Malware Analysis Report

2024-11-13 18:00

Sample ID 241110-bwb7fawhja
Target 48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN
SHA256 48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bf
Tags: upx, discovery, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bf

Threat level: shows suspicious behavior

The file 48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

Tags: upx, discovery, persistence

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:29

Signatures

UPX packed file (tag: upx)

Static match only; the report records no indicator, process or target for it.

Unsigned PE

Static match only; the report records no indicator, process or target for it.
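Both static signatures above are readable straight from the PE headers: UPX leaves its section names (UPX0, UPX1, sometimes UPX2) and a "UPX!" marker in the file, and an unsigned PE has an empty Security data directory (index 4), which is where an embedded Authenticode WIN_CERTIFICATE would be referenced. The following Python is an added illustration, not part of the sandbox report and not the sandbox's own detection code. It parses the COFF and optional headers by hand (no pefile dependency) and reports both traits. The PE blobs it checks are constructed header-only stubs built inside the block; the real sample's bytes are not on this page. "signed" here means "carries an embedded signature", not "signature verified", which still needs signtool or Get-AuthenticodeSignature.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"                 # marker the packer writes into its own header stub
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot for the Authenticode blob


def analyze_pe(data: bytes) -> dict:
    """Return section names, UPX indicators and whether a Security directory is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    # DataDirectory starts at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B)
    dd_base = opt + (96 if magic == 0x10B else 112)
    (num_dirs,) = struct.unpack_from("<I", data, dd_base - 4)   # NumberOfRvaAndSizes
    signed = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories this entry is a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        signed = sec_off != 0 and sec_size != 0
    table = opt + opt_size                               # section headers follow the optional header
    sections = []
    for i in range(num_sections):                        # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[table + 40 * i: table + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    upx_sections = [s for s in sections if s in UPX_SECTION_NAMES]
    return {
        "sections": sections,
        "upx_sections": upx_sections,
        "upx_packed": bool(upx_sections) or UPX_MAGIC in data,
        "signed": signed,
    }


def build_sample_pe(section_names, signed: bool, upx_marker: bool = False) -> bytes:
    """Constructed header-only PE32 used for testing; not the file from the report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE header right after DOS header
    opt = bytearray(224)                                 # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if signed:
        # placeholder offset/size of a WIN_CERTIFICATE blob (values are made up)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x8000, 0x1800)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(struct.pack("<8s32x", n.encode()) for n in section_names)
    tail = b"\0" * 8 + UPX_MAGIC if upx_marker else b""
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + tail


if __name__ == "__main__":
    for label, blob in (
        ("packed", build_sample_pe(["UPX0", "UPX1", ".rsrc"], signed=False, upx_marker=True)),
        ("clean", build_sample_pe([".text", ".rdata", ".data"], signed=True)),
    ):
        print(label, analyze_pe(blob))
```

The section-name check is the cheap triage step; a packer can rename sections, so the "UPX!" marker and, failing that, entropy of the largest section are the usual fallbacks. The absence of a Security directory is only half of "unsigned": catalog-signed Windows binaries also have an empty directory, so the check is meaningful for third-party files like this sample, not for files under C:\Windows.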

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:29
Reported: 2024-11-10 01:31
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe"

Signatures

Adds Run key to start application (tag: persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"
Process: C:\Windows\SysWOW64\reg.exe
Target: N/A

UPX packed file (tag: upx)

Static match only; the report records no indicator, process or target for it.

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (number of events):
  C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe (2)
  C:\Windows\SysWOW64\cmd.exe (1)
  C:\Windows\SysWOW64\reg.exe (1)
  C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (3)
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (64 identical events)
Target: N/A

Suspicious use of WriteProcessMemory

Repeated rows are collapsed; the count is the number of write events for that source/target pair.

Source PID -> Target PID (events): Source image -> Target image
2100 -> 3092 (8): C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe -> C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe
3092 -> 3260 (4): C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe -> C:\Windows\SysWOW64\cmd.exe
3260 -> 3312 (4): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\reg.exe
3092 -> 3336 (4): C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe -> C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
3336 -> 348 (8): C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe -> C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
3336 -> 1896 (13): C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe -> C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
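The WriteProcessMemory rows above are the raw material for a process tree: every row is a parent writing into a freshly created child, so collapsing the repeats and chaining source to target PIDs reconstructs the execution graph (sample -> second copy of itself -> cmd.exe -> reg.exe, and sample -> WindowsService.exe -> two more copies of itself). The Python below is an added example, not part of the report or of the sandbox, that parses rows in exactly the format printed above, counts repeated writes per edge, renders the tree, and lists the edges where a process writes into a new instance of its own image, which is the shape that goes with the SetThreadContext flag in the summary (a stub preparing a suspended copy of itself). The input rows are transcribed from this behavioral1 table, with the repeat counts preserved.

```python
import re
from collections import Counter, defaultdict

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Image paths as they appear in the behavioral1 WriteProcessMemory table.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
REG = "C:\\Windows\\SysWOW64\\reg.exe"
SVC = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"


def _rows(src, dst, src_img, dst_img, n):
    """Reproduce n identical sandbox rows for one source/target pair."""
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n


# The 41 rows of the table above, transcribed with their original repeat counts.
REPORT_ROWS = "\n".join(
    _rows(2100, 3092, SAMPLE, SAMPLE, 8) + _rows(3092, 3260, SAMPLE, CMD, 4)
    + _rows(3260, 3312, CMD, REG, 4) + _rows(3092, 3336, SAMPLE, SVC, 4)
    + _rows(3336, 348, SVC, SVC, 8) + _rows(3336, 1896, SVC, SVC, 13)
)


def parse_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every row in the table format."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Collapse repeated rows into per-edge counts; a PID nobody wrote into is a root."""
    counts = Counter((s, d) for s, d, _, _ in events)
    images, children = {}, defaultdict(list)
    for s, d, si, di in events:
        images.setdefault(s, si)
        images.setdefault(d, di)
        if d not in children[s]:
            children[s].append(d)
    targets = {d for _, d in counts}
    roots = sorted(p for p in images if p not in targets)
    return roots, children, counts, images


def self_image_writes(events):
    """Edges where the source writes into a new process running its own image."""
    return sorted({(s, d) for s, d, si, di in events if si == di})


def render_tree(roots, children, counts, images, indent="  "):
    """Indented tree, one line per PID, annotated with how many writes its parent made into it."""
    lines, seen = [], set()

    def walk(pid, parent, depth):
        if pid in seen:                      # guard against cyclic write pairs
            return
        seen.add(pid)
        name = images[pid].rsplit("\\", 1)[-1]
        note = f"  <- {counts[(parent, pid)]} writes from {parent}" if parent is not None else ""
        lines.append(f"{indent * depth}{pid} {name}{note}")
        for child in children.get(pid, []):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_events(REPORT_ROWS)
    print(render_tree(*build_tree(events)))
    print("self-image writes:", self_image_writes(events))
```

The same parser applies unchanged to the behavioral2 table further down (PIDs 4100, 4844, 4120, 5012, 3328, 812), which is the quickest way to confirm the two detonations produced the same chain on Windows 7 and Windows 10.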

Processes

Image path followed by its command line, in launch order; the parent/child chain is the one recorded in the WriteProcessMemory table above.

C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe
  "C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe"

C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe (second instance)
  "C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BNROC.bat" "

C:\Windows\SysWOW64\reg.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
  "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (second instance)
  "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (third instance)
  "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
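The "Adds Run key" indicator in the Signatures section and the REG ADD command line in the process list describe one event: a batch file dropped in %TEMP% uses reg.exe to register a copy of the payload under HKCU\...\Run as "sidebar". Three traits of that write are worth turning into detection logic: the autorun target sits in a user-writable directory, the file and folder borrow Windows vocabulary (SystemWindows, WindowsService.exe) while living outside the Windows tree, and the value is written by reg.exe rather than an installer. The Python below is an added example, not part of the report and not a vendor rule. It takes records in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set, fields TargetObject, Details, Image), gates on the Run/RunOnce keys, and returns the reasons a write deserves a look. The events are constructed: the first two are transcribed from this report's behavioral1 and behavioral2 indicators, the others are benign stand-ins.

```python
import re

# Gate: only values directly under the Run / RunOnce keys are autoruns.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Directories an unprivileged user can write to; installers rarely autorun from here.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)", re.I)
# Windows vocabulary in the path, only suspicious outside the real system trees.
LOOKALIKE_RE = re.compile(r"(windows|system|microsoft)", re.I)
SYSTEM_DIRS_RE = re.compile(r"^[a-z]:\\(Windows|Program Files)", re.I)

# Constructed records in the shape of Sysmon Event ID 13. The first two are transcribed
# from this report (behavioral1 and behavioral2); the rest are benign stand-ins.
SAMPLE_EVENTS = [
    {"TargetObject": r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar",
     "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"',
     "Image": r"C:\Windows\SysWOW64\reg.exe"},
    {"TargetObject": r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar",
     "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"',
     "Image": r"C:\Windows\SysWOW64\reg.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe",
     "Image": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)",
     "Image": r"C:\Windows\explorer.exe"},
]


def normalize_path(details: str) -> str:
    """Turn REG_SZ data as printed by the sandbox (quoted, doubled backslashes) or by Sysmon
    into a bare executable path, dropping any trailing arguments."""
    text = details.strip().strip('"').replace("\\\\", "\\")
    m = re.match(r'^([^"]*?\.exe)', text, re.I)
    return m[1] if m else text


def assess_run_key_event(target_object: str, details: str, image: str) -> list:
    """Return the reasons a Run-key write looks suspicious; [] for non-autorun or clean writes."""
    m = RUN_KEY_RE.search(target_object)
    if not m:
        return []
    value_name, path = m[2], normalize_path(details)
    reasons = []
    if USER_WRITABLE_RE.match(path):
        reasons.append("autorun target lives in a user-writable directory")
    if LOOKALIKE_RE.search(path) and not SYSTEM_DIRS_RE.match(path):
        reasons.append("Windows/system lookalike name outside the Windows and Program Files trees")
    if image.lower().endswith("\\reg.exe"):
        reasons.append("value written by reg.exe, i.e. from a script or batch file, not an installer")
    if reasons:
        reasons.insert(0, f"Run value '{value_name}' -> {path}")
    return reasons


def triage(events):
    """Map event index -> reasons for every record that trips at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        reasons = assess_run_key_event(ev["TargetObject"], ev["Details"], ev["Image"])
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, *reasons, sep="\n  ")
```

Treat the result as a triage score, not a blocking rule: legitimate software that self-updates from AppData (OneDrive, Teams, Chrome's per-user install) trips the user-writable rule and sometimes the lookalike rule, so in practice the reg.exe trait and the SID of the writing user are what separate this sample's write from that noise. The key path in the report is in kernel form (\REGISTRY\USER\<SID>\...) while the REG ADD command line uses HKCU; both name the same hive, which is why the gate matches on the suffix rather than the root.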

Network

Country  Destination         Domain                        Proto  Connections
US       8.8.8.8:53          ilovetehpussay.host4star.com  udp    1
DE       185.53.177.50:80    ilovetehpussay.host4star.com  tcp    2

Files

Memory dumps taken by the sandbox, grouped by PID (dump sequence numbers, then the dumped address range):

PID 2100 (sample .exe, first instance)
  0, 25, 27, 286, 450: 0x00400000-0x0043B000
  3: 0x00230000-0x00231000
  26: 0x00409000-0x0040A000
  430: 0x02AB0000-0x02AEB000
PID 3092 (sample .exe, second instance)
  444, 496, 1049: 0x00400000-0x0040B000
  487, 488, 497: 0x030C0000-0x030FB000
  489, 490, 491, 498, 499: 0x030D0000-0x0310B000
PID 3336 (WindowsService.exe)
  493, 1035, 1047: 0x00400000-0x0043B000
PID 348 (WindowsService.exe)
  1036, 1054: 0x00400000-0x0040B000

Dropped files:

C:\Users\Admin\AppData\Local\Temp\BNROC.bat
  MD5 f6a90c20834f271a907a4e2bc28184c2
  SHA1 36c9d1602b74f622346fbb22693597d7889df48d
  SHA256 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
  SHA512 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
  MD5 14fa923440f4f8ed41957128c11bc64f
  SHA1 2249d4d186fd68542785798c37c34965b651a7ab
  SHA256 b457539bf4cfcaa32185f6899cbdfb43478df7ca031536532bd3e0c10ce18994
  SHA512 30d8effa49ed51a2262992635d9559da8a16fa10c031ed8831e83b9573ac74aef25be91a71e2d43bf9026132b493ade456b884d8988daf9c6d78a6c376ccebf4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:29
Reported: 2024-11-10 01:31
Platform: win10v2004-20241007-en
Max time kernel: 118s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe
Target: N/A

Adds Run key to start application (tag: persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"
Process: C:\Windows\SysWOW64\reg.exe
Target: N/A

UPX packed file (tag: upx)

Static match only; the report records no indicator, process or target for it.

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (number of events):
  C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe (2)
  C:\Windows\SysWOW64\cmd.exe (1)
  C:\Windows\SysWOW64\reg.exe (1)
  C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (3)
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe (64 identical events)
Target: N/A

Suspicious use of WriteProcessMemory

Repeated rows are collapsed; the count is the number of write events for that source/target pair.

Source PID -> Target PID (events): Source image -> Target image
4100 -> 4844 (8): C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe -> C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe
4844 -> 4120 (3): C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe -> C:\Windows\SysWOW64\cmd.exe
4120 -> 5012 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Windows\SysWOW64\reg.exe
4844 -> 3328 (3): C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe -> C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
3328 -> 812 (8): C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe -> C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
PID 3328 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Processes

C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe

"C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe"

C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe

"C:\Users\Admin\AppData\Local\Temp\48f03a18b1dfc823a41d6aae282332a571e7ec5d6743af9ff83ea6529677e5bfN.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ENXVF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 ilovetehpussay.host4star.com udp
DE 185.53.177.50:80 ilovetehpussay.host4star.com tcp
DE 185.53.177.50:80 ilovetehpussay.host4star.com tcp
US 8.8.8.8:53 50.177.53.185.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4100-0-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4100-3-0x0000000002470000-0x0000000002471000-memory.dmp

memory/4100-5-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/4100-6-0x0000000002C40000-0x0000000002C41000-memory.dmp

memory/4100-4-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4844-7-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4844-9-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4844-12-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4100-13-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ENXVF.txt

MD5 f6a90c20834f271a907a4e2bc28184c2
SHA1 36c9d1602b74f622346fbb22693597d7889df48d
SHA256 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
SHA512 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

MD5 a4d112f962410f1813630675c40f9d0d
SHA1 18dcfe79bb20f0868c4225ae3241ee01a3c47a64
SHA256 a8a692fe6a40b2fdd81081dfa74efc21083dd17bc6fd1ec566fd13520da3840a
SHA512 92af46a5a1af4a13ee8cd6c91c9d421781ad8c88a164ddfc52e612073e75941bd0a70a6c722d038798ed3d407d884e095003573e8fb421a82bcb01aaa30c7329

memory/3328-37-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4844-40-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3328-42-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3328-44-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3328-43-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1848-50-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1848-52-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1848-53-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1848-57-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3328-58-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4844-59-0x0000000000410000-0x00000000004D9000-memory.dmp

memory/4844-60-0x0000000000400000-0x000000000040B000-memory.dmp

memory/812-61-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1848-63-0x0000000000400000-0x0000000000417000-memory.dmp