b955c4cbc3862200a0218e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ee21a01f6f4f8768e00325465c1854f
SHA1 74da68e3a71f73c0a187a6352767e2967c789de4
SHA256 3bb531aa9c6acb976926d98d00f939a0720e5dd71b87671ab4b4bbe12f8af99e
SHA512 38e1b6d970105ea5ee1f8159001e95518152774789014d2d0b33d9b71f2a4920b351dd0850ceb55b96115511bf508ecd10f1d77f85f51b12ea23bdbc36ebbc1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2dbfedd3f2d5afa5eaa2106376d064ff
SHA1 2c2e84cbf4b4107d9a5e7718b8c4d25374d04e5b
SHA256 36ccbd9d9474946294e0cbe2bc143132425d659848d4914a27e7f870db6718c1
SHA512 b13ad3c05db9e90d31511e621d369462fa1f5ec7425a5fc0d002463571635dc5210d2a6dc3eb87ec045b366818192f97fa3d211464c19b7978d8bc4b930afaf8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f89e7a5676b4b775defda57d688622fb
SHA1 1f2090c9de730e431ebfc6e7b004ae5a9f83a252
SHA256 ba2edd013a2f5ea5d4c178410116d61e3fc90d7c0dd0c0425b3d5636d71a61c4
SHA512 a8da46e9e9574159c804f1f0c11056cb5f29e106e6e9518841a252fdeef2ff4aa9d4d15ac30969d32e4906633c9ba4de2d5f110e035fd5dc9a6bf572b9bdc227

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c28112b50b770751755ae6ca952472e
SHA1 c59b8dde45afcafc7f4c809198ed5161cfc7da18
SHA256 b4f3fe9c3c59cafa6741e6637fdad4efb8d06d663a762cb96306ac161262c2e7
SHA512 ce4f960f7940cfcc923e7fef3f8e9700f555652740771766723962258f77387e6dd3f1961835da5687ee1961241786316ccd10a981098cd1366120fe93cf9d76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b21ddda65657a6cce618800015149b3
SHA1 056f5ce7cc21af300bf35999c6a1362e768276ae
SHA256 0bdef178069875ee42137523c569fbb0f67791c31b393ae9f2db00321515baae
SHA512 02aa8463834c970c8eaac56e518d6dd2a31c044241ec6d3638a39dafbbf4d9628e9aba0c4e1de9a38e147cc3a099584d4c9e6060cec59b8f4927442b0e304e5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 469c7bb4235d07cf7b86ed747409822d
SHA1 ffeffe5b201fe30d65e952dd5f380a4ac4067c31
SHA256 8f4cfceae7d27390a8967d3f81e92f8006e66f2d7540ada7a73d201d593cf5d0
SHA512 e1d249a556c9394ef7bbce142af37d1b818322db109963519e5bf578851695b06419d841aa6c5ff02efa5cd58603eed43a997c1a3850b49a7b7bf563a39471ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae1119e3e1471d4544f91700f2631a5b
SHA1 eecfea1403c061fd04aab183f8a582f006ba5d3a
SHA256 65d05c5e319b600358991097fbcb8c14ff39211e636d387026cfb342ab98f963
SHA512 ee2d4f526976a05351eceab82baf9d589756bad2199b762c9d2ac8da10e71034234af5ac1ee63bccd768ccbaec157af7cc6d88a0f61d8913c35f1e3b13912b0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ef3dda339c186441ab431659ca9b129
SHA1 4188d4204c51d85106120f581b656755c308518e
SHA256 d8d88d4204f6172e0cf2e1a49fa1bc5a0fb497643e4952d1336c4c635c8763a0
SHA512 e9a1570ca5aa8b47b4acdb91fab9e0b1fa8c76d09edde724151c145e8e871d3c857c26de7825c2636a6a3af1b00a8b9cab13cef12ab8427e9e0a73946ff28286

