Analysis Overview
SHA256
f6a83e6ed8bf92b8ff4da0aba72fe354199ec79a99008b34800e4cfdb92d3a67
Threat Level: Known bad
The file Batch_11.zip was found to be: Known bad.
Malicious Activity Summary
Cryptolocker family
Modifies WinLogon for persistence
CryptoLocker
Xorist family
Detected Xorist Ransomware
Deletes shadow copies
Disables Task Manager via registry modification
Event Triggered Execution: Image File Execution Options Injection
Drops startup file
Loads dropped DLL
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Impair Defenses: Safe Mode Boot
Adds Run key to start application
Enumerates connected drives
Blocklisted process makes network request
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
System policy modification
Modifies registry class
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Modifies Control Panel
Kills process with taskkill
Interacts with shadow copies
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-22 03:41
Signatures
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xorist family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
297s
Max time network
168s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe
"C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.torproject.org | udp |
| US | 204.8.99.146:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | dist.torproject.org | udp |
| US | 204.8.99.144:443 | dist.torproject.org | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 184.50.114.155:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 104.72.73.219:80 | www.microsoft.com | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
290s
Max time network
131s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder.exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder.exe"
Network
Files
memory/2496-0-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2496-1-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2496-2-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2496-4-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20241023-en
Max time kernel
291s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbt0.exe" | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbt0.exe" | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2396 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2396 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2396 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2396 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\wpbt0.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wpbt0.exe
"C:\Users\Admin\AppData\Local\Temp\wpbt0.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
Network
Files
memory/2396-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2396-1-0x0000000000400000-0x0000000000426000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
291s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\My program = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SonPw.exe.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows boot = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SonPw.exe.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C17F6321-A883-11EF-ABA3-46BBF83CD43C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000006b7a5a22eb15a037c4bc5e217a1f17759d8d447c09d99b94d6715d7e4029c5f0000000000e8000000002000020000000b214df1e5651230dd2b2b10abcf35d780f52ee4ca67cfe685cd042a5e5aa23b620000000ae5ceed52329495130583d4bed93d840faf9f584f03d22030df2aebbb74bb2a6400000002cd1cd3f423950fcb4749a0c689391faf9005959aa1e28aa6329fb99ccacd3c11ca7bc43582f9ebde35fd23632f7a5319cdfc156bc049590e4a9f3f3b7c080c7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20749f9a903cdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408798" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video (2).exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video (2).exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pornozud.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pornozud.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2128-0-0x000007FEF5F8E000-0x000007FEF5F8F000-memory.dmp
memory/2128-2-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp
memory/2128-4-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe
| MD5 | 0281bba49b8475542e9021eb64fbbbb3 |
| SHA1 | c5a1bce7918e88edcba692c6c54ff9bbd80ce2ed |
| SHA256 | 9a879fa5427056f857e48b62637b8653d46e29ffad34a5c5c15bf6bfa86bdc6a |
| SHA512 | fb28dcd9f0b8d0a3b188510088e68351d09004bfcdd382853ac1052227461ba1ed95350e10db28605d6a8be57a484f7d30737d8f7b97b1c81885d60554c51cd6 |
memory/3020-9-0x0000000000230000-0x0000000000232000-memory.dmp
memory/3020-8-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3020-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2128-11-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp
memory/3020-14-0x00000000003F0000-0x0000000000400000-memory.dmp
memory/3020-15-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3020-20-0x0000000000240000-0x0000000000241000-memory.dmp
memory/3020-22-0x00000000003F0000-0x0000000000400000-memory.dmp
memory/3020-21-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6E7.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar766.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e17109b7122c69e2934eac349bc51ff5 |
| SHA1 | 357d6c51c315aeebeae21523bdf38ca01befe06a |
| SHA256 | 62e5de4c92a24dd86c5d38ce92ad6bfe086e28655e0ed9bcaab85ca8bd5070d1 |
| SHA512 | 0cf2ea2ac0ddf3c512e6dad48d2f3aeb4d41e45bde88ff015c00f971c889f8db955aee4c2131e63ccfe070e234d9212aeb8131ce57149dc1e09438d0faa21c22 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85a53d326013836810473cdc953a7d3d |
