Malware Analysis Report

2024-11-30 14:12

Sample ID 241122-d88saazlhm
Target Batch_11.zip
SHA256 f6a83e6ed8bf92b8ff4da0aba72fe354199ec79a99008b34800e4cfdb92d3a67
Tags
discovery upx defense_evasion persistence spyware stealer execution impact ransomware evasion xorist cryptolocker
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral1
Analysis: behavioral6
Analysis: behavioral10
Analysis: behavioral12
Analysis: behavioral19
Analysis: behavioral4
Analysis: behavioral9
Analysis: behavioral13
Analysis: behavioral15
Analysis: behavioral20
Analysis: behavioral3
Analysis: behavioral5
Analysis: behavioral7
Analysis: behavioral8
Analysis: behavioral14
Analysis: behavioral16
Analysis: behavioral18
Analysis: behavioral2
Analysis: behavioral11
Analysis: behavioral17
Analysis: behavioral21

Each behavioral analysis section contains the subsections Detonation Overview, Command Line, Signatures, Processes, Network and Files.

Analysis Overview

score
10/10

SHA256

f6a83e6ed8bf92b8ff4da0aba72fe354199ec79a99008b34800e4cfdb92d3a67

Threat Level: Known bad

The file Batch_11.zip was found to be: Known bad.

Malicious Activity Summary

discovery upx defense_evasion persistence spyware stealer execution impact ransomware evasion xorist cryptolocker

Cryptolocker family

Modifies WinLogon for persistence

CryptoLocker

Xorist family

Detected Xorist Ransomware

Deletes shadow copies

Disables Task Manager via registry modification

Event Triggered Execution: Image File Execution Options Injection

Drops startup file

Loads dropped DLL

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Impair Defenses: Safe Mode Boot

Adds Run key to start application

Enumerates connected drives

Blocklisted process makes network request

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

System policy modification

Modifies registry class

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies Control Panel

Kills process with taskkill

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 03:41

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist family

xorist

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 matches, no further detail reported)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (26 matches, no further detail reported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

297s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob data omitted] C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe

"C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w (2).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.torproject.org udp
US 204.8.99.146:443 www.torproject.org tcp
US 8.8.8.8:53 dist.torproject.org udp
US 204.8.99.144:443 dist.torproject.org tcp
N/A 127.0.0.1:9050 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 184.50.114.155:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 104.72.73.219:80 www.microsoft.com tcp
N/A 127.0.0.1:9050 tcp (this row is repeated 41 further times in the report, 42 connections in total)

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

290s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder.exe

"C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder.exe"

Network

N/A

Files

memory/2496-0-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2496-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2496-2-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2496-4-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20241023-en

Max time kernel

291s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wpbt0.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbt0.exe" C:\Users\Admin\AppData\Local\Temp\wpbt0.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\wpbt0.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\wpbt0.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\wpbt0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbt0.exe" C:\Users\Admin\AppData\Local\Temp\wpbt0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wpbt0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\wpbt0.exe C:\Windows\SysWOW64\taskkill.exe (reported 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\wpbt0.exe

"C:\Users\Admin\AppData\Local\Temp\wpbt0.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

Network

N/A

Files

memory/2396-0-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2396-1-0x0000000000400000-0x0000000000426000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

291s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video (2).exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\My program = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SonPw.exe.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows boot = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SonPw.exe.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C17F6321-A883-11EF-ABA3-46BBF83CD43C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000006b7a5a22eb15a037c4bc5e217a1f17759d8d447c09d99b94d6715d7e4029c5f0000000000e8000000002000020000000b214df1e5651230dd2b2b10abcf35d780f52ee4ca67cfe685cd042a5e5aa23b620000000ae5ceed52329495130583d4bed93d840faf9f584f03d22030df2aebbb74bb2a6400000002cd1cd3f423950fcb4749a0c689391faf9005959aa1e28aa6329fb99ccacd3c11ca7bc43582f9ebde35fd23632f7a5319cdfc156bc049590e4a9f3f3b7c080c7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20749f9a903cdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000219f4174a7c5e98310fe3a7992f7422a3b787cb33218475f584f02dc32442a8c000000000e8000000002000020000000a7fecc3b510aad24b11a2cc6ec81ebf4ffa42bcb6655fc12e10ef8e0660cf1a790000000e5302751a8a552dae757338d20bc900ee920f4dec7ef6b91239506028544596490ae31cb5227f93db8bf4162ae430a556dbd642caedf6b7372a5eeb79785eb1cf9021e9fba119a4d7265b8d8d29d19eb84a14ba212fdb084e7beb2af2bdf81a83a1d970a3d86c46d5e9585f876255072eca57dc202dfa021e9251f308f767bdb4a845903e7e53ba900e9787cbd0f773b40000000ffb6755116a2a64d2eb4ec7108adf9fa8903785776f0056c96dd571b81c1a33532db70ee2229c8e4c96c0c3e424f707809999d302c501e9abc9186f98ffe89bb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408798" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\xxx_video (2).exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe (reported 4 times)
PID 3020 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe C:\Program Files\Internet Explorer\iexplore.exe (reported 4 times)
PID 2896 wrote to memory of 2816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (reported 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video (2).exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video (2).exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://pornozud.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pornozud.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2128-0-0x000007FEF5F8E000-0x000007FEF5F8F000-memory.dmp

memory/2128-2-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

memory/2128-4-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SonPw.exe.exe

MD5 0281bba49b8475542e9021eb64fbbbb3
SHA1 c5a1bce7918e88edcba692c6c54ff9bbd80ce2ed
SHA256 9a879fa5427056f857e48b62637b8653d46e29ffad34a5c5c15bf6bfa86bdc6a
SHA512 fb28dcd9f0b8d0a3b188510088e68351d09004bfcdd382853ac1052227461ba1ed95350e10db28605d6a8be57a484f7d30737d8f7b97b1c81885d60554c51cd6

memory/3020-9-0x0000000000230000-0x0000000000232000-memory.dmp

memory/3020-8-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3020-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2128-11-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

memory/3020-14-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/3020-15-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3020-20-0x0000000000240000-0x0000000000241000-memory.dmp

memory/3020-22-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/3020-21-0x0000000000400000-0x0000000000495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6E7.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar766.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e17109b7122c69e2934eac349bc51ff5
SHA1 357d6c51c315aeebeae21523bdf38ca01befe06a
SHA256 62e5de4c92a24dd86c5d38ce92ad6bfe086e28655e0ed9bcaab85ca8bd5070d1
SHA512 0cf2ea2ac0ddf3c512e6dad48d2f3aeb4d41e45bde88ff015c00f971c889f8db955aee4c2131e63ccfe070e234d9212aeb8131ce57149dc1e09438d0faa21c22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85a53d326013836810473cdc953a7d3d
SHA1 0389b0c8faf1f6ebbf8192a54771504979f121f1
SHA256 58c3a5480e3c7bcfa6aadb0136dac3716d77b047bbad289085b328c73835e35f
SHA512 297630aab8b120ccd959f2d170c2ec4df628a5164ddcde54dbc3d467582c46bc9cf22fd144c88b0d70d5748b533d49aed7ab45a9f293ffba133365f5f70dc908

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e97731cdb7cba212f570f3b924d6eee
SHA1 66843a0b945bd935b8c663caa3464e190910e189
SHA256 e26e1237f20f22ef2f8f90bc80977ef5b560b96af431e0c55063be8b3114d036
SHA512 6f7baa3fd44f3934de4efe2103c2d461aad259b5889a74bb0f3abff451d46e22455e030621293508d1c6defe69e500ee6f436589e72f7d5a990944fb21dfb5be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9099dbf2a8b34fe07f9076ca5bd5a5ec
SHA1 a2dfdc82283b66c3274ce160836b6a845d79fc59
SHA256 9fb261a3c9f8ee7581b6c2cb34025dab1def6510c7b0a49ac49894ba1d5102ec
SHA512 93f62c4b2f399ad73742440e6b643c7d5f71bb0ba68641515566f6577ba2c378f3e33b0e60041ad5097f31e7ad182a3a2d431e4e4fd92575184303c102381cc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34662da50b6d37f49e2a41c442716ad0
SHA1 bed970f9eac4497ce586875e3128c673fadf4761
SHA256 ff9f5a32d3d849948f7239fe21965c1177f3f716dcad3fafd975604e54012d04
SHA512 174ff780f8dd2d9ea40af9408cfa21e80f96d6ae168aed792dae60f2eaa7b04754a514131fb0ce251175cf1b547324f4bb144a509dc154719fa9864ef2b0aa7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a56df85294ba6506360ddaf172dd425c
SHA1 be83327ddc5f21516b43bfcaa9a47c2d12c2ac54
SHA256 966e76a83a54b0806369ea352197198b1e99c059ab189a263ce916de802cabb8
SHA512 b4067c8ce47410e6d37474dfd2549725eda62b9ebf3f7345d71d63daf46b16c1ccb7c5fb5cf3a84768d11d692d5498e6ca42f1b06c3c4d0c7c9bd9d6629d274f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a8674df2c7682fa4ad68ff748f2b9bf
SHA1 55bf445953809569e64c267fab9647ef9cd66827
SHA256 8908d7b0478f06de83c26bb02f7cff7149ec0065384698390e492b760ede7c0f
SHA512 fc7415c6d62a3b75b2802ac1f29dfc67e085bda538349d4520df87e7c88c6a424bce747792b8bbac73e00c79a1834cd94f73e12a03371d3420db027cced06ccb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 787fdfd8f610b47c073d396d3eae77f8
SHA1 85de174c29f3e7c0eccc9dcb77df1c33167cb2dd
SHA256 01d507a4fbd8c746e4034c09d54d6f8eab7a5ca0e2e039bd24abfa831c8d4505
SHA512 6c2a850e397e739d42abac79c9b28c459009a604fb113fd4b2055c6f6a470f67c304a01862503731e43c9f7d4fe74ae68adfccc3e2c64aad6f6925f0ef1a841e

memory/3020-451-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3020-452-0x0000000000400000-0x0000000000495000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c1be225227178c8a9b59a5e7a28ee9c
SHA1 39bba66551770e621bc748d95a86ebc3a43d31cb
SHA256 7005735e26dee11a98808f5f87c0e5ac477137ea63b5ba556c7f5ac366ff2794
SHA512 d4c82c484b1f0a3a4637a37d6c42666f3d886910c188a6ef2851c9d2f5c7019d742a75e39f0675b51552e9b1e4506aac66077b4e1afb743bc7fc0adc33db74ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d5e69eca229fae2cc44056f7229d456
SHA1 1b2faf5d45197cfff96813ebca33409c20f6e396
SHA256 8986b32bf58efb32d4f54e002fa952e3d5611b55bba41fabe91bc4c22b1ed00b
SHA512 065251979773b763865887c8463137a35140a911dd0a212b37f1d4e314b25c64e728c3ad14e70ac16384fb99ceb40be819f6d2ad0fc62c6999c9bcd6e4645bb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c6dd648a159c60f2350f7052b2938aa
SHA1 3dc76e616e2e838ac8ff16ba8df2a3e063b114c0
SHA256 ef9968e025f323582a886fe392b2573508e42ef520de1ceac6926ed0d039079f
SHA512 dca001af6a3237cc96232a3040d940ee1f6d8183ebb36b3d0d38463a38d5854069ec7a55da2820c53f644e540bee931a4b10522b8798acb9d45d0f6ddb3a06d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89faa91deac287b4d74d09a050069d26
SHA1 94390f97985366a611974a553c5d583804dea6fd
SHA256 d7eb9d4dfbe60cbb099ef6314fb02356e0d288e4bb826549e57cc49e9ebb5079
SHA512 e2f4070b3210a7d3bf9feb919e4760dbacc13a61df9d2111a754d5edffa22eb10c4ec3ec89e138367fe1d3584b610197b7be1ee2a077732ba586c42559f72c1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

290s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_87279.avi.exe.vir.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\startingp = "89164902338" C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video_87279.avi.exe.vir.exe"

Network

N/A

Files

C:\Windows\win.ini

MD5 c9546ac0af035fd095164c1e36171f54
SHA1 c715ed1a3c583fe7deb5cf2f697e62b9376bd5dd
SHA256 066d191cf79e0ed307e8c3e4de878a40b824053231f0758639ccc71093e61d71
SHA512 af85d528dcbea912708164750ea846e7e59781383bbb9ff83d8ba1e788c81fdfb8bdeeb7d690dd14b76bb840445058e155d9ad6f6ec4d9ab4c2ef5a3545ea4cd

memory/2420-103-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2420-102-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2420-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2420-104-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20241010-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe

"C:\Users\Admin\AppData\Local\Temp\WcsPlugInService.ex.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 268

Network

N/A

Files

memory/2556-0-0x0000000000810000-0x0000000000849000-memory.dmp

memory/2556-1-0x00000000001A0000-0x00000000001B9000-memory.dmp

memory/2556-2-0x0000000000280000-0x0000000000295000-memory.dmp

memory/2556-8-0x0000000000280000-0x0000000000295000-memory.dmp

memory/2564-13-0x00000000005F0000-0x0000000000604000-memory.dmp

memory/2564-14-0x00000000005F0000-0x0000000000604000-memory.dmp

memory/2556-12-0x0000000000810000-0x0000000000849000-memory.dmp

memory/2564-16-0x00000000005F0000-0x0000000000604000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe

"C:\Users\Admin\AppData\Local\Temp\w8i9eHkHOwWwQlX.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20241010-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\xxx_video.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xxx_video.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video.exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video.exe"

C:\Users\Admin\AppData\Local\Temp\xxx_video.exe

C:\Users\Admin\AppData\Local\Temp\xxx_video.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 332

Network

Country Destination Domain Proto
US 8.8.8.8:53 106.209.245.63.in-addr.arpa udp

Files

memory/804-1-0x0000000000230000-0x0000000000276000-memory.dmp

memory/804-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/804-2-0x0000000000400000-0x0000000000446000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240729-en

Max time kernel

290s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi.exe.vir.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi.exe.vir.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi.exe.vir.exe"

Network

N/A

Files

memory/2684-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2684-1-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

193s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zcrypt.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zcrypt.lnk C:\Users\Admin\AppData\Local\Temp\zcrypt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zcrypt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zcrypt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\zcrypt.exe\" " C:\Users\Admin\AppData\Local\Temp\zcrypt.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zcrypt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\zcrypt.exe

"C:\Users\Admin\AppData\Local\Temp\zcrypt.exe"

C:\Users\Admin\AppData\Roaming\zcrypt.exe

C:\Users\Admin\AppData\Roaming\zcrypt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 poiuytrewq.ml udp

Files

C:\Users\Admin\AppData\Roaming\zcrypt.exe

MD5 d1e75b274211a78d9c5d38c8ff2e1778
SHA1 d14954a7b9e0c778909fe8dcad99ad4120365b2e
SHA256 bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f
SHA512 1ec3fbb0bf17d4ad6397ba2e58daa210745f10f88f6722971464a6eeb7573f49be6d65e70a497002d6d00745317f11442bdeaf999b91127b123c11dfe9b088c2

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240729-en

Max time kernel

239s

Max time network

245s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Video CodeC X\\Video CodeC X\\bsoderror.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Video CodeC X\\Video CodeC X\\bsoderror.exe" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Video CodeC X\Video CodeC X\bsoderror.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI800C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f777ec4.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8241.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8252.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f777ec1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F8D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7FFB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI804B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI807B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI840B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\_itunes.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f777ec6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f777ec4.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f777ec1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8231.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\you to.job C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\_itunes.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8489.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7F1F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8291.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8300.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E0321A03BE396449BC7FFF3E123BAC2 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\ProductName = "Video CodeC X" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Video CodeC X\\Video CodeC X 2.0.0.0\\install\\F1CBFAF\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FCED1D0ECE001664C8855C70F9C1FBFA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\PackageCode = "6363F740F6E08EF4E84656D164D38A57" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Version = "33554432" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\PackageName = "Video CodeC X.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FCED1D0ECE001664C8855C70F9C1FBFA\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E0321A03BE396449BC7FFF3E123BAC2\FCED1D0ECE001664C8855C70F9C1FBFA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Video CodeC X\\Video CodeC X 2.0.0.0\\install\\F1CBFAF\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\ProductIcon = "C:\\Windows\\Installer\\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\\_itunes.exe" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe C:\Windows\SysWOW64\msiexec.exe
PID 2900 wrote to memory of 2780 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 2780 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 2780 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 2780 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 2780 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 2780 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 2780 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe

"C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A371761743DBC15E96271C54860029AD

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B6D96334DC12DB8986BA5F9FD9ADA77D M Global\MSI0000

Network

Country Destination Domain Proto
US 8.8.8.8:53 collect.installeranalytics.com udp
US 3.214.180.211:80 collect.installeranalytics.com tcp

Files

C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\decoder.dll

MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi

MD5 5a62fc6cb914c167550b337e86e8a933
SHA1 7a6bf8f179aed33057a694966b45a7928f1698b7
SHA256 f32c666abd8d50bce93391840de7c8d9969b75d42aea3bee61d68be411e3ffe3
SHA512 6a64db837e86eed6b2227b6e3df35a1f9f761cac890ea1475a1c42ec4c511bd3a622737ccfd133a5682c0ca226d046dfb60140c7001be40c574e41f10df396b9

C:\Windows\Installer\MSI7F1F.tmp

MD5 d552dd4108b5665d306b4a8bd6083dde
SHA1 dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256 a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512 e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session

MD5 4f73357193d931dbf175b646b6b5c575
SHA1 b6894eac93880c243183f7889c345919c96e23ca
SHA256 848749dcaceab691b4b780defe10585fa64290c808f70e8fc9064fc9f8c60768
SHA512 cbc7c62c72c38ff06a930e888ead651d763b84ad66bf56e3f79ee65d74a30bc80ff9f5de3c3f96ab0295302bb2e9010594ac1645ca44c3d6694481235f316499

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session

MD5 45bd98cae8012556fb923b213ca5b6ab
SHA1 e5b312a296e5d2d8e0bdc83c6b50c35f33c5241d
SHA256 7c5b06ac1c9fa199e28e89368dbad06cee810829c70bd99cae47cdf567a9009d
SHA512 3037cefc932b4c43cec201a4c6fe352f694d050431b369f8631b60882d37432cc8280f9545e3989b46e356d15057473abbeff4ef776eecb9bd25ccbcb834380d

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session

MD5 7f02fb2ec3410cadf13d8d7ccce01433
SHA1 d74ddea7609fc992a2ebed415cb7fc590451dd58
SHA256 3d1c3f2062ecfeff0311ebcf423a314ead96ad6a8c4043f066c430051b0b07f2
SHA512 72e1e64c5cd16b143c03b571153346c5981cdb16189a299b45ebb8a17e631ef9639ab84b99e7f8a181f9a2e7acb62f362d96a6dee851de332fae93200a934f29

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session

MD5 3fef2d800f6c98295e8902e2616aaa7b
SHA1 055b8cb676b8c86548d53b0db3cbfe6561c192c6
SHA256 95006281c914e9cac887adf4114705b78d5070dc67ae2f3597527d519485f783
SHA512 e30c93d2405a2cf237648c56bfd251c3a8e114fa0de8e90b30480c7eb6ff376c63b49c21c1f7b1062962a515288653bc82364ed14241817498052467aa1cd7a7

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{35458323-09E8-4F03-9824-3C4D544AEB88}.session

MD5 c84d162b3f035c6864b02b9b0da3085c
SHA1 0cc6540955d144bcac1827e070af2b408680ffff
SHA256 a52a02af44a1eb9260e84f6048c45beb1cd42a372a62ea3fac2fd3493cc58245
SHA512 693a98f4022d6f831ad4dfd56c484e1c0abdea8bb869d9d258c9bbb8daa8dacac1a87cb43187a05795ec56b2b8afe1ff09dfef0301b0c3cf63e172a8fcb5d8b9

C:\Windows\Installer\MSI7FFB.tmp

MD5 4083cb0f45a747d8e8ab0d3e060616f2
SHA1 dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA512 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini

MD5 89535309d6c3041f621b2061507b21fa
SHA1 2a4a7d7a58a077bb789fecb313de22211952edbe
SHA256 64800ab14a58d7062d669dac34018a2e5e5cdd250fade664ccd2d78be5733d1c
SHA512 a50ee82cac21715b7d7e77154a2fe0598690a35ccb76b190413ca886481be92dd012a4e34a6cdc6d60ba70be9028995719596c2c3750e12a5e96bba4be1ae5bf

C:\Windows\Installer\MSI8241.tmp

MD5 3cab78d0dc84883be2335788d387601e
SHA1 14745df9595f190008c7e5c190660361f998d824
SHA256 604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd
SHA512 df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

C:\Windows\Installer\MSI8252.tmp

MD5 7e6b88f7bb59ec4573711255f60656b5
SHA1 5e7a159825a2d2cb263a161e247e9db93454d4f6
SHA256 59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f
SHA512 294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

C:\Windows\Installer\MSI8291.tmp

MD5 aa82345a8f360804ea1d8d935f0377aa
SHA1 c09cf3b1666d9192fa524c801bb2e3542c0840e2
SHA256 9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437
SHA512 c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\bsoderror.exe

MD5 ea3ad4540a9411f051d52788dde2cb53
SHA1 641e87b35a4d31d41a1bb842190e6cd830ddea63
SHA256 3b5d9aadfdb9c1257ef84e33cdad67cd818334ec8fd40e0968b8b71e2a0eef95
SHA512 2f39c3caaf28b2ca592f6268ae0750fa36ecf9eeceaf3a1846162914129a794c0c0224cc7e6c6e55cc2f0b65a18d3e2c1c9bc86252799635e22f4c50ce196c33

C:\Config.Msi\f777ec5.rbs

MD5 0e49666f6aec36e92453cb4e41f749f5
SHA1 b54cd4ebccacf282facfecbe3616df59876408b7
SHA256 4a96551895ea83c53f561774818a33f4044514a2923954bf54ee8b1ec006cec3
SHA512 8c20f2dfd52613b12b3cab05088bd02414b3f8fc9ef4692535440809972d5792f1ece5cfd1dfe46aba6f430586fc6ceff18ae22f961fe9dcc7d81af6363ed5e0

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini

MD5 662bd174aba9542274222f4768bac369
SHA1 8ed7282c153b614bad1a2ca52c53cc31d8463d7d
SHA256 08ddd333275f10ed3d23c2be72d4bcbdd7a30638e181b1afecb85414fdef6d8c
SHA512 56243ebfa3444b656dbd822c89b9f8157c99ca9493a52691676d7f1122b2c49b59af5ac51f319dfe000f950d0602774a4382526fc075c6a34f7f8fadf4b0f06c

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

290s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinLocker Builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WinLocker Builder.exe

"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder.exe"

Network

N/A

Files

memory/2644-0-0x0000000000400000-0x000000000050F000-memory.dmp

memory/2644-1-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2644-2-0x0000000000400000-0x000000000050F000-memory.dmp

memory/2644-4-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

271s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c12c0c1.exe C:\Windows\syswow64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\c12c0c = "C:\\c12c0c1\\c12c0c1.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*12c0c = "C:\\c12c0c1\\c12c0c1.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\c12c0c1 = "C:\\Users\\Admin\\AppData\\Roaming\\c12c0c1.exe" C:\Windows\syswow64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*12c0c1 = "C:\\Users\\Admin\\AppData\\Roaming\\c12c0c1.exe" C:\Windows\syswow64\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\syswow64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\explorer.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe N/A
N/A N/A C:\Windows\syswow64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe

"C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe"

C:\Windows\syswow64\explorer.exe

"C:\Windows\syswow64\explorer.exe"

C:\Windows\syswow64\svchost.exe

-k netsvcs

C:\Windows\syswow64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
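
The process list above is the chain that the ransomware tags rest on: the sample in the user's Temp directory starts a 32-bit explorer.exe from SysWOW64 (the MapViewOfSection entries for both processes are the injection), and that explorer.exe is what drops the Startup-folder copy, writes the Run keys and runs vssadmin.exe Delete Shadows /All /Quiet. vssvc.exe is the Volume Shadow Copy service that vssadmin drives over COM, so the SeBackup/SeRestore/SeAudit token entries belong to the service, not to the sample. The following is an added example for this report, not sandbox output: it encodes the table as a parent/child tree and flags the pieces of that chain. The sandbox prints no PIDs, so the parent links (sample to explorer.exe, explorer.exe to vssadmin.exe) are an assumption drawn from the signatures; svchost.exe and vssvc.exe are left unparented because the report does not say who started them. The wmic pattern is a generalisation beyond what this detonation shows.

```python
"""Process-tree triage for the behavioral7 detonation.

Added example for this report, not sandbox output. Images and command lines
are copied from the Processes table; parent links are an assumption (see the
lead-in), and the wmic shadow-copy pattern is a generalisation the report
itself does not show.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    image: str
    cmdline: str
    parent: Optional["Proc"] = None


# Command lines that destroy Volume Shadow Copies. vssadmin is what this
# sample used; the wmic form is the usual alternative (generalisation).
_SHADOW_DELETE = (
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
)
_USER_TEMP = "\\appdata\\local\\temp\\"


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def _ancestors(p: Proc):
    q = p.parent
    while q is not None:
        yield q
        q = q.parent


def analyze(procs: List[Proc]) -> Dict[str, List[str]]:
    """Return {image: [finding, ...]} for every process in the tree."""
    report: Dict[str, List[str]] = {}
    for p in procs:
        f: List[str] = []
        img = p.image.lower()
        if _USER_TEMP in img:
            f.append("runs-from-user-temp")
        # The shell normally runs as C:\Windows\explorer.exe (64-bit); a copy
        # started from SysWOW64 is the 32-bit binary, a typical injection
        # host for a 32-bit sample.
        if _basename(img) == "explorer.exe" and img != "c:\\windows\\explorer.exe":
            f.append("explorer-from-nonstandard-path")
        if any(rx.search(p.cmdline) for rx in _SHADOW_DELETE):
            f.append("shadow-copy-deletion")
            if p.parent is not None and _basename(p.parent.image) == "explorer.exe":
                f.append("shadow-deletion-spawned-by-shell")
        if any(_USER_TEMP in a.image.lower() for a in _ancestors(p)):
            f.append("chain-reaches-user-temp")
        report[p.image] = f
    return report


def ransomware_chain(procs: List[Proc]) -> bool:
    """True when a shadow-copy deletion descends from a binary in the user's
    Temp directory, which is the chain this detonation shows."""
    return any("shadow-copy-deletion" in f and "chain-reaches-user-temp" in f
               for f in analyze(procs).values())


def behavioral7_tree() -> List[Proc]:
    """Images and command lines from the Processes table; parent links are
    the assumption described in the module docstring."""
    sample = Proc(r"C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe",
                  r'"C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe"')
    explorer = Proc(r"C:\Windows\syswow64\explorer.exe",
                    r'"C:\Windows\syswow64\explorer.exe"', parent=sample)
    svchost = Proc(r"C:\Windows\syswow64\svchost.exe", "-k netsvcs")
    vssadmin = Proc(r"C:\Windows\syswow64\vssadmin.exe",
                    "vssadmin.exe Delete Shadows /All /Quiet", parent=explorer)
    vssvc = Proc(r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe")
    return [sample, explorer, svchost, vssadmin, vssvc]


if __name__ == "__main__":
    for image, findings in analyze(behavioral7_tree()).items():
        print(image, findings)
    print("ransomware chain:", ransomware_chain(behavioral7_tree()))
```

The verdict deliberately requires both the deletion and an ancestor in a user-writable location; a vssadmin.exe started by an administrator's console or by backup software matches the first regex alone and should not page anyone.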

Network

Country Destination Domain Proto
US 8.8.8.8:53 machetesraka.com udp
US 8.8.8.8:53 markizasamvel.com udp
US 8.8.8.8:53 armianazerbaijan.com udp

Files

memory/2848-1-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2848-0-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2576-5-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2848-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2848-7-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2576-8-0x0000000000080000-0x00000000000A0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vmem02.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\vmem02.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vmem02.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\vmem02.exe C:\Windows\SysWOW64\WerFault.exe
PID 2180 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\vmem02.exe C:\Windows\SysWOW64\WerFault.exe
PID 2180 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\vmem02.exe C:\Windows\SysWOW64\WerFault.exe
PID 2180 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\vmem02.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\vmem02.exe

"C:\Users\Admin\AppData\Local\Temp\vmem02.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 88

Network

N/A

Files

memory/2180-0-0x00000000011F0000-0x0000000001203DD1-memory.dmp

memory/2180-1-0x00000000011F0000-0x0000000001203DD1-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

290s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_26726.avi.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\startingp = "89104011106" C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video_26726.avi.exe"

Network

N/A

Files

memory/2936-0-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2936-2-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2936-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2936-3-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240708-en

Max time kernel

290s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi_unpacked_.exe.vir.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_35942.avi_unpacked_.exe.vir.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video_35942.avi_unpacked_.exe.vir.exe"

Network

N/A

Files

memory/2492-0-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-1-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-2-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-3-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-5-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-6-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-10-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-13-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-14-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-18-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-21-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-22-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-23-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-24-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-25-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-26-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-27-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-28-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-29-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20241010-en

Max time kernel

295s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_77498.avi.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe N/A

Disables Task Manager via registry modification

evasion

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video_77498.avi.exe"

Network

N/A

Files

memory/2224-0-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2224-1-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2224-8-0x0000000000400000-0x0000000000413000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

297s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe N/A
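
The Blob value above is a CryptoAPI certificate-context property list, and the key name under ROOT\Certificates is the SHA-1 thumbprint of the certificate it holds. Decoding it shows that CABD2A79A1076A31F21D253635CB039D4329A5E8 and the embedded subject are ISRG Root X1, the Let's Encrypt root CA, which is not part of the original Windows 7 root store and normally arrives through the automatic root update. Taken together with the TLS connections to www.torproject.org and dist.torproject.org, the plain-HTTP requests to crl.microsoft.com and www.microsoft.com and the repeated connections to 127.0.0.1:9050 (Tor's default SOCKS port) in the Network table, the write is consistent with a root-store update triggered by certificate chain building rather than with the sample injecting a root of its own; a "Modifies system certificate store" hit should be decoded before it is treated as malicious. The following is an added example for this report, not sandbox output: it parses the property list, pulls out the DER certificate and checks the stored and recomputed thumbprints against the key name. The hex is the report's own Blob value; the property-id names are the CERT_*_PROP_ID constants from wincrypt.h.

```python
r"""Decode the Blob value the behavioral2 table records under
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>.

Added example for this report, not sandbox output. The Blob is a serialised
certificate-context property list: repeated (DWORD property id, DWORD
reserved == 1, DWORD length, data), with the DER certificate stored under
CERT_CERT_PROP_ID (32). Property names are the wincrypt.h CERT_*_PROP_ID
constants; the hex is the report's own Blob value, re-joined into one string.
"""
import hashlib
import struct
from typing import Dict

PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}

# Registry key name and Blob value copied from the behavioral2 table.
REPORT_KEY = "CABD2A79A1076A31F21D253635CB039D4329A5E8"
REPORT_BLOB_HEX = (
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6"
    "20000000010000006f050000"
    "3082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500"
    "304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831"
    "301e170d3135303630343131303433385a170d3335303630343131303433385a"
    "304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831"
    "30820222300d06092a864886f70d01010105000382020f003082020a0282020100"
    "ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed133"
    "3cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832e"
    "d149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee"
    "19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e5020798"
    "8f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e"
    "689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512"
    "fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c"
    "863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f"
    "0203010001"
    "a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e"
    "300d06092a864886f70d01010b05000382020100"
    "551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebce"
    "e059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff2"
    "8a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29"
    "868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebe"
    "d77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe6402735"
    "5ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f2"
    "2de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e1"
    "7ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827"
)


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split the property list into {prop_id: data}; strict about
    truncation and trailing bytes so a mangled blob fails loudly."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("bad property %d at offset %d" % (prop_id, off - 12))
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def check_cert_entry(key_name: str, blob_hex: str) -> Dict[str, object]:
    """Extract the DER certificate and compare the key name with the stored
    SHA-1 property and with a freshly computed SHA-1 of the DER."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[32]
    sha1 = hashlib.sha1(der).hexdigest()
    return {
        "properties": {PROP_NAMES.get(k, "prop %d" % k): len(v) for k, v in props.items()},
        "der_len": len(der),
        "stored_sha1": props[3].hex(),
        "computed_sha1": sha1,
        "key_matches_stored": key_name.lower() == props[3].hex(),
        "key_matches_computed": key_name.lower() == sha1,
        # the SubjectKeyIdentifier extension carries the same 20 bytes as prop 20
        "ski_in_der": props[20] in der,
        "subject_is_isrg_root_x1": b"ISRG Root X1" in der,
    }


if __name__ == "__main__":
    for k, v in check_cert_entry(REPORT_KEY, REPORT_BLOB_HEX).items():
        print("%-24s %s" % (k, v))
```

Writing props[32] to a file and opening it with any certificate viewer gives the full subject, validity (2015-06-04 to 2035-06-04) and key identifier; a key name that does not match the recomputed SHA-1, or a DER whose subject is not a public root, is the case worth escalating.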

Processes

C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe

"C:\Users\Admin\AppData\Local\Temp\VSNKLGuzoFJgFHyEI15w.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.torproject.org udp
DE 116.202.120.165:443 www.torproject.org tcp
US 8.8.8.8:53 dist.torproject.org udp
DE 116.202.120.166:443 dist.torproject.org tcp
N/A 127.0.0.1:9050 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 184.50.114.155:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 104.72.73.219:80 www.microsoft.com tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:42

Platform

win7-20240708-en

Max time kernel

7s

Max time network

9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\2509819211\2509819211.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\2509819211 = "C:\\Users\\Admin\\2509819211\\2509819211.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2509819211_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xpiofrbtkzhr.exe\"" C:\Windows\SysWOW64\reg.exe N/A
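
Across behavioral7, behavioral11, behavioral14, behavioral16 and behavioral18 the persistence and evasion signatures are single registry writes of a few shapes: Run and RunOnce values (a RunOnce name with a leading asterisk, like the *12c0c entry in behavioral7, also runs in Safe Mode, which plain RunOnce entries do not), a RunOnce "cmd /c del" value that removes the original dropper at next logon, a Winlogon Shell replacement that starts the sample instead of explorer.exe at every logon, an IFEO Debugger on taskmgr.exe that makes Windows start calc.exe whenever Task Manager is launched, and the DisableTaskMgr and ScreenSaveActive values. The following is an added example for this report, not sandbox output: it parses the "Set value" records exactly as these tables print them and tags those patterns. The sample records are copied from the tables above; which top-level directories count as trusted is an assumption tuned for a single-user sandbox image, not the sandbox's own signature logic.

```python
"""Triage the 'Set value' registry records printed in this report's signature
tables for the persistence and evasion patterns they show.

Added example for this report, not sandbox output. The sample records are
copied from the behavioral7/11/14/16/18 tables; the trusted-root list is an
assumption for a single-user sandbox image.
"""
import re
from typing import List, Tuple

# One record looks like:
#   Set value (str) \REGISTRY\USER\<SID>\...\Run\c12c0c = "C:\\c12c0c1\\c12c0c1.exe"
_RECORD = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)"$')

# Top-level directories an autorun target may live in without being flagged
# (assumption: everything else, C:\Users\... and C:\c12c0c1\... included,
# is treated as user-writable).
_TRUSTED_ROOTS = ("windows", "program files", "program files (x86)")


def parse_set_value(line: str) -> Tuple[str, str, str]:
    """Return (value_type, key_path, data). The tables double every backslash
    in the data column, so those are collapsed back to single ones."""
    m = _RECORD.match(line.strip())
    if not m:
        raise ValueError("not a Set value record: %r" % line)
    vtype, path, data = m.groups()
    return vtype, path, data.replace("\\\\", "\\")


def _user_writable(path: str) -> bool:
    """True for a drive path whose top-level directory is not a trusted root."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\", path)
    return bool(m) and m.group(1) not in _TRUSTED_ROOTS


def triage(line: str) -> List[str]:
    """Return finding tags for one record; an empty list means nothing notable."""
    _, path, data = parse_set_value(line)
    p, d = path.lower(), data.lower()
    findings: List[str] = []

    m = re.search(r"\\currentversion\\(run|runonce)\\([^\\]+)$", p)
    if m:
        findings.append("autorun:" + m.group(1))
        # RunOnce values are skipped in Safe Mode unless the name starts with '*'.
        if m.group(1) == "runonce" and m.group(2).startswith("*"):
            findings.append("autorun:runonce-safe-mode")
        if _user_writable(d):
            findings.append("autorun:user-writable-path")
        if d.startswith("cmd /c del "):
            findings.append("autorun:self-delete")
    if p.endswith("\\winlogon\\shell") and d != "explorer.exe":
        findings.append("winlogon-shell-hijack")
    if re.search(r"\\image file execution options\\[^\\]+\\debugger$", p):
        findings.append("ifeo-debugger-hijack")
    if p.endswith("\\policies\\system\\disabletaskmgr") and d == "1":
        findings.append("taskmgr-disabled")
    if p.endswith("\\control panel\\desktop\\screensaveactive") and d == "0":
        findings.append("screensaver-disabled")
    return findings


# Records copied from the signature tables (backslashes exactly as printed).
SAMPLE_RECORDS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\c12c0c = "C:\\c12c0c1\\c12c0c1.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*12c0c = "C:\\c12c0c1\\c12c0c1.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\2509819211 = "C:\\Users\\Admin\\2509819211\\2509819211.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2509819211_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xpiofrbtkzhr.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_26726.avi.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveActive = "0"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\startingp = "89104011106"',
]


def triage_all(records: List[str]) -> List[List[str]]:
    return [triage(r) for r in records]


if __name__ == "__main__":
    for rec, tags in zip(SAMPLE_RECORDS, triage_all(SAMPLE_RECORDS)):
        print(tags or ["-"], rec.split(" = ")[0].rsplit("\\", 1)[-1])
```

The last record (the Internet Explorer startingp value) comes back empty on purpose: the adware marker is real but it is not a persistence or evasion mechanism, and a triage pass that tags everything tags nothing.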

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\2509819211\2509819211.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveActive = "0" C:\Users\Admin\2509819211\2509819211.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\2509819211\2509819211.exe N/A
N/A N/A C:\Users\Admin\2509819211\2509819211.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2148 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2148 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2148 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3060 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Users\Admin\2509819211\2509819211.exe
PID 3060 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Users\Admin\2509819211\2509819211.exe
PID 3060 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Users\Admin\2509819211\2509819211.exe
PID 3060 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Users\Admin\2509819211\2509819211.exe
PID 2760 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3060 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\shutdown.exe
PID 3060 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\shutdown.exe
PID 3060 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\shutdown.exe
PID 3060 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe C:\Windows\SysWOW64\shutdown.exe
PID 2748 wrote to memory of 548 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 548 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 548 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 548 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2028 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2028 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2028 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2028 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2660 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2660 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2660 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2660 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2580 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2580 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2580 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe
PID 2748 wrote to memory of 2580 N/A C:\Users\Admin\2509819211\2509819211.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe

"C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2509819211 /t REG_SZ /d "C:\Users\Admin\2509819211\2509819211.exe" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2509819211 /t REG_SZ /d "C:\Users\Admin\2509819211\2509819211.exe" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2509819211_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe\"" /f

C:\Users\Admin\2509819211\2509819211.exe

"C:\Users\Admin\2509819211\2509819211.exe" f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2509819211_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\xpiofrbtkzhr.exe\"" /f

C:\Windows\SysWOW64\shutdown.exe

"C:\Windows\System32\shutdown.exe" /r /f /t 4

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/3060-1-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3060-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2748-18-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-17-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-16-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-15-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-14-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-13-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-12-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-11-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2748-106-0x0000000000170000-0x0000000000171000-memory.dmp

C:\Users\Admin\2509819211\2509819211.exe

MD5 8ce930987752f9790864543b6da34317
SHA1 7d89ae64e1dae59e8e85749b875aa712a4fc5e36
SHA256 5bce08b97565564ccdebec5b9c45ac680e0b3f01ddde2461f1dff4a9bbe50836
SHA512 456c1eb90d51145a785ee47c15d49b0bc9ce9a14f636bbac69e4df19fb2ab8b6e4f785657797042561e0d12e237fc223537220493d9a4ef3f1b29cda373fb65d

memory/2748-55-0x0000000000150000-0x0000000000151000-memory.dmp

memory/3060-376-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

290s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxx_video_73240.avi____.exe.vir.exe" C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\startingp = "89162981497" C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe

"C:\Users\Admin\AppData\Local\Temp\xxx_video_73240.avi____.exe.vir.exe"

Network

N/A

Files

memory/2100-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2100-1-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-22 03:41

Reported

2024-11-22 03:47

Platform

win7-20240903-en

Max time kernel

300s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"

Signatures

CryptoLocker

ransomware cryptolocker

Cryptolocker family

cryptolocker

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2904 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2904 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2904 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2384 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2384 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2384 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2384 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Processes

C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe

"C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8

Network

Country Destination Domain Proto
US 184.164.136.134:80 tcp
US 8.8.8.8:53 dvciafgmxqbqdgc.info udp
US 8.8.8.8:53 rnfartqpncqtvlb.com udp
US 8.8.8.8:53 faapeobkwfoevni.net udp
US 8.8.8.8:53 nhlngdgdlsllmeg.biz udp
US 8.8.8.8:53 btgdsxqxuvjvvmj.ru udp
US 8.8.8.8:53 pljukmbbkhyyvau.org udp
US 8.8.8.8:53 dxekwhlvtkwjvug.co.uk udp
US 8.8.8.8:53 tfpbyapphqdqqdp.info udp
US 8.8.8.8:53 udkvwucsqfcwriw.com udp
US 8.8.8.8:53 vjnidjkngfqesmv.net udp
US 8.8.8.8:53 whidbewqptpkkbu.biz udp
US 8.8.8.8:53 rdtvrsabevlvukl.ru udp
US 8.8.8.8:53 sboqpnmenkkcviw.org udp
US 8.8.8.8:53 thrdvcuydkyjeui.co.uk udp
US 8.8.8.8:53 ufmxtwhcmyxpvcl.info udp
US 8.8.8.8:53 acjxmtancumeux.com udp
US 8.8.8.8:53 nmklgltavpetuk.net udp
US 8.8.8.8:53 bhttyjnoioddua.biz udp
US 8.8.8.8:53 oruhsbhbcjusea.ru udp
US 8.8.8.8:53 vloenyykefejgc.org udp
US 8.8.8.8:53 jvprhqswxavygv.co.uk udp
US 8.8.8.8:53 wqyaaomlkyuiyw.info udp
US 8.8.8.8:53 kbantggxetmxie.com udp
US 8.8.8.8:53 ilrkkiqwmdgtds.net udp
US 8.8.8.8:53 jhsloamrgernur.biz udp
US 8.8.8.8:53 jqcgwxexswwsdg.ru udp
US 8.8.8.8:53 kmdhbpasmximev.org udp
US 8.8.8.8:53 euwqlnptonxydd.co.uk udp
US 8.8.8.8:53 fqxrpfloiojsuj.info udp
US 8.8.8.8:53 fahmxdduuhoxvj.com udp
US 8.8.8.8:53 gvincuypoiarwg.net udp
US 8.8.8.8:53 oxckpobxhccycg.biz udp
US 8.8.8.8:53 cidxjjlhxdxsld.ru udp
US 8.8.8.8:53 qgmjheofpinllh.org udp
US 8.8.8.8:53 eqnwbyyogjjfln.co.uk udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 xriekokeanpxwl.com udp
US 8.8.8.8:53 mprpijncrsfqph.net udp
US 8.8.8.8:53 aasdcexlitbkpu.biz udp
US 8.8.8.8:53 whkwndrvrkasno.ru udp
US 8.8.8.8:53 xdlxrxekirhiox.org udp
US 8.8.8.8:53 ypuvfsfdaqlfwb.co.uk udp
US 8.8.8.8:53 alvwjnrrqxsuow.info udp
US 8.8.8.8:53 sqpdoiqsturxnv.com udp
US 8.8.8.8:53 tmqesddhkcynom.net udp
US 8.8.8.8:53 uyacgxeacbdkph.biz udp
US 8.8.8.8:53 vubdksqosikahk.ru udp
US 8.8.8.8:53 uakegwpessydxp.org udp
US 8.8.8.8:53 iklraojqmnqsxc.co.uk udp
US 8.8.8.8:53 vfuasgksreslqw.info udp
US 8.8.8.8:53 jpvnmxeflykbaw.com udp
US 8.8.8.8:53 sppiwcmcqewbcv.net udp
US 8.8.8.8:53 gaqvqtgokyoqcp.biz udp
US 8.8.8.8:53 tuaejlhqppqjce.ru udp
US 8.8.8.8:53 hfbrddbdjkiyll.org udp
US 8.8.8.8:53 djsqelgndbssgq.co.uk udp
US 8.8.8.8:53 eftridciwcemxp.info udp
US 8.8.8.8:53 eodmqubccmmbyj.com udp
US 8.8.8.8:53 fkenumwwvnxuay.net udp
US 8.8.8.8:53 byxuuqdlbmqqyq.biz udp
US 8.8.8.8:53 cuyvyiygunckqw.ru udp
US 8.8.8.8:53 ceiqhaxaaxkyyk.org udp
US 8.8.8.8:53 dajrlrtutyvsah.co.uk udp
US 8.8.8.8:53 jvdqjrqlxcrfpl.info udp
US 8.8.8.8:53 wgeedmbuodnyyi.com udp
US 8.8.8.8:53 lenpbblmyvairr.net udp
US 8.8.8.8:53 yooduvvvpwvcrx.biz udp
US 8.8.8.8:53 hliuawnjvnpdto.ru udp
US 8.8.8.8:53 uvjitrxsmolwds.org udp
US 8.8.8.8:53 jtstrgikwhxgdc.co.uk udp
US 8.8.8.8:53 wethlbstnitadp.info udp
US 8.8.8.8:53 rfldhghjikpyba.com udp
US 8.8.8.8:53 sbmelbtxyrwocj.net udp
US 8.8.8.8:53 tnvcypckjexcdr.biz udp
US 8.8.8.8:53 ujwddkoyalfrun.ru udp
US 8.8.8.8:53 puqhxlehgvnwtw.org udp
US 8.8.8.8:53 qqricgqvwdumun.co.uk udp
US 8.8.8.8:53 rdbgpuyihpvadv.info udp
US 8.8.8.8:53 sychtplwxwdpuy.com udp
US 8.8.8.8:53 kswpoaouaodjlq.net udp
US 8.8.8.8:53 xfrhurihesvulk.biz udp
US 8.8.8.8:53 lxhlbpcvgitils.ru udp
US 8.8.8.8:53 ykcdhhvikmmtua.org udp
US 8.8.8.8:53 gccvpswsqvnplc.co.uk udp
US 8.8.8.8:53 townvkqfuagblo.info udp
US 8.8.8.8:53 hhmrciktwpeoew.com udp
US 8.8.8.8:53 uthjiaegbtwanw.net udp
US 8.8.8.8:53 oofxaojfcpeniy.biz udp
US 8.8.8.8:53 pmaurgfagovhaf.ru udp
US 8.8.8.8:53 ptptmewgijumim.org udp
US 8.8.8.8:53 qrkqevsbmimgjj.co.uk udp
US 8.8.8.8:53 kxkebhrdswottq.info udp
US 8.8.8.8:53 lvfbsynxwvgnlp.com udp
US 8.8.8.8:53 lduanwfeyqfsmw.net udp
US 8.8.8.8:53 mbpwfobydpwmnm.biz udp
US 8.8.8.8:53 yopcrupfyoycsm.ru udp
US 8.8.8.8:53 mbktxpaomnjvcq.org udp
US 8.8.8.8:53 bwabjkdmhukocn.co.uk udp
US 8.8.8.8:53 ojuspfnvutuicb.info udp
US 8.8.8.8:53 uxuisnxdpvjisu.com udp
US 8.8.8.8:53 ikpayiimdutccr.net udp
US 8.8.8.8:53 wgfhkdlkxcuuuu.biz udp
US 8.8.8.8:53 ksayqxvtlbfoub.ru udp
US 8.8.8.8:53 dkxkdjkebprosh.org udp
US 8.8.8.8:53 eishuewsojratx.co.uk udp
US 8.8.8.8:53 fsijuyxljvdbct.info udp
US 8.8.8.8:53 gqdgmtkawpdmtw.com udp
US 8.8.8.8:53 ytdqecscrwcuev.net udp
US 8.8.8.8:53 arxnvwfqfqcgff.biz udp
US 8.8.8.8:53 bcnpvrgjadnhgh.ru udp
US 8.8.8.8:53 caimnmsxnwnsxd.org udp
US 8.8.8.8:53 fqxvidcfqiifkl.co.uk udp
US 8.8.8.8:53 sdsnouvrumbqkf.info udp
US 8.8.8.8:53 gvirumwtptcnds.com udp
US 8.8.8.8:53 tidjbeqgtxuyma.net udp
US 8.8.8.8:53 dgdayvmqdyncdy.biz udp
US 8.8.8.8:53 qsxrfngdhdgndl.ru udp
US 8.8.8.8:53 elnvlfhfckhkdh.org udp
US 8.8.8.8:53 rxinrwbrgoavmh.co.uk udp
US 8.8.8.8:53 jmgetrwpsjjjha.info udp
US 8.8.8.8:53 kkbbljskwibdyg.com udp
US 8.8.8.8:53 krqagbrerudras.net udp
US 8.8.8.8:53 lplwxsnyvtulbp.biz udp
US 8.8.8.8:53 hclikkhbfaoglh.ru udp
US 8.8.8.8:53 iagfccdvjygadg.org udp
US 8.8.8.8:53 ihvewtcpeliolb.co.uk udp
US 8.8.8.8:53 jfqbolxkikaimq.info udp
US 8.8.8.8:53 tmqilxdmpkhfcu.com udp
US 8.8.8.8:53 hylarsnvdjryly.net udp
US 8.8.8.8:53 vubhdhxnqepieb.biz udp
US 8.8.8.8:53 jhvyjciwedaceo.ru udp
US 8.8.8.8:53 rcvmcqnxcbmcuf.org udp
US 8.8.8.8:53 foqeilxhpawvec.co.uk udp
US 8.8.8.8:53 tkgltaiyduufes.info udp
US 8.8.8.8:53 hwbdausiqtfyey.com udp
US 8.8.8.8:53 xiyqwmxlrlarcv.net udp
US 8.8.8.8:53 ygtnohkaffaddm.biz udp
US 8.8.8.8:53 aqjpovsmsfiuen.ru udp
US 8.8.8.8:53 boemgqfbgyigvq.org udp
US 8.8.8.8:53 vxeunfiwecfoga.co.uk udp
US 8.8.8.8:53 wvyrfaulrvfahj.info udp
US 8.8.8.8:53 xgotfodxfvnrpy.com udp
US 8.8.8.8:53 yejqwjpmspndhu.net udp
US 8.8.8.8:53 nhhriqojymtdlv.biz udp
US 8.8.8.8:53 bridiiikwdwjlt.ru udp
US 8.8.8.8:53 oifjvgckkqoclj.org udp
US 8.8.8.8:53 jqmxjvngbwliwa.info udp
US 8.8.8.8:53 wbnjjnhhynoowf.com udp
US 8.8.8.8:53 krkpwlbhmbghpg.net udp
US 8.8.8.8:53 xclbwduikrjnyc.biz udp
US 8.8.8.8:53 vqpeggmtansqwc.ru udp
US 8.8.8.8:53 wmqdqxiaxtffop.org udp
US 8.8.8.8:53 xnouenvbjxaexf.info udp
US 8.8.8.8:53 raukhllqcxkvwm.com udp
US 8.8.8.8:53 svvjrdhwaewkoh.net udp
US 8.8.8.8:53 sbscubyrncfuph.biz udp
US 8.8.8.8:53 twtbfsuxlirjqp.ru udp
US 8.8.8.8:53 tncgncxgrsfuxy.org udp
US 8.8.8.8:53 hxdrnwibeoajhh.co.uk udp
US 8.8.8.8:53 vrajerlnfmhhhl.info udp
US 8.8.8.8:53 jcbuemviricvhg.com udp
US 8.8.8.8:53 pwhmohwdtdwaja.net udp
US 8.8.8.8:53 dhixochxgyrosp.biz udp
US 8.8.8.8:53 rbfpfwkkhwymll.ru udp
US 8.8.8.8:53 flgbfruftstbln.org udp
US 8.8.8.8:53 cwkslrvcstvqgs.co.uk udp
US 8.8.8.8:53 dslrvmifffqwhq.info udp
US 8.8.8.8:53 ebivchjjgnxdpt.com udp
US 8.8.8.8:53 fwjumcvmsysjhb.net udp
US 8.8.8.8:53 xgpymwuyuenvga.biz udp
US 8.8.8.8:53 ycqxwrhchpichf.ru udp
US 8.8.8.8:53 akncdmigixpiia.org udp
US 8.8.8.8:53 bgobnhujujkoao.co.uk udp
US 8.8.8.8:53 ifixcteacbfxoo.info udp
US 8.8.8.8:53 vpjjclxbarieom.com udp
US 8.8.8.8:53 jggppdyohpfohh.net udp
US 8.8.8.8:53 wqhbpuspfgiuqv.biz udp
US 8.8.8.8:53 guncsybxamdvsu.ru udp
US 8.8.8.8:53 tfonsquyxdgcsa.org udp
US 8.8.8.8:53 hvltgivmfbdmso.co.uk udp
US 8.8.8.8:53 ugmfgapndrgsck.info udp
US 8.8.8.8:53 qoqkajckdcelab.com udp
US 8.8.8.8:53 rkrjkbxqbiqaro.net udp
US 8.8.8.8:53 rpocnswyiqecsi.biz udp
US 8.8.8.8:53 slpbxksfgwqqtj.ru udp
US 8.8.8.8:53 oevoqoyibncjsb.org udp
US 8.8.8.8:53 pawnbguoytoxkv.co.uk udp
US 8.8.8.8:53 pftgextwgccasj.info udp
US 8.8.8.8:53 qbufoppdeiootr.com udp
US 8.8.8.8:53 oldmhfntufvfld.net udp
US 8.8.8.8:53 cvexhaxohbqtul.biz udp
US 8.8.8.8:53 qpbpxoiucnsanu.ru udp
US 8.8.8.8:53 eacbxjspojnonp.org udp
US 8.8.8.8:53 mbiqxkkrsqtdpg.co.uk udp
US 8.8.8.8:53 aljcxfumfmoryv.info udp
US 8.8.8.8:53 ofgtotfsayqxyf.com udp
US 8.8.8.8:53 cphfoopnmulmyh.net udp
US 8.8.8.8:53 wulyfulpvgmbtd.biz udp
US 8.8.8.8:53 xqmxppxsirhhub.ru udp
US 8.8.8.8:53 yyjcvegqdojvvj.org udp
US 8.8.8.8:53 aukbgystpaecnq.co.uk udp
US 8.8.8.8:53 ukqdvaintrkyma.info udp
US 8.8.8.8:53 vgrcguuqgdffnf.com udp
US 8.8.8.8:53 woogmjdobahtvn.net udp
US 8.8.8.8:53 xkpfweprnlcanc.biz udp
US 8.8.8.8:53 xxujkwhdwopxmi.ru udp
US 8.8.8.8:53 lkpywobefxjemn.org udp
US 8.8.8.8:53 yysbxmueiskwmv.co.uk udp
US 8.8.8.8:53 mlnqkeofqcedvr.info udp
US 8.8.8.8:53 thaplppbnvaemt.com udp
US 8.8.8.8:53 htufxhjcvftkmr.net udp
US 8.8.8.8:53 uixhyfdcyaudfa.biz udp
US 8.8.8.8:53 iuswlwwdhjojoo.ru udp
US 8.8.8.8:53 ctdrvmbpprlemc.org udp
US 8.8.8.8:53 drxmtewvxmooew.co.uk udp
US 8.8.8.8:53 dubjjcoqbvgdme.info udp
US 8.8.8.8:53 esvehtkwjqjnnm.com udp
US 8.8.8.8:53 xdixwfjngyvkxt.net udp
US 8.8.8.8:53 ybdsuwftotyuph.biz udp
US 8.8.8.8:53 yegpkuwordqjqo.ru udp
US 8.8.8.8:53 acbkimsuaxttrp.org udp
US 8.8.8.8:53 eepxpiqajnuryy.co.uk udp
US 8.8.8.8:53 rqkncdbusqscio.info udp
US 8.8.8.8:53 ginbgxehwhweil.com udp
US 8.8.8.8:53 tuiqssocgkuoin.net udp
US 8.8.8.8:53 anueqbyxaufxyh.biz udp
US 8.8.8.8:53 naptdvjsjxdiip.ru udp
US 8.8.8.8:53 crshhqmfnohkbs.org udp
US 8.8.8.8:53 penwtlwawrfubn.co.uk udp
US 8.8.8.8:53 iaxgbxkxcqucvf.info udp
US 8.8.8.8:53 jxsbyswblftiwk.com udp
US 8.8.8.8:53 kevjrnxfpkwofg.net udp
US 8.8.8.8:53 lcqepikiyyvuwu.biz udp

Files

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5 04fb36199787f2e3e2135611a38321eb
SHA1 65559245709fe98052eb284577f1fd61c01ad20d
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444