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbec3e7c2278a96ed93d509b986de252
SHA1 46fdab705c3ced9f82030b3436a0e4944b5f2d42
SHA256 05d378ef9c2016149989bd8f08f4d2114233598d3cc7d4ab3b982fdf0934b70d
SHA512 db8a77f4cf1c3b4bf6a5bdd03397317fadcfba0cfd30dc5a80d6fa0bcac520ef2fb925bcbbe395c012ef73d9dc8e3857042c1f60ba4a9da567cb8fe1def7d14d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7bae5a706a8c8997a8426d7a99165ba
SHA1 b52f23627573958a05bb05350cca5bf821fdaa41
SHA256 8fe9303239671124bb29df8379ff7f70fb0a7e184b69b2f36033edac905bc8dd
SHA512 02825534f78446fed0eceef4bc30567bd373a9479581646c4582066417989a07d1f4045732a5abd45285b30210c15f0bab8ed01d3f7c151cba83c714934dcb61

C:\Users\Admin\AppData\Local\Temp\~DF13AEDF00560F9672.TMP

MD5 32b9f840a263d2a0fb0abdfcdd4f737e
SHA1 83044eb3181975214ebb0da102e9f89506542d87
SHA256 16a7496e3ff4e79259f3f43737355293e87a746dc6338fe9ab8f82667e78058f
SHA512 050778485f57d17b274f8bd05b87f59127dc32766211ef17b0f154423579aa6403cdae1939474359c21536a4cf0430c4b5855d519cf40a672cecb069164f78c9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 20:46
Reported: 2024-06-20 20:49
Platform: win10v2004-20240226-en
Max time kernel: 140s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtCreateProcessExOtherParentProcess

Description | Indicator | Process | Target
PID 1756 created 3496 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1756 created 3496 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Xworm

trojan rat xworm

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.exe | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A
File opened for modification | C:\Windows\xina.exe | C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{509918B3-2F46-11EF-B9F7-4AFB17CC47EB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{509918B5-2F46-11EF-B9F7-4AFB17CC47EB}.dat = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{2134CE88-5C08-4823-BF7B-7AB24480BAE7} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 868 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 868 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1756 wrote to memory of 3496 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1756 wrote to memory of 3496 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1756 wrote to memory of 3496 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 868 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe
PID 868 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe
PID 4992 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\System32\taskkill.exe
PID 4992 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\System32\taskkill.exe
PID 4992 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\explorer.exe
PID 4992 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\explorer.exe
PID 4992 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\System32\taskkill.exe
PID 4992 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\System32\taskkill.exe
PID 4992 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\System32\taskkill.exe
PID 4992 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe C:\Windows\System32\taskkill.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\gxtecp.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\2d3e6350407b414c8da9b939fa754623 /t 4684 /p 3496

C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe

"C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4d4 0x4ec

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\695e62b83f12486b82c3c215ed11f83c /t 2144 /p 4992

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 147.185.221.17:29206 silver-bowl.gl.at.ply.gg tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/868-0-0x00007FFDB9F93000-0x00007FFDB9F95000-memory.dmp

memory/868-1-0x0000000000710000-0x0000000000728000-memory.dmp

memory/868-2-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4plkuvw5.ecj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3708-11-0x0000022804F50000-0x0000022804F72000-memory.dmp

memory/3708-13-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

memory/3708-14-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

memory/3708-15-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

memory/3708-16-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

memory/3708-17-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

memory/3708-20-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5663972c1caaba7088048911c758bf3
SHA1 3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
SHA256 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
SHA512 ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

memory/868-48-0x00007FFDB9F93000-0x00007FFDB9F95000-memory.dmp

memory/868-49-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gxtecp.gif

MD5 91a20b42b9687c3cef5bf7d6e1c274e9
SHA1 18d0be1d061397025072855311991657c30c9698
SHA256 65a4a1204339f89235a099c33907a39d5524f99995554fc901fd5d274b0a00b7
SHA512 532f77b08d0f5e6f1e3b965f712ec616fd3070428fee433f1d0ba3f451818bd5eae94ae46e4f80f938b3c8651e34d459d988325d99138130d0f752565d670e0c

C:\Users\Admin\AppData\Local\Temp\mwxvkb.exe

MD5 80c506da3df5e4580c06c48162bccbea
SHA1 43fbccf50f91cd8e1190869b0edc96d920519c14
SHA256 5699b2e12f78b7eeca0633c6a5a93effe7187565eccd7668acccf93c61ab7acb
SHA512 f4a424bf758bb48da944701397ac1e82bb72a15ea4e8818535f2e52199d37e9caf4361303fee4bd9d6db528e1c0171d1612aebc5f636ca9c4ee4fd795432b8c5

memory/4992-74-0x0000000000470000-0x0000000001834000-memory.dmp

C:\startup.exe

MD5 12b162b0c010fcc23fa43b03cbb76509
SHA1 a696c6b6d5c0216b3eddf8dd4eb2a269abe19d00
SHA256 6be68911f16ec9283da61ce222d946c9e8e5ea39d71ad9d23216b4961947d180
SHA512 f983d2a19c18574cd09c1be30f44a6c8b586bfc74341367f6dfab26a6c7440f73e7ba252e66d1ed5fa6af5a78dd3f69de3909a369fe08ad78ca1e539eaa036c4

C:\backg.jpg

MD5 aa8212e3f48d35711f219cd9bf1265ab
SHA1 a3b17cc5311f23cc2db204f5b7081cd7d170094d
SHA256 ddc65eb885e5f89406a0b9ec5d23b0bf041ef9c15b689ddf6b855c9a62132200
SHA512 1d15ea1e09dae7d5c2b507f26dff3c052888deb7e5f8d17f5baac1c76a15cc2b0f11b470d855213ba17c03b32856e921b36c8acc6a32e9ff1ab9c04dc4ccf261

C:\sussybaka.wav

MD5 8853da13437c21bd8c8b131dacd73d4f
SHA1 844f143af3aab36ce1cee355eb7e7c5a4ba67f4a
SHA256 7616c3dc3ef9a7a6d08a54a5e955b33f001647f0821c29b92b022c044226e480
SHA512 31a3989fddbffbb8e6979bf3e855eb13ba97146cc1cee4ab6f939cf002e0a2e698a12383f0f2a8d3d6aab437da9bac7e641189565a7ced1d2c5ae1a8f149cf30

C:\rock.wav

MD5 2483ba5ed0b989e311c585760c624055
SHA1 e4a793b783beb97a94d04c2e2795f02aced64d14
SHA256 651ab26c519b7a0ac97e0adc3c452efbc9233f695f5ae0bb70d42d5b3e37cac5
SHA512 a37554d540383958614fbd898dd7435476480b4c7aa83b9191f626567c1835f338ec35c4799fa544d9cc0bc2aa7b2139ec929f26bffb4fc0424c10c09b8a72b1

C:\bass_imposta_sound.wav

MD5 f6d67bd69fe398b2c5238fa4c9d6455a
SHA1 a8c7dfb2cd54dd46f2eb1e2fe6a19bdf40c47e44
SHA256 3ad823c535650fcba2de953fb2ce6fc46afeb04e529494e6b60b788cb28ddc32
SHA512 63e0e262338850ffe35929af320d17eb850efa046f860ca4fdb93518dbeeb2fe9ab3d4d13305c6d1f5c9fe78b42615ac0794d160b66fad5e3a30309dfed117e8

C:\omg.wav

MD5 4f0ad7516cd72bc8e78452edbfb7675b
SHA1 fdaf974becd0d3d66eb580df0e4beaf048ef22b4
SHA256 654700adddf4f3b7f18f08d3d7ba2df035a026fd38b86f700b950d4ce4cc0cfe
SHA512 d973a212cb46199bfbb938edd724e187f52d273eb92f0f32390f6b8c269886d55a2009545a3b46d456eb8a42f1c76e4956bfde803898d053e2164aa58a92f584

C:\scream.wav

MD5 2d714bed0f2a11e2daba10305c667e93
SHA1 20af1afd4f3283cd142904a285b6471b119f8079
SHA256 a65f7847e0c4ec164b204cb5abb90a4b58cacc4c957f0749b52c7130094b860d
SHA512 da26fb5aba9377c746993daf6ffbe3df60db4ce0992058b7d70a1a26398f9014a7c111775e1acfe26526500a90daaacf805dda3b8a7cce87c36b60f641fd0119

C:\amogus.wav

MD5 c30df0f1ba8d92eccb020946a107c7fe
SHA1 fe95d0b0246a4ecc25fc89ee7102647e12c1dcb5
SHA256 3d6d12cadb2ef6fe5b2a03d15964512bc32895e338c2da25ae2cb07bcb31deae
SHA512 624aebee4d918c8eed1716d17829a36104eb5aeb2d23be021e61f9d8e59a6aeb7215c14365ac081fa2f820e561aa108be25640d1634983dff7ca8ebd4dbd6a45

C:\ben_icon.ico

MD5 35ed09899d21d2f9806e5c4eb1411324
SHA1 5afa7972868a84f4e49d65f149aa09dda07870d2
SHA256 66775b29fdbd36e7ea15b038224a12271fe84b0e1129b11dec008af1dec986b3
SHA512 625d060ab49f371a9416315f85f6c01874cc19bfd5a4fb9b0a84287f1af0411695623e4176e62afa6623b16339b4c603f6a2179fe00ef505fdcd97e2b36cf820

C:\dad_icon.ico

MD5 8883262af502c220932bbc50979391ca
SHA1 0be9ff95e86e798493f5f067a6dd3ddec9ed6832
SHA256 f500586d27d938ebfc965c59cdc42e361b78bc41246d52a075bc278271c96fc6
SHA512 ca78bd4cbf199ac1ec91058e48f357b3dae908a5bc06eba132ad9e143d5791d11e04462a96bf836999dd412ff0d9f37d06243c8b944f84ec354a3fb223b1d076

C:\ustupid_icon.ico

MD5 6e3e6e1a0f01c0168c7b1fcb4e63a89d
SHA1 785688b7caa8f28583e417a651517b721405d835
SHA256 b856abc28d3d026fbe327376bbd72f7a169012bc987d59dc9fe600e9714ff634
SHA512 d2038420bb997ff0d97561ff8b167822de36fa1f924962abed0f29b3c8b2ef7bf9a9f52311738d498b894cfd7d488ee0a1741150e45782e555028483bb1ecc99

C:\skream_icon.ico

MD5 21a8888b16b257c094fd38d09612fc48
SHA1 9ce7e89da63c663987c9624a845144a4fecc3e72
SHA256 e1e71925f5169df514d0c196f41fe91ae1419426ed28422aea78ab85b4dafbc4
SHA512 cc554f7180b8f79de7ee6278b19fe8a4331ab9caa5cd980caf66eeed973a3577b56dfb57e4c0797d7987ce55ff8ab305a9a51b27568ae0fb9414498d3c494af2

C:\amogus_icon.ico

MD5 43042269818924374a29891d79cb676b
SHA1 f34ef8a688e15efa9c0117816a617892a2730bb8
SHA256 77aa5f8536b9c30133f8083712b2d5434123d31a6ed41f0680fce52e06144187
SHA512 09cefcf48c1ebd4d5593d6d4f6973ff39330d23cf606da54bf79eeecd355842c675bd530b4e43d19b3dcc3fa6f4539d5d161ca423347197d6b319c17abab0e31