| SHA1 | 0389b0c8faf1f6ebbf8192a54771504979f121f1 |
| SHA256 | 58c3a5480e3c7bcfa6aadb0136dac3716d77b047bbad289085b328c73835e35f |
| SHA512 | 297630aab8b120ccd959f2d170c2ec4df628a5164ddcde54dbc3d467582c46bc9cf22fd144c88b0d70d5748b533d49aed7ab45a9f293ffba133365f5f70dc908 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e97731cdb7cba212f570f3b924d6eee |
| SHA1 | 66843a0b945bd935b8c663caa3464e190910e189 |
| SHA256 | e26e1237f20f22ef2f8f90bc80977ef5b560b96af431e0c55063be8b3114d036 |
| SHA512 | 6f7baa3fd44f3934de4efe2103c2d461aad259b5889a74bb0f3abff451d46e22455e030621293508d1c6defe69e500ee6f436589e72f7d5a990944fb21dfb5be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9099dbf2a8b34fe07f9076ca5bd5a5ec |
| SHA1 | a2dfdc82283b66c3274ce160836b6a845d79fc59 |
| SHA256 | 9fb261a3c9f8ee7581b6c2cb34025dab1def6510c7b0a49ac49894ba1d5102ec |
| SHA512 | 93f62c4b2f399ad73742440e6b643c7d5f71bb0ba68641515566f6577ba2c378f3e33b0e60041ad5097f31e7ad182a3a2d431e4e4fd92575184303c102381cc1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 34662da50b6d37f49e2a41c442716ad0 |
| SHA1 | bed970f9eac4497ce586875e3128c673fadf4761 |
| SHA256 | ff9f5a32d3d849948f7239fe21965c1177f3f716dcad3fafd975604e54012d04 |
| SHA512 | 174ff780f8dd2d9ea40af9408cfa21e80f96d6ae168aed792dae60f2eaa7b04754a514131fb0ce251175cf1b547324f4bb144a509dc154719fa9864ef2b0aa7b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a56df85294ba6506360ddaf172dd425c |
| SHA1 | be83327ddc5f21516b43bfcaa9a47c2d12c2ac54 |
| SHA256 | 966e76a83a54b0806369ea352197198b1e99c059ab189a263ce916de802cabb8 |
| SHA512 | b4067c8ce47410e6d37474dfd2549725eda62b9ebf3f7345d71d63daf46b16c1ccb7c5fb5cf3a84768d11d692d5498e6ca42f1b06c3c4d0c7c9bd9d6629d274f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a8674df2c7682fa4ad68ff748f2b9bf |
| SHA1 | 55bf445953809569e64c267fab9647ef9cd66827 |
| SHA256 | 8908d7b0478f06de83c26bb02f7cff7149ec0065384698390e492b760ede7c0f |
| SHA512 | fc7415c6d62a3b75b2802ac1f29dfc67e085bda538349d4520df87e7c88c6a424bce747792b8bbac73e00c79a1834cd94f73e12a03371d3420db027cced06ccb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 787fdfd8f610b47c073d396d3eae77f8 |
| SHA1 | 85de174c29f3e7c0eccc9dcb77df1c33167cb2dd |
| SHA256 | 01d507a4fbd8c746e4034c09d54d6f8eab7a5ca0e2e039bd24abfa831c8d4505 |
| SHA512 | 6c2a850e397e739d42abac79c9b28c459009a604fb113fd4b2055c6f6a470f67c304a01862503731e43c9f7d4fe74ae68adfccc3e2c64aad6f6925f0ef1a841e |
memory/3020-451-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3020-452-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c1be225227178c8a9b59a5e7a28ee9c |
| SHA1 | 39bba66551770e621bc748d95a86ebc3a43d31cb |
| SHA256 | 7005735e26dee11a98808f5f87c0e5ac477137ea63b5ba556c7f5ac366ff2794 |
| SHA512 | d4c82c484b1f0a3a4637a37d6c42666f3d886910c188a6ef2851c9d2f5c7019d742a75e39f0675b51552e9b1e4506aac66077b4e1afb743bc7fc0adc33db74ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d5e69eca229fae2cc44056f7229d456 |
| SHA1 | 1b2faf5d45197cfff96813ebca33409c20f6e396 |
| SHA256 | 8986b32bf58efb32d4f54e002fa952e3d5611b55bba41fabe91bc4c22b1ed00b |
| SHA512 | 065251979773b763865887c8463137a35140a911dd0a212b37f1d4e314b25c64e728c3ad14e70ac16384fb99ceb40be819f6d2ad0fc62c6999c9bcd6e4645bb0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c6dd648a159c60f2350f7052b2938aa |
| SHA1 | 3dc76e616e2e838ac8ff16ba8df2a3e063b114c0 |
| SHA256 | ef9968e025f323582a886fe392b2573508e42ef520de1ceac6926ed0d039079f |
| SHA512 | dca001af6a3237cc96232a3040d940ee1f6d8183ebb36b3d0d38463a38d5854069ec7a55da2820c53f644e540bee931a4b10522b8798acb9d45d0f6ddb3a06d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89faa91deac287b4d74d09a050069d26 |
| SHA1 | 94390f97985366a611974a553c5d583804dea6fd |
| SHA256 | d7eb9d4dfbe60cbb099ef6314fb02356e0d288e4bb826549e57cc49e9ebb5079 |
| SHA512 | e2f4070b3210a7d3bf9feb919e4760dbacc13a61df9d2111a754d5edffa22eb10c4ec3ec89e138367fe1d3584b610197b7be1ee2a077732ba586c42559f72c1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20a0a2c62a52e89146d561261225f5e5 |
| SHA1 | 3f303f5129327b32d560dd8aba7da2e3e844d5ce |
| SHA256 | f065823733b11ba6b6b0d042277c56eb34168ca5d7a298236487dbb91fc052d6 |
| SHA512 | 8c6a52008f7e092936938a954852c5aae631f21783c3867fe7805fa3e7cd8affbc2c660a82ee68823b79d27ef994f591ca7149faf11f2ce10adc25408dcb6f6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 523f5e68a83770561d7c42b1ea0f043a |
| SHA1 | 077b7dbc597449d76951a0e8a7fbf704494b2434 |
| SHA256 | d3edfda4e62db47234d888a9b9b9cbae2c9bdb7e38b6ecdda350b9bb68766848 |
| SHA512 | 1c7d64725c7eed9b6642be477eb5aceb839346b63405793a3625cf495dff6e313287414a56ecc4e70056a0fa03ecf43c9a2aeb1f12cdb3c7b809ab819c98093b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b97632f17dd56cc900bda2bf12f0d60 |
| SHA1 | ac3e9f3f9c2d51a1ed4a773c4d633d0234d0e44b |
| SHA256 | 41a682d3aa0f142900f46603fa7bcb5d5e6f9550a49ebd66757b0fae9351d6ca |
| SHA512 | f47ce771e3be7a405af4f8dbbd7b3c960a235b6630bbc15478b85f9a0640ea24e1731a99b7b2701320b90864ad6baafa76862fe36f762214d2b92861a943adc4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b84f311b67c343093991aface6b46f92 |
| SHA1 | 969f3afaa8a91fc903687a2cd00d2b5ba35c68c7 |
| SHA256 | 472fcc5ad8548e49237d7437f3f706d2e4d0d8055c9ed7887c3002515b69f28a |
| SHA512 | f3f3d5c463e7580abaa333d6988249699c15c65351e3b2f24ecc79a6ba870d91a8a73834c53f529de51e8953ed60826f79e6becfc15cea5b36273089fd37e25a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f16ede81f91225a09368ea355f54745 |
| SHA1 | 40e7c6532c232c9b031387752b41155ca0d50cf9 |
| SHA256 | 6bb53893a7bb1c3edfe1da14e416fb3f971c86d47fe9dfa92a92ce64f1b8180b |
| SHA512 | ad724ba5aed703989efee87b317a73c55f0f94b1d3f423bb8fc38de275a9dea18d40c19df9c4873510473ffe58f76e4f24eb90ea7ef1e8e7fa63a43ebeaea9f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 34da3421c518d6623e747886984af2c0 |
| SHA1 | a2da535a257c34ed20fcc5db5f1cf4b16d2506be |
| SHA256 | 7ef05d3032100e06709ced85d56e845e4c783add156e520f6444c0b6b1c18111 |
| SHA512 | 151ac521931d090c8e090b989f1c528f7f82ff23edc76b15107b224a7ce9f9feb92cb91b3d28fef553364d8caea2f480c434106928cb8c67084de7c7b40579ef |
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
290s
Max time network
126s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_87279.avi.exe.vir.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\win.ini | C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\startingp = "89164902338" | C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe"
Network
Files
C:\Windows\win.ini
| MD5 | c9546ac0af035fd095164c1e36171f54 |
| SHA1 | c715ed1a3c583fe7deb5cf2f697e62b9376bd5dd |
| SHA256 | 066d191cf79e0ed307e8c3e4de878a40b824053231f0758639ccc71093e61d71 |
| SHA512 | af85d528dcbea912708164750ea846e7e59781383bbb9ff83d8ba1e788c81fdfb8bdeeb7d690dd14b76bb840445058e155d9ad6f6ec4d9ab4c2ef5a3545ea4cd |
memory/2420-103-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2420-102-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2420-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2420-104-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20241010-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe
"C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 268
Network
Files
memory/2556-0-0x0000000000810000-0x0000000000849000-memory.dmp
memory/2556-1-0x00000000001A0000-0x00000000001B9000-memory.dmp
memory/2556-2-0x0000000000280000-0x0000000000295000-memory.dmp
memory/2556-8-0x0000000000280000-0x0000000000295000-memory.dmp
memory/2564-13-0x00000000005F0000-0x0000000000604000-memory.dmp
memory/2564-14-0x00000000005F0000-0x0000000000604000-memory.dmp
memory/2556-12-0x0000000000810000-0x0000000000849000-memory.dmp
memory/2564-16-0x00000000005F0000-0x0000000000604000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe
"C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20241010-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\xxx_video.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxx_video.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video.exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video.exe"
C:\Users\Admin\AppData\Local\Temp\xxx_video.exe
C:\Users\Admin\AppData\Local\Temp\xxx_video.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 332
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 106.209.245.63.in-addr.arpa | udp |
Files
memory/804-1-0x0000000000230000-0x0000000000276000-memory.dmp
memory/804-0-0x0000000000400000-0x0000000000446000-memory.dmp
memory/804-2-0x0000000000400000-0x0000000000446000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240729-en
Max time kernel
290s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi.exe.vir.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi.exe.vir.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe"
Network
Files
memory/2684-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-1-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2684-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-4-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-5-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-6-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-7-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-8-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-10-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-11-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-12-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-13-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-14-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-15-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-16-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-18-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-19-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-20-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-21-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-22-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-23-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-24-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-25-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-26-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-27-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-28-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-29-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-30-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-31-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-32-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-33-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
193s
Max time network
158s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zcrypt.lnk | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zcrypt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\zcrypt.exe\" " | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | C:\Users\Admin\AppData\Roaming\zcrypt.exe |
| PID 2360 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | C:\Users\Admin\AppData\Roaming\zcrypt.exe |
| PID 2360 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | C:\Users\Admin\AppData\Roaming\zcrypt.exe |
| PID 2360 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\zcrypt.exe | C:\Users\Admin\AppData\Roaming\zcrypt.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\zcrypt.exe
"C:\Users\Admin\AppData\Local\Temp\zcrypt.exe"
C:\Users\Admin\AppData\Roaming\zcrypt.exe
