Malware Analysis Report

2025-04-03 19:49

Sample ID 241110-gtbqsazrdz
Target 427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN
SHA256 427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661c
Tags
discovery persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661c

Threat Level: Shows suspicious behavior

The file 427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence upx

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 06:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 06:05

Reported

2024-11-10 06:07

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\system\configs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\configs.exe" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 3112 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 2460 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4836 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4836 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2460 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 2460 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 2460 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 3264 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 4264 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 4264 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 4264 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 4264 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 4264 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 4264 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 4264 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe

"C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe"

C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe

"C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFUVT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\configs.exe" /f

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 s3.amazonaws.com udp
US 54.231.130.120:443 s3.amazonaws.com tcp
US 8.8.8.8:53 120.130.231.54.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
NL 18.239.62.218:80 ocsp.r2m01.amazontrust.com tcp
US 8.8.8.8:53 14.15.239.18.in-addr.arpa udp
US 8.8.8.8:53 80.41.65.18.in-addr.arpa udp
US 8.8.8.8:53 218.62.239.18.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3112-2-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/3112-4-0x0000000002C00000-0x0000000002C01000-memory.dmp

memory/3112-3-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

memory/2460-5-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2460-7-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2460-9-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AFUVT.txt

MD5 c85bfe60cc1236f9ccf153a142bab133
SHA1 5d73ae02ea3ed5f99dfd2bbba218d6f0b1d2972b
SHA256 958d6eb1237dfb77692e9b712b51ef05d6ac21bddfd8e7d7d9a2dbe71a975179
SHA512 f5f8401b8ed5451497ec32525c299db94072be79af44c4384d006dc5acedceb779b07a0f6e9e8db74d475761190636403cb5ffd90cd5ca4a68ccf967a4a79b88

C:\Users\Admin\AppData\Roaming\system\configs.exe

MD5 8124e5db1aea291c46c1ec81e8026830
SHA1 0637bef2ecf0517a764f25f49b5c813c9cb62636
SHA256 427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661c
SHA512 f6cc699a9c6f294657738423de7d83432800308a5b7cf5ca06d95dd8a641248069f37fa5c48653891563fa595d357ac0ddae74adaa1f0a476480efd5cc89a28f

memory/2460-35-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3264-38-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3264-37-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4264-46-0x0000000000400000-0x0000000000403000-memory.dmp

memory/4264-49-0x0000000000400000-0x0000000000403000-memory.dmp

memory/4264-48-0x0000000000400000-0x0000000000403000-memory.dmp

memory/4264-41-0x0000000000400000-0x0000000000403000-memory.dmp

memory/3264-52-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2460-53-0x0000000000400000-0x000000000040B000-memory.dmp

memory/940-55-0x0000000000400000-0x0000000000404000-memory.dmp

memory/4264-57-0x0000000000400000-0x0000000000403000-memory.dmp

memory/940-60-0x0000000000400000-0x0000000000404000-memory.dmp

C:\ProgramData\cxz.exe

MD5 4f890cf9bbaaebddf8cdb584b869b8f7
SHA1 fee280f5d889b546ca5a75c8f07f14ffd19e4717
SHA256 a5cf50d6dc2765531ac23eaf66937e6672915a5b5ee78c246cbe7e96414dd537
SHA512 3e449d8b5abf3e9336e069c6c1b7cfea221f30ed9381f9c2592d1a5c7594edbbd77c712145fa8b041a3a4ac2baf499bc0171995f061cde257aaaf83a884871a4

memory/940-82-0x0000000000400000-0x0000000000404000-memory.dmp

memory/2184-84-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 06:05

Reported

2024-11-10 06:07

Platform

win7-20240903-en

Max time kernel

119s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\configs.exe" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\system\configs.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\system\configs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\configs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe
PID 2084 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2084 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 2508 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 2508 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe
PID 940 wrote to memory of 840 N/A C:\Users\Admin\AppData\Roaming\system\configs.exe C:\Users\Admin\AppData\Roaming\system\configs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe

"C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe"

C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe

"C:\Users\Admin\AppData\Local\Temp\427ddca7ea00661c50cc8717761c0b95d5d45e732e0ef78076048fa30028661cN.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PBDGR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\configs.exe" /f

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

C:\Users\Admin\AppData\Roaming\system\configs.exe

"C:\Users\Admin\AppData\Roaming\system\configs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 s3.amazonaws.com udp
US 52.216.137.198:443 s3.amazonaws.com tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
NL 18.239.62.218:80 ocsp.r2m01.amazontrust.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

memory/1868-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1868-99-0x0000000000460000-0x0000000000461000-memory.dmp

memory/2084-438-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2084-443-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PBDGR.bat

MD5 c85bfe60cc1236f9ccf153a142bab133
SHA1 5d73ae02ea3ed5f99dfd2bbba218d6f0b1d2972b
SHA256 958d6eb1237dfb77692e9b712b51ef05d6ac21bddfd8e7d7d9a2dbe71a975179
SHA512 f5f8401b8ed5451497ec32525c299db94072be79af44c4384d006dc5acedceb779b07a0f6e9e8db74d475761190636403cb5ffd90cd5ca4a68ccf967a4a79b88

\Users\Admin\AppData\Roaming\system\configs.exe

MD5 a8acbbcf2ae07829b918d5d6271d64c2
SHA1 38fd62f9ccad6993e11ef86cb1c7bdc3043d07a4
SHA256 99ec28092da9773f811d28fac5a60111f4315dfc499018f2ad50e4908cf87184
SHA512 665366477bf0614f1adc74d2ad95cef2fcfc0962306d9af7a63ce16b71ead5ed61524a021bcf8a488f3d75778e1ecf2ac4f26f582e1f7521bcdb77d78d3b7512

memory/2084-485-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2132-1009-0x0000000000400000-0x000000000040B000-memory.dmp

memory/940-1021-0x0000000000400000-0x0000000000403000-memory.dmp

memory/2084-1026-0x0000000000400000-0x000000000040B000-memory.dmp

memory/940-1039-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD9CD.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD9E0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 920b1d223bc7a4fee4e0070af2f6e6b5
SHA1 81bdf3eab265c9e10165f61a0ba3107ebc2bda03
SHA256 00fe6801755a7f166cb6f0236824f95ad3e0da8d6bb29aead5e60aa63124f765
SHA512 b7cddfb5fdfb6e29b8267570a61470b65f73357b42af37fb82f1a15a3ec7bccbc7f9e458615ac86c5ead8b6fee7531c6acb2a4c11290a7d8d713f21610dd3b14

memory/2132-1178-0x0000000000400000-0x000000000040B000-memory.dmp