Malware Analysis Report

2025-08-05 11:26

Sample ID 241112-rgyd5avaje
Target e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe
SHA256 e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3
Tags
discovery persistence upx
score
7/10

Analysis Overview

score
7/10

SHA256

e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3

Threat Level: Shows suspicious behavior

The file e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence upx

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 14:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 14:10

Reported

2024-11-12 14:12

Platform

win7-20241023-en

Max time kernel

119s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 entries, no details recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A (4 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe N/A (2 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A (3 identical entries)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A (2 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe (8 identical entries)
PID 1764 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2896 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (4 identical entries)
PID 1764 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe (4 identical entries)
PID 2252 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe (8 identical entries)
PID 2252 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe (8 identical entries)
PID 2220 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe (8 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe

"C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"

C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe

"C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMLGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 s3.amazonaws.com udp
US 52.216.222.144:443 s3.amazonaws.com tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
DE 18.154.68.212:80 ocsp.r2m01.amazontrust.com tcp

Files

memory/2952-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2952-44-0x0000000001D30000-0x0000000001D31000-memory.dmp

memory/2952-85-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

memory/2952-126-0x0000000001E10000-0x0000000001E11000-memory.dmp

memory/1764-134-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1764-133-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1764-135-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1764-131-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1764-129-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1764-127-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1764-136-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1764-137-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RMLGP.bat

MD5 fc1798b7c7938454220fda837a76f354
SHA1 b232912930b2bc24ff18bf7ecd58f872bbe01ea0
SHA256 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
SHA512 d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

\Users\Admin\AppData\Roaming\config\explorer.exe

MD5 2b5035552ddcc83457cdd87e71dae5ef
SHA1 a1199b5e178b0fc75a808385d985013e616613c1
SHA256 4d4264e6032310a064c662f6691ebe1634c115ff44cb00fa243aa3c7edc4f095
SHA512 3c9345f3e1e9b87af3593806a84563b105c939afbdd2809fc82c2b2b0ab2f8c05a39f6350363c3626bf476dee81c9d8de2c84ba81a3ad3daeaa62488dd37b2f9

memory/2220-302-0x0000000000400000-0x0000000000403000-memory.dmp

memory/1764-308-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2220-323-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab846E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar84A0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27ab89db3a1d33e21fe02192a8997f6b
SHA1 7aab447829451a56b8257930afd0e6b73496af15
SHA256 4160aaba829947a718b5b068d54f6f9e8d2f490d29da7bc17b73021ab1443a98
SHA512 95ac0187d62921fb6bbc648599c0b242dcbe8c6506a5be93c2f8fec50173148f5d4b4304a35216c4e79d82d50c19d34e54c31d23654144a0d38a6da706547cdc

memory/1448-459-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 14:10

Reported

2024-11-12 14:12

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 entries, no details recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A (4 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe N/A (2 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4232 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe (8 identical entries)
PID 1616 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 2028 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (3 identical entries)
PID 1616 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe (3 identical entries)
PID 4316 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe (8 identical entries)
PID 4316 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 4316 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 4316 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 4316 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 4316 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 4316 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 4316 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3424 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3424 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3424 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3424 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3424 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3424 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe
PID 3424 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\config\explorer.exe C:\Users\Admin\AppData\Roaming\config\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe

"C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"

C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe

"C:\Users\Admin\AppData\Local\Temp\e33a18b94257eb8d873858de02619a70c697c2ccfd8b98558d3b48a7a6874dc3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOCDW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

C:\Users\Admin\AppData\Roaming\config\explorer.exe

"C:\Users\Admin\AppData\Roaming\config\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 s3.amazonaws.com udp
US 16.182.106.216:443 s3.amazonaws.com tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
DE 18.154.68.212:80 ocsp.r2m01.amazontrust.com tcp
US 8.8.8.8:53 216.106.182.16.in-addr.arpa udp
US 8.8.8.8:53 94.226.173.18.in-addr.arpa udp
US 8.8.8.8:53 27.62.154.18.in-addr.arpa udp
US 8.8.8.8:53 212.68.154.18.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4232-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/4232-3-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/4232-8-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/4232-7-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/4232-6-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/4232-5-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4232-12-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/4232-15-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

memory/1616-16-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4232-13-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/4232-14-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/4232-10-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

memory/4232-9-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/4232-11-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/4232-2-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/1616-19-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1616-21-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GOCDW.txt

MD5 fc1798b7c7938454220fda837a76f354
SHA1 b232912930b2bc24ff18bf7ecd58f872bbe01ea0
SHA256 7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8
SHA512 d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

C:\Users\Admin\AppData\Roaming\config\explorer.exe

MD5 fe0a97a0412644f2073d790daac7036f
SHA1 101b063de06362b898596f497d66d66b9a48c591
SHA256 12f58522cfe2e232464751f7a3626c95f52af0b2f83851c06d66cca38cf3133d
SHA512 9d015c88c21a98c221e57478a5f0a8f7429fd2f24c9e536d8385e84c45a10b34c62d7cca435b348913e1d4f9f25d9d0470e32f13254b657d996ed64672533ffa

memory/4316-47-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4316-49-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4316-48-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3424-59-0x0000000000400000-0x0000000000403000-memory.dmp

memory/3424-56-0x0000000000400000-0x0000000000403000-memory.dmp

memory/1616-63-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3424-62-0x0000000000400000-0x0000000000403000-memory.dmp

memory/3424-61-0x0000000000400000-0x0000000000403000-memory.dmp

memory/4316-64-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1616-67-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3424-69-0x0000000000400000-0x0000000000403000-memory.dmp

memory/1924-68-0x0000000000400000-0x0000000000404000-memory.dmp

memory/1924-73-0x0000000000400000-0x0000000000404000-memory.dmp

C:\ProgramData\cxz.exe

MD5 8d94b726e00da21df5b0a34b91e12c83
SHA1 87c6ef15d8bef6eebb43debca518e7f2a87b53a4
SHA256 fc6f56e4dc22274d977f52edfa89a6ff852c0c69893d1bd0c5ac2e21a1cf3546
SHA512 9b8bf127f25ef6d2c2a1c8aa17a3f7424095333b13004f155cd8d08de98730d3ccff52e6de43d2749002ea7e2ed37a434afa1b4d0d643a6e29092e08743cc93e

memory/1924-95-0x0000000000400000-0x0000000000404000-memory.dmp

memory/3776-97-0x0000000000400000-0x000000000040B000-memory.dmp