C:\Users\Admin\AppData\Roaming\zcrypt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | poiuytrewq.ml | udp |
Files
C:\Users\Admin\AppData\Roaming\zcrypt.exe
| MD5 | d1e75b274211a78d9c5d38c8ff2e1778 |
| SHA1 | d14954a7b9e0c778909fe8dcad99ad4120365b2e |
| SHA256 | bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f |
| SHA512 | 1ec3fbb0bf17d4ad6397ba2e58daa210745f10f88f6722971464a6eeb7573f49be6d65e70a497002d6d00745317f11442bdeaf999b91127b123c11dfe9b088c2 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240729-en
Max time kernel
239s
Max time network
245s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Video CodeC X\\Video CodeC X\\bsoderror.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Video CodeC X\\Video CodeC X\\bsoderror.exe" | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Video CodeC X\Video CodeC X\bsoderror.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI800C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f777ec4.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8241.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8252.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f777ec1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F8D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7FFB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI804B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI807B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI840B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\_itunes.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f777ec6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f777ec4.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f777ec1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8231.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\you to.job | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\_itunes.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8489.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F1F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8291.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8300.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E0321A03BE396449BC7FFF3E123BAC2 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\ProductName = "Video CodeC X" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Video CodeC X\\Video CodeC X 2.0.0.0\\install\\F1CBFAF\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FCED1D0ECE001664C8855C70F9C1FBFA | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\PackageCode = "6363F740F6E08EF4E84656D164D38A57" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Version = "33554432" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\PackageName = "Video CodeC X.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FCED1D0ECE001664C8855C70F9C1FBFA\MainFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E0321A03BE396449BC7FFF3E123BAC2\FCED1D0ECE001664C8855C70F9C1FBFA | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Video CodeC X\\Video CodeC X 2.0.0.0\\install\\F1CBFAF\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\ProductIcon = "C:\\Windows\\Installer\\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\\_itunes.exe" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe
"C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A371761743DBC15E96271C54860029AD
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B6D96334DC12DB8986BA5F9FD9ADA77D M Global\MSI0000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | collect.installeranalytics.com | udp |
| US | 3.214.180.211:80 | collect.installeranalytics.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\decoder.dll
| MD5 | 3531cf7755b16d38d5e9e3c43280e7d2 |
| SHA1 | 19981b17ae35b6e9a0007551e69d3e50aa1afffe |
| SHA256 | 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089 |
| SHA512 | 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd |
C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi
| MD5 | 5a62fc6cb914c167550b337e86e8a933 |
| SHA1 | 7a6bf8f179aed33057a694966b45a7928f1698b7 |
| SHA256 | f32c666abd8d50bce93391840de7c8d9969b75d42aea3bee61d68be411e3ffe3 |
| SHA512 | 6a64db837e86eed6b2227b6e3df35a1f9f761cac890ea1475a1c42ec4c511bd3a622737ccfd133a5682c0ca226d046dfb60140c7001be40c574e41f10df396b9 |
C:\Windows\Installer\MSI7F1F.tmp
| MD5 | d552dd4108b5665d306b4a8bd6083dde |
| SHA1 | dae55ccba7adb6690b27fa9623eeeed7a57f8da1 |
| SHA256 | a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5 |
| SHA512 | e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session
| MD5 | 4f73357193d931dbf175b646b6b5c575 |
| SHA1 | b6894eac93880c243183f7889c345919c96e23ca |
| SHA256 | 848749dcaceab691b4b780defe10585fa64290c808f70e8fc9064fc9f8c60768 |
| SHA512 | cbc7c62c72c38ff06a930e888ead651d763b84ad66bf56e3f79ee65d74a30bc80ff9f5de3c3f96ab0295302bb2e9010594ac1645ca44c3d6694481235f316499 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session
| MD5 | 45bd98cae8012556fb923b213ca5b6ab |
| SHA1 | e5b312a296e5d2d8e0bdc83c6b50c35f33c5241d |
| SHA256 | 7c5b06ac1c9fa199e28e89368dbad06cee810829c70bd99cae47cdf567a9009d |
| SHA512 | 3037cefc932b4c43cec201a4c6fe352f694d050431b369f8631b60882d37432cc8280f9545e3989b46e356d15057473abbeff4ef776eecb9bd25ccbcb834380d |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session
| MD5 | 7f02fb2ec3410cadf13d8d7ccce01433 |
| SHA1 | d74ddea7609fc992a2ebed415cb7fc590451dd58 |
| SHA256 | 3d1c3f2062ecfeff0311ebcf423a314ead96ad6a8c4043f066c430051b0b07f2 |
| SHA512 | 72e1e64c5cd16b143c03b571153346c5981cdb16189a299b45ebb8a17e631ef9639ab84b99e7f8a181f9a2e7acb62f362d96a6dee851de332fae93200a934f29 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session
