Malware Analysis Report

2025-01-02 14:25

Sample ID 241126-bls27swmhw
Target 99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe
SHA256 99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db
Tags
discovery andromeda backdoor botnet persistence upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db

Threat Level: Known bad

The file 99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe was found to be: Known bad.

Malicious Activity Summary

discovery andromeda backdoor botnet persistence upx

Andromeda family

Detects Andromeda payload.

Andromeda, Gamarue

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Maps connected drives based on registry

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 01:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 01:14

Reported

2024-11-26 01:16

Platform

win7-20240903-en

Max time kernel

100s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 864 set thread context of 0 N/A C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe N/A

The target PID was not recorded (shown as 0). This run lists no child process, no dropped file and no network traffic, so the win7 detonation did not get past its initial stage and never reached the persistence and C2 steps seen in behavioral2 below; the memory dumps under Files are the only artifacts it produced.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe

"C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe"

Network

N/A

Files

memory/864-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/864-4-0x0000000000230000-0x0000000000231000-memory.dmp

memory/864-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/864-58-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/864-26-0x0000000000340000-0x0000000000341000-memory.dmp

memory/864-76-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/864-38-0x0000000000360000-0x0000000000361000-memory.dmp

memory/864-68-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/864-358-0x0000000000420000-0x0000000000422000-memory.dmp

memory/864-356-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/864-487244-0x0000000000520000-0x0000000000620000-memory.dmp

memory/864-473586-0x0000000000520000-0x0000000000620000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 01:14

Reported

2024-11-26 01:16

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe"

Signatures

Andromeda family

andromeda

Andromeda, Gamarue

botnet backdoor andromeda

Detects Andromeda payload.

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no indicator detail recorded)

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\289 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msxrrmg.bat" C:\Windows\SysWOW64\svchost.exe N/A

Two details here are worth more than the signature name. The value name is a bare number (289) and the data is an 8.3 short path: PROGRA~3\LOCALS~1 is the short form of a "Local Settings" directory under the third PROGRA~ entry on the system drive, which on a default Windows install is C:\ProgramData (PROGRA~1 and PROGRA~2 being the two Program Files folders); resolve it on the affected host rather than assuming. A numeric value name under Policies\Explorer\Run pointing into ProgramData\Local Settings\Temp is a long-standing Andromeda/Gamarue persistence trait. The writer is the injected svchost.exe (PID 4528 in the process tree), not the sample binary, so a Run-key write attributed to svchost.exe is itself a hunting lead; Explorer processes this key at logon.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe" C:\Windows\SysWOW64\reg.exe N/A

The value name "winlogon" and the folder and file name "winlogonr" are chosen to resemble the Windows logon process, but the target sits under %APPDATA%, where the real winlogon.exe never lives. The entry is written by reg.exe launched from cmd.exe running the dropped LFKYH batch file (see Processes), so the batch file is the place to look for the exact REG ADD command.
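The two persistence entries above (the HKLM Policies\Explorer\Run value written by svchost.exe and the HKCU Run value written by reg.exe) can be scored with a small rule rather than matched by name. The script below is an added example, not part of the sandbox report or any tool the report mentions: it parses "Set value" rows in the report's own format, normalises the hive prefix, and accumulates the traits that make these entries stand out (user-writable target, 8.3 short name, script target, numeric value name, system-process lookalike, unusual writer). The first two event lines are copied from the tables above; the third is a constructed benign control; the thresholds and the T1547.001 mapping (ATT&CK "Registry Run Keys / Startup Folder") are the example's own choices.

```python
"""Score registry 'Set value' events against common autostart keys.
Added example, not part of the sandbox report.  Events 0 and 1 are copied
from the persistence tables; event 2 is a constructed benign control."""
import re
from pathlib import PureWindowsPath

EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\289 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msxrrmg.bat" C:\Windows\SysWOW64\svchost.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe" C:\Windows\SysWOW64\reg.exe N/A',
    # Constructed benign control line (not from the report).
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" C:\Windows\explorer.exe N/A',
]

# Row layout: Set value (<type>) <key\name> = "<data>" <writer> [<target>]
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*?)" (\S+)(?: \S+)?$')
USER_HIVE_RE = re.compile(r"^\\registry\\user\\s-1-5-[\d-]+\\")

AUTOSTART_KEYS = {  # ATT&CK T1547.001 locations this rule covers
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
    r"hkcu\software\microsoft\windows\currentversion\policies\explorer\run",
}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SYSTEM_NAMES = ("winlogon", "svchost", "csrss", "lsass", "smss", "services", "explorer")
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1"}


def normalize_key(key):
    """\\REGISTRY\\MACHINE\\x -> hklm\\x, \\REGISTRY\\USER\\<SID>\\x -> hkcu\\x (lowercased)."""
    k = key.lower()
    machine = "\\registry\\machine\\"
    if k.startswith(machine):
        return "hklm\\" + k[len(machine):]
    m = USER_HIVE_RE.match(k)
    if m:
        return "hkcu\\" + k[m.end():]
    return k


def parse_event(line):
    """Split one report row into key, value name, unescaped data and writer."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    vtype, full, data, writer = m.groups()
    key, _, name = full.rpartition("\\")
    return {"type": vtype, "key": normalize_key(key), "name": name,
            "data": data.replace("\\\\", "\\"), "writer": writer}


def assess(line):
    """None for non-autostart events; otherwise a verdict with its reasons."""
    ev = parse_event(line)
    if ev is None or ev["key"] not in AUTOSTART_KEYS:
        return None
    data = ev["data"].lower()
    target = PureWindowsPath(data)
    writer = PureWindowsPath(ev["writer"].lower())
    reasons = []
    if any(seg in data for seg in USER_WRITABLE):
        reasons.append("autostart target lives in a user-writable location")
    if re.search(r"~\d", data):
        reasons.append("8.3 short name in target path (PROGRA~3, LOCALS~1)")
    if target.suffix in SCRIPT_EXT:
        reasons.append(f"target is a script ({target.suffix})")
    if ev["name"].isdigit():
        reasons.append("numeric value name")
    if (ev["name"].lower() in SYSTEM_NAMES or target.stem.startswith(SYSTEM_NAMES)) \
            and not data.startswith("c:\\windows\\"):
        reasons.append("value name or target mimics a Windows system process")
    if writer.name == "svchost.exe":
        reasons.append("written by svchost.exe, which does not create autostart entries on its own")
    elif writer.name == "reg.exe":
        reasons.append("written via reg.exe (command-line LOLBin)")
    score = len(reasons)
    verdict = "malicious" if score >= 3 else "suspicious" if score else "benign-looking"
    return {"key": ev["key"], "name": ev["name"], "data": ev["data"],
            "writer": ev["writer"], "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for line in EVENTS:
        r = assess(line)
        print(f'{r["verdict"]:15} {r["score"]}  {r["name"]} -> {r["data"]}')
        for why in r["reasons"]:
            print("    -", why)
```

The two report rows score 5 and 3 and the OneDrive control scores 0; the rule deliberately ignores everything outside the six autostart keys so that the many "Key opened" discovery rows in this report fall through as None.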

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no indicator detail recorded)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\LOCALS~1\Temp\msxrrmg.bat C:\Windows\SysWOW64\svchost.exe N/A

The signature name overstates the location: C:\PROGRA~3 is an 8.3 short name that on a default install resolves to C:\ProgramData, not a Program Files folder. This is the same file the Policies\Explorer\Run value points at, so the drop and the autostart entry are one persistence action performed from the injected svchost.exe.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe N/A (56 identical rows collapsed)

SeDebugPrivilege lets the caller open other processes with full access regardless of their DACL, which winlogonr.exe needs for the write into svchost.exe (PID 4528) recorded under WriteProcessMemory below; together with the EnumeratesProcesses and MapViewOfSection hits it is the standard prelude to injecting into another process.

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the count in parentheses is the number of recorded writes for that pair.

Description Indicator Process Target
PID 4724 wrote to memory of 2740 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe
PID 2740 wrote to memory of 1848 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2076 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 4640 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
PID 4640 wrote to memory of 2576 (8 writes) N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
PID 4640 wrote to memory of 1204 (6 writes) N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
PID 1204 wrote to memