Malware Analysis Report

2025-01-22 13:05

Sample ID 240626-d5pv1avgrr
Target 47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f
SHA256 47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f
Tags vmprotect
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f

Threat Level: Shows suspicious behavior

The file 47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 03:35

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 03:35

Reported

2024-06-26 03:37

Platform

win7-20240611-en

Max time kernel

114s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe"

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A
(this identical row appears 28 times in the report)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe

"C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ipa.exejm.com | udp
CN | 112.192.20.89:4000 | ipa.exejm.com | tcp
CN | 112.192.20.89:4001 | ipa.exejm.com | tcp
CN | 112.192.20.89:4002 | ipa.exejm.com | tcp
CN | 112.192.20.89:4003 | ipa.exejm.com | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 03:35

Reported

2024-06-26 03:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe"

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\system32\LogonUI.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\2229298842\1183240423.pri | C:\Windows\system32\LogonUI.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2a71c9-0000-0000-0000-d01200000000} | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 010000000000000029dbf12d7ac7da01 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2a71c9-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2a71c9-0000-0000-0000-d01200000000}\MaxCapacity = "14116" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\LogonUI.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A
(this identical row appears 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe

"C:\Users\Admin\AppData\Local\Temp\47351398f9bd24b16ceb200e1ec081360772ba966611d7e77d7bc9cd5a33611f.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39fa855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | ipa.exejm.com | udp
US | 8.8.8.8:53 | ipa.exejm.com | udp
US | 8.8.8.8:53 | ipa.exejm.com | udp

Files


C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-1337824034-2731376981-3755436523-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

MD5 11f6824626e84cb040b0dccf6e0dcb21
SHA1 d416d511117d009a0dfa01e05b153413fb7f9784
SHA256 83516e53e57aa82913a4ca861d051a74e26817cf6efe191c3e63542c8cdc9956
SHA512 dbbf94fafe3179b2f59eb3d1653f35ad1fc62975ca18cfa680f78d1488eedb90119e7dc936339c7cf4d1a947b56aa52ba4d4fd5cb6be9b9a4dff3e755d8da2f1