| MD5 | 3fef2d800f6c98295e8902e2616aaa7b |
| SHA1 | 055b8cb676b8c86548d53b0db3cbfe6561c192c6 |
| SHA256 | 95006281c914e9cac887adf4114705b78d5070dc67ae2f3597527d519485f783 |
| SHA512 | e30c93d2405a2cf237648c56bfd251c3a8e114fa0de8e90b30480c7eb6ff376c63b49c21c1f7b1062962a515288653bc82364ed14241817498052467aa1cd7a7 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session
| MD5 | c84d162b3f035c6864b02b9b0da3085c |
| SHA1 | 0cc6540955d144bcac1827e070af2b408680ffff |
| SHA256 | a52a02af44a1eb9260e84f6048c45beb1cd42a372a62ea3fac2fd3493cc58245 |
| SHA512 | 693a98f4022d6f831ad4dfd56c484e1c0abdea8bb869d9d258c9bbb8daa8dacac1a87cb43187a05795ec56b2b8afe1ff09dfef0301b0c3cf63e172a8fcb5d8b9 |
C:\Windows\Installer\MSI7FFB.tmp
| MD5 | 4083cb0f45a747d8e8ab0d3e060616f2 |
| SHA1 | dcec8efa7a15fa432af2ea0445c4b346fef2a4d6 |
| SHA256 | 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a |
| SHA512 | 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini
| MD5 | 89535309d6c3041f621b2061507b21fa |
| SHA1 | 2a4a7d7a58a077bb789fecb313de22211952edbe |
| SHA256 | 64800ab14a58d7062d669dac34018a2e5e5cdd250fade664ccd2d78be5733d1c |
| SHA512 | a50ee82cac21715b7d7e77154a2fe0598690a35ccb76b190413ca886481be92dd012a4e34a6cdc6d60ba70be9028995719596c2c3750e12a5e96bba4be1ae5bf |
C:\Windows\Installer\MSI8241.tmp
| MD5 | 3cab78d0dc84883be2335788d387601e |
| SHA1 | 14745df9595f190008c7e5c190660361f998d824 |
| SHA256 | 604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd |
| SHA512 | df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820 |
C:\Windows\Installer\MSI8252.tmp
| MD5 | 7e6b88f7bb59ec4573711255f60656b5 |
| SHA1 | 5e7a159825a2d2cb263a161e247e9db93454d4f6 |
| SHA256 | 59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f |
| SHA512 | 294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c |
C:\Windows\Installer\MSI8291.tmp
| MD5 | aa82345a8f360804ea1d8d935f0377aa |
| SHA1 | c09cf3b1666d9192fa524c801bb2e3542c0840e2 |
| SHA256 | 9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437 |
| SHA512 | c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db |
C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\bsoderror.exe
| MD5 | ea3ad4540a9411f051d52788dde2cb53 |
| SHA1 | 641e87b35a4d31d41a1bb842190e6cd830ddea63 |
| SHA256 | 3b5d9aadfdb9c1257ef84e33cdad67cd818334ec8fd40e0968b8b71e2a0eef95 |
| SHA512 | 2f39c3caaf28b2ca592f6268ae0750fa36ecf9eeceaf3a1846162914129a794c0c0224cc7e6c6e55cc2f0b65a18d3e2c1c9bc86252799635e22f4c50ce196c33 |
C:\Config.Msi\f777ec5.rbs
| MD5 | 0e49666f6aec36e92453cb4e41f749f5 |
| SHA1 | b54cd4ebccacf282facfecbe3616df59876408b7 |
| SHA256 | 4a96551895ea83c53f561774818a33f4044514a2923954bf54ee8b1ec006cec3 |
| SHA512 | 8c20f2dfd52613b12b3cab05088bd02414b3f8fc9ef4692535440809972d5792f1ece5cfd1dfe46aba6f430586fc6ceff18ae22f961fe9dcc7d81af6363ed5e0 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini
| MD5 | 662bd174aba9542274222f4768bac369 |
| SHA1 | 8ed7282c153b614bad1a2ca52c53cc31d8463d7d |
| SHA256 | 08ddd333275f10ed3d23c2be72d4bcbdd7a30638e181b1afecb85414fdef6d8c |
| SHA512 | 56243ebfa3444b656dbd822c89b9f8157c99ca9493a52691676d7f1122b2c49b59af5ac51f319dfe000f950d0602774a4382526fc075c6a34f7f8fadf4b0f06c |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
290s
Max time network
124s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinLocker Builder.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\WinLocker Builder.exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder.exe"
Network
Files
memory/2644-0-0x0000000000400000-0x000000000050F000-memory.dmp
memory/2644-1-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2644-2-0x0000000000400000-0x000000000050F000-memory.dmp
memory/2644-4-0x0000000000240000-0x0000000000241000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
271s
Max time network
123s
Command Line
Signatures
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c12c0c1.exe | C:\Windows\syswow64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\c12c0c = "C:\\c12c0c1\\c12c0c1.exe" | C:\Windows\syswow64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*12c0c = "C:\\c12c0c1\\c12c0c1.exe" | C:\Windows\syswow64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\c12c0c1 = "C:\\Users\\Admin\\AppData\\Roaming\\c12c0c1.exe" | C:\Windows\syswow64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*12c0c1 = "C:\\Users\\Admin\\AppData\\Roaming\\c12c0c1.exe" | C:\Windows\syswow64\explorer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe
"C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe"
C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
C:\Windows\syswow64\svchost.exe
-k netsvcs
C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | machetesraka.com | udp |
| US | 8.8.8.8:53 | markizasamvel.com | udp |
| US | 8.8.8.8:53 | armianazerbaijan.com | udp |
Files
memory/2848-1-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2848-0-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2576-5-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2848-6-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2848-7-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2576-8-0x0000000000080000-0x00000000000A0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vmem02.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vmem02.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\vmem02.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2180 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\vmem02.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2180 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\vmem02.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2180 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\vmem02.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\vmem02.exe
"C:\Users\Admin\AppData\Local\Temp\vmem02.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 88
Network
Files
memory/2180-0-0x00000000011F0000-0x0000000001203DD1-memory.dmp
memory/2180-1-0x00000000011F0000-0x0000000001203DD1-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
290s
Max time network
124s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_26726.avi.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\startingp = "89104011106" | C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe"
Network
Files
memory/2936-0-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2936-2-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2936-1-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2936-3-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240708-en
Max time kernel
290s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi_unpacked_.exe.vir.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi_unpacked_.exe.vir.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20241010-en
Max time kernel
295s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_77498.avi.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe | N/A |
Disables Task Manager via registry modification
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe"
Network
Files
memory/2224-0-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2224-1-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2224-8-0x0000000000400000-0x0000000000413000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
297s
Max time network
169s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe
"C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.torproject.org | udp |
| DE | 116.202.120.165:443 | www.torproject.org | tcp |
| US | 8.8.8.8:53 | dist.torproject.org | udp |
| DE | 116.202.120.166:443 | dist.torproject.org | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 184.50.114.155:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 104.72.73.219:80 | www.microsoft.com | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:42
Platform
win7-20240708-en
Max time kernel
7s
Max time network
9s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\2509819211\2509819211.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\2509819211 = "C:\\Users\\Admin\\2509819211\\2509819211.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2509819211_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xpiofrbtkzhr.exe\"" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\2509819211\2509819211.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveActive = "0" | C:\Users\Admin\2509819211\2509819211.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\2509819211\2509819211.exe | N/A |
| N/A | N/A | C:\Users\Admin\2509819211\2509819211.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe
"C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2509819211 /t REG_SZ /d "C:\Users\Admin\2509819211\2509819211.exe" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2509819211 /t REG_SZ /d "C:\Users\Admin\2509819211\2509819211.exe" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2509819211_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe\"" /f
C:\Users\Admin\2509819211\2509819211.exe
"C:\Users\Admin\2509819211\2509819211.exe" f
C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2509819211_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe\"" /f
C:\Windows\SysWOW64\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /f /t 4
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/3060-1-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3060-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2748-18-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-17-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-16-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-15-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-14-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-13-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-12-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-11-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/2748-106-0x0000000000170000-0x0000000000171000-memory.dmp
C:\Users\Admin\2509819211\2509819211.exe
| MD5 | 8ce930987752f9790864543b6da34317 |
| SHA1 | 7d89ae64e1dae59e8e85749b875aa712a4fc5e36 |
| SHA256 | 5bce08b97565564ccdebec5b9c45ac680e0b3f01ddde2461f1dff4a9bbe50836 |
| SHA512 | 456c1eb90d51145a785ee47c15d49b0bc9ce9a14f636bbac69e4df19fb2ab8b6e4f785657797042561e0d12e237fc223537220493d9a4ef3f1b29cda373fb65d |
memory/2748-55-0x0000000000150000-0x0000000000151000-memory.dmp
memory/3060-376-0x0000000000400000-0x000000000041D000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
290s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_73240.avi____.exe.vir.exe" | C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\startingp = "89162981497" | C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe
"C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe"
Network
Files
memory/2100-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2100-1-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-22 03:41
Reported
2024-11-22 03:47
Platform
win7-20240903-en
Max time kernel
300s
Max time network
303s
Command Line
Signatures
CryptoLocker
Cryptolocker family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
"C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8
Network
| Country | Destination | Domain | Proto |
| US | 184.164.136.134:80 | | tcp |
| US | 8.8.8.8:53 | dvciafgmxqbqdgc.info | udp |
| US | 8.8.8.8:53 | rnfartqpncqtvlb.com | udp |
| US | 8.8.8.8:53 | faapeobkwfoevni.net | udp |
| US | 8.8.8.8:53 | nhlngdgdlsllmeg.biz | udp |
| US | 8.8.8.8:53 | btgdsxqxuvjvvmj.ru | udp |
| US | 8.8.8.8:53 | pljukmbbkhyyvau.org | udp |
| US | 8.8.8.8:53 | dxekwhlvtkwjvug.co.uk | udp |
| US | 8.8.8.8:53 | tfpbyapphqdqqdp.info | udp |
| US | 8.8.8.8:53 | udkvwucsqfcwriw.com | udp |
| US | 8.8.8.8:53 | vjnidjkngfqesmv.net | udp |
| US | 8.8.8.8:53 | whidbewqptpkkbu.biz | udp |
| US | 8.8.8.8:53 | rdtvrsabevlvukl.ru | udp |
| US | 8.8.8.8:53 | sboqpnmenkkcviw.org | udp |
| US | 8.8.8.8:53 | thrdvcuydkyjeui.co.uk | udp |
| US | 8.8.8.8:53 | ufmxtwhcmyxpvcl.info | udp |
| US | 8.8.8.8:53 | acjxmtancumeux.com | udp |
| US | 8.8.8.8:53 | nmklgltavpetuk.net | udp |
| US | 8.8.8.8:53 | bhttyjnoioddua.biz | udp |
| US | 8.8.8.8:53 | oruhsbhbcjusea.ru | udp |
| US | 8.8.8.8:53 | vloenyykefejgc.org | udp |
| US | 8.8.8.8:53 | jvprhqswxavygv.co.uk | udp |
| US | 8.8.8.8:53 | wqyaaomlkyuiyw.info | udp |
| US | 8.8.8.8:53 | kbantggxetmxie.com | udp |
| US | 8.8.8.8:53 | ilrkkiqwmdgtds.net | udp |
| US | 8.8.8.8:53 | jhsloamrgernur.biz | udp |
| US | 8.8.8.8:53 | jqcgwxexswwsdg.ru | udp |
| US | 8.8.8.8:53 | kmdhbpasmximev.org | udp |
| US | 8.8.8.8:53 | euwqlnptonxydd.co.uk | udp |
| US | 8.8.8.8:53 | fqxrpfloiojsuj.info | udp |
| US | 8.8.8.8:53 | fahmxdduuhoxvj.com | udp |
| US | 8.8.8.8:53 | gvincuypoiarwg.net | udp |
| US | 8.8.8.8:53 | oxckpobxhccycg.biz | udp |
| US | 8.8.8.8:53 | cidxjjlhxdxsld.ru | udp |
| US | 8.8.8.8:53 | qgmjheofpinllh.org | udp |
| US | 8.8.8.8:53 | eqnwbyyogjjfln.co.uk | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | xriekokeanpxwl.com | udp |
| US | 8.8.8.8:53 | mprpijncrsfqph.net | udp |
| US | 8.8.8.8:53 | aasdcexlitbkpu.biz | udp |
| US | 8.8.8.8:53 | whkwndrvrkasno.ru | udp |
| US | 8.8.8.8:53 | xdlxrxekirhiox.org | udp |
| US | 8.8.8.8:53 | ypuvfsfdaqlfwb.co.uk | udp |
| US | 8.8.8.8:53 | alvwjnrrqxsuow.info | udp |
| US | 8.8.8.8:53 | sqpdoiqsturxnv.com | udp |
| US | 8.8.8.8:53 | tmqesddhkcynom.net | udp |
| US | 8.8.8.8:53 | uyacgxeacbdkph.biz | udp |
| US | 8.8.8.8:53 | vubdksqosikahk.ru | udp |
| US | 8.8.8.8:53 | uakegwpessydxp.org | udp |
| US | 8.8.8.8:53 | iklraojqmnqsxc.co.uk | udp |
| US | 8.8.8.8:53 | vfuasgksreslqw.info | udp |
| US | 8.8.8.8:53 | jpvnmxeflykbaw.com | udp |
| US | 8.8.8.8:53 | sppiwcmcqewbcv.net | udp |
| US | 8.8.8.8:53 | gaqvqtgokyoqcp.biz | udp |
| US | 8.8.8.8:53 | tuaejlhqppqjce.ru | udp |
| US | 8.8.8.8:53 | hfbrddbdjkiyll.org | udp |
| US | 8.8.8.8:53 | djsqelgndbssgq.co.uk | udp |
| US | 8.8.8.8:53 | eftridciwcemxp.info | udp |
| US | 8.8.8.8:53 | eodmqubccmmbyj.com | udp |
| US | 8.8.8.8:53 | fkenumwwvnxuay.net | udp |
| US | 8.8.8.8:53 | byxuuqdlbmqqyq.biz | udp |
| US | 8.8.8.8:53 | cuyvyiygunckqw.ru | udp |
| US | 8.8.8.8:53 | ceiqhaxaaxkyyk.org | udp |
| US | 8.8.8.8:53 | dajrlrtutyvsah.co.uk | udp |
| US | 8.8.8.8:53 | jvdqjrqlxcrfpl.info | udp |
| US | 8.8.8.8:53 | wgeedmbuodnyyi.com | udp |
| US | 8.8.8.8:53 | lenpbblmyvairr.net | udp |
| US | 8.8.8.8:53 | yooduvvvpwvcrx.biz | udp |
| US | 8.8.8.8:53 | hliuawnjvnpdto.ru | udp |
| US | 8.8.8.8:53 | uvjitrxsmolwds.org | udp |
| US | 8.8.8.8:53 | jtstrgikwhxgdc.co.uk | udp |
| US | 8.8.8.8:53 | wethlbstnitadp.info | udp |
| US | 8.8.8.8:53 | rfldhghjikpyba.com | udp |
| US | 8.8.8.8:53 | sbmelbtxyrwocj.net | udp |
| US | 8.8.8.8:53 | tnvcypckjexcdr.biz | udp |
| US | 8.8.8.8:53 | ujwddkoyalfrun.ru | udp |
| US | 8.8.8.8:53 | puqhxlehgvnwtw.org | udp |
| US | 8.8.8.8:53 | qqricgqvwdumun.co.uk | udp |
| US | 8.8.8.8:53 | rdbgpuyihpvadv.info | udp |
| US | 8.8.8.8:53 | sychtplwxwdpuy.com | udp |
| US | 8.8.8.8:53 | kswpoaouaodjlq.net | udp |
| US | 8.8.8.8:53 | xfrhurihesvulk.biz | udp |
| US | 8.8.8.8:53 | lxhlbpcvgitils.ru | udp |
| US | 8.8.8.8:53 | ykcdhhvikmmtua.org | udp |
| US | 8.8.8.8:53 | gccvpswsqvnplc.co.uk | udp |
| US | 8.8.8.8:53 | townvkqfuagblo.info | udp |
| US | 8.8.8.8:53 | hhmrciktwpeoew.com | udp |
| US | 8.8.8.8:53 | uthjiaegbtwanw.net | udp |
| US | 8.8.8.8:53 | oofxaojfcpeniy.biz | udp |
| US | 8.8.8.8:53 | pmaurgfagovhaf.ru | udp |
| US | 8.8.8.8:53 | ptptmewgijumim.org | udp |
| US | 8.8.8.8:53 | qrkqevsbmimgjj.co.uk | udp |
| US | 8.8.8.8:53 | kxkebhrdswottq.info | udp |
| US | 8.8.8.8:53 | lvfbsynxwvgnlp.com | udp |
| US | 8.8.8.8:53 | lduanwfeyqfsmw.net | udp |
| US | 8.8.8.8:53 | mbpwfobydpwmnm.biz | udp |
| US | 8.8.8.8:53 | yopcrupfyoycsm.ru | udp |
| US | 8.8.8.8:53 | mbktxpaomnjvcq.org | udp |
| US | 8.8.8.8:53 | bwabjkdmhukocn.co.uk | udp |
| US | 8.8.8.8:53 | ojuspfnvutuicb.info | udp |
| US | 8.8.8.8:53 | uxuisnxdpvjisu.com | udp |
| US | 8.8.8.8:53 | ikpayiimdutccr.net | udp |
| US | 8.8.8.8:53 | wgfhkdlkxcuuuu.biz | udp |
| US | 8.8.8.8:53 | ksayqxvtlbfoub.ru | udp |
| US | 8.8.8.8:53 | dkxkdjkebprosh.org | udp |
| US | 8.8.8.8:53 | eishuewsojratx.co.uk | udp |
| US | 8.8.8.8:53 | fsijuyxljvdbct.info | udp |
| US | 8.8.8.8:53 | gqdgmtkawpdmtw.com | udp |
| US | 8.8.8.8:53 | ytdqecscrwcuev.net | udp |
| US | 8.8.8.8:53 | arxnvwfqfqcgff.biz | udp |
| US | 8.8.8.8:53 | bcnpvrgjadnhgh.ru | udp |
| US | 8.8.8.8:53 | caimnmsxnwnsxd.org | udp |
| US | 8.8.8.8:53 | fqxvidcfqiifkl.co.uk | udp |
| US | 8.8.8.8:53 | sdsnouvrumbqkf.info | udp |
| US | 8.8.8.8:53 | gvirumwtptcnds.com | udp |
| US | 8.8.8.8:53 | tidjbeqgtxuyma.net | udp |
| US | 8.8.8.8:53 | dgdayvmqdyncdy.biz | udp |
| US | 8.8.8.8:53 | qsxrfngdhdgndl.ru | udp |
| US | 8.8.8.8:53 | elnvlfhfckhkdh.org | udp |
| US | 8.8.8.8:53 | rxinrwbrgoavmh.co.uk | udp |
| US | 8.8.8.8:53 | jmgetrwpsjjjha.info | udp |
| US | 8.8.8.8:53 | kkbbljskwibdyg.com | udp |
| US | 8.8.8.8:53 | krqagbrerudras.net | udp |
| US | 8.8.8.8:53 | lplwxsnyvtulbp.biz | udp |
| US | 8.8.8.8:53 | hclikkhbfaoglh.ru | udp |
| US | 8.8.8.8:53 | iagfccdvjygadg.org | udp |
| US | 8.8.8.8:53 | ihvewtcpeliolb.co.uk | udp |
| US | 8.8.8.8:53 | jfqbolxkikaimq.info | udp |
| US | 8.8.8.8:53 | tmqilxdmpkhfcu.com | udp |
| US | 8.8.8.8:53 | hylarsnvdjryly.net | udp |
| US | 8.8.8.8:53 | vubhdhxnqepieb.biz | udp |
| US | 8.8.8.8:53 | jhvyjciwedaceo.ru | udp |
| US | 8.8.8.8:53 | rcvmcqnxcbmcuf.org | udp |
| US | 8.8.8.8:53 | foqeilxhpawvec.co.uk | udp |
| US | 8.8.8.8:53 | tkgltaiyduufes.info | udp |
| US | 8.8.8.8:53 | hwbdausiqtfyey.com | udp |
| US | 8.8.8.8:53 | xiyqwmxlrlarcv.net | udp |
| US | 8.8.8.8:53 | ygtnohkaffaddm.biz | udp |
| US | 8.8.8.8:53 | aqjpovsmsfiuen.ru | udp |
| US | 8.8.8.8:53 | boemgqfbgyigvq.org | udp |
| US | 8.8.8.8:53 | vxeunfiwecfoga.co.uk | udp |
| US | 8.8.8.8:53 | wvyrfaulrvfahj.info | udp |
| US | 8.8.8.8:53 | xgotfodxfvnrpy.com | udp |
| US | 8.8.8.8:53 | yejqwjpmspndhu.net | udp |
| US | 8.8.8.8:53 | nhhriqojymtdlv.biz | udp |
| US | 8.8.8.8:53 | bridiiikwdwjlt.ru | udp |
| US | 8.8.8.8:53 | oifjvgckkqoclj.org | udp |
| US | 8.8.8.8:53 | jqmxjvngbwliwa.info | udp |
| US | 8.8.8.8:53 | wbnjjnhhynoowf.com | udp |
| US | 8.8.8.8:53 | krkpwlbhmbghpg.net | udp |
| US | 8.8.8.8:53 | xclbwduikrjnyc.biz | udp |
| US | 8.8.8.8:53 | vqpeggmtansqwc.ru | udp |
| US | 8.8.8.8:53 | wmqdqxiaxtffop.org | udp |
| US | 8.8.8.8:53 | xnouenvbjxaexf.info | udp |
| US | 8.8.8.8:53 | raukhllqcxkvwm.com | udp |
| US | 8.8.8.8:53 | svvjrdhwaewkoh.net | udp |
| US | 8.8.8.8:53 | sbscubyrncfuph.biz | udp |
| US | 8.8.8.8:53 | twtbfsuxlirjqp.ru | udp |
| US | 8.8.8.8:53 | tncgncxgrsfuxy.org | udp |
| US | 8.8.8.8:53 | hxdrnwibeoajhh.co.uk | udp |
| US | 8.8.8.8:53 | vrajerlnfmhhhl.info | udp |
| US | 8.8.8.8:53 | jcbuemviricvhg.com | udp |
| US | 8.8.8.8:53 | pwhmohwdtdwaja.net | udp |
| US | 8.8.8.8:53 | dhixochxgyrosp.biz | udp |
| US | 8.8.8.8:53 | rbfpfwkkhwymll.ru | udp |
| US | 8.8.8.8:53 | flgbfruftstbln.org | udp |
| US | 8.8.8.8:53 | cwkslrvcstvqgs.co.uk | udp |
| US | 8.8.8.8:53 | dslrvmifffqwhq.info | udp |
| US | 8.8.8.8:53 | ebivchjjgnxdpt.com | udp |
| US | 8.8.8.8:53 | fwjumcvmsysjhb.net | udp |
| US | 8.8.8.8:53 | xgpymwuyuenvga.biz | udp |
| US | 8.8.8.8:53 | ycqxwrhchpichf.ru | udp |
| US | 8.8.8.8:53 | akncdmigixpiia.org | udp |
| US | 8.8.8.8:53 | bgobnhujujkoao.co.uk | udp |
| US | 8.8.8.8:53 | ifixcteacbfxoo.info | udp |
| US | 8.8.8.8:53 | vpjjclxbarieom.com | udp |
| US | 8.8.8.8:53 | jggppdyohpfohh.net | udp |
| US | 8.8.8.8:53 | wqhbpuspfgiuqv.biz | udp |
| US | 8.8.8.8:53 | guncsybxamdvsu.ru | udp |
| US | 8.8.8.8:53 | tfonsquyxdgcsa.org | udp |
| US | 8.8.8.8:53 | hvltgivmfbdmso.co.uk | udp |
| US | 8.8.8.8:53 | ugmfgapndrgsck.info | udp |
| US | 8.8.8.8:53 | qoqkajckdcelab.com | udp |
| US | 8.8.8.8:53 | rkrjkbxqbiqaro.net | udp |
| US | 8.8.8.8:53 | rpocnswyiqecsi.biz | udp |
| US | 8.8.8.8:53 | slpbxksfgwqqtj.ru | udp |
| US | 8.8.8.8:53 | oevoqoyibncjsb.org | udp |
| US | 8.8.8.8:53 | pawnbguoytoxkv.co.uk | udp |
| US | 8.8.8.8:53 | pftgextwgccasj.info | udp |
| US | 8.8.8.8:53 | qbufoppdeiootr.com | udp |
| US | 8.8.8.8:53 | oldmhfntufvfld.net | udp |
| US | 8.8.8.8:53 | cvexhaxohbqtul.biz | udp |
| US | 8.8.8.8:53 | qpbpxoiucnsanu.ru | udp |
| US | 8.8.8.8:53 | eacbxjspojnonp.org | udp |
| US | 8.8.8.8:53 | mbiqxkkrsqtdpg.co.uk | udp |
| US | 8.8.8.8:53 | aljcxfumfmoryv.info | udp |
| US | 8.8.8.8:53 | ofgtotfsayqxyf.com | udp |
| US | 8.8.8.8:53 | cphfoopnmulmyh.net | udp |
| US | 8.8.8.8:53 | wulyfulpvgmbtd.biz | udp |
| US | 8.8.8.8:53 | xqmxppxsirhhub.ru | udp |
| US | 8.8.8.8:53 | yyjcvegqdojvvj.org | udp |
| US | 8.8.8.8:53 | aukbgystpaecnq.co.uk | udp |
| US | 8.8.8.8:53 | ukqdvaintrkyma.info | udp |
| US | 8.8.8.8:53 | vgrcguuqgdffnf.com | udp |
| US | 8.8.8.8:53 | woogmjdobahtvn.net | udp |
| US | 8.8.8.8:53 | xkpfweprnlcanc.biz | udp |
| US | 8.8.8.8:53 | xxujkwhdwopxmi.ru | udp |
| US | 8.8.8.8:53 | lkpywobefxjemn.org | udp |
| US | 8.8.8.8:53 | yysbxmueiskwmv.co.uk | udp |
| US | 8.8.8.8:53 | mlnqkeofqcedvr.info | udp |
| US | 8.8.8.8:53 | thaplppbnvaemt.com | udp |
| US | 8.8.8.8:53 | htufxhjcvftkmr.net | udp |
| US | 8.8.8.8:53 | uixhyfdcyaudfa.biz | udp |
| US | 8.8.8.8:53 | iuswlwwdhjojoo.ru | udp |
| US | 8.8.8.8:53 | ctdrvmbpprlemc.org | udp |
| US | 8.8.8.8:53 | drxmtewvxmooew.co.uk | udp |
| US | 8.8.8.8:53 | dubjjcoqbvgdme.info | udp |
| US | 8.8.8.8:53 | esvehtkwjqjnnm.com | udp |
| US | 8.8.8.8:53 | xdixwfjngyvkxt.net | udp |
| US | 8.8.8.8:53 | ybdsuwftotyuph.biz | udp |
| US | 8.8.8.8:53 | yegpkuwordqjqo.ru | udp |
| US | 8.8.8.8:53 | acbkimsuaxttrp.org | udp |
| US | 8.8.8.8:53 | eepxpiqajnuryy.co.uk | udp |
| US | 8.8.8.8:53 | rqkncdbusqscio.info | udp |
| US | 8.8.8.8:53 | ginbgxehwhweil.com | udp |
| US | 8.8.8.8:53 | tuiqssocgkuoin.net | udp |
| US | 8.8.8.8:53 | anueqbyxaufxyh.biz | udp |
| US | 8.8.8.8:53 | naptdvjsjxdiip.ru | udp |
| US | 8.8.8.8:53 | crshhqmfnohkbs.org | udp |
| US | 8.8.8.8:53 | penwtlwawrfubn.co.uk | udp |
| US | 8.8.8.8:53 | iaxgbxkxcqucvf.info | udp |
| US | 8.8.8.8:53 | jxsbyswblftiwk.com | udp |
| US | 8.8.8.8:53 | kevjrnxfpkwofg.net | udp |
| US | 8.8.8.8:53 | lcqepikiyyvuwu.biz | udp |
Files
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
| MD5 | 04fb36199787f2e3e2135611a38321eb |
| SHA1 | 65559245709fe98052eb284577f1fd61c01ad20d |
| SHA256 | d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9 |
| SHA512 | 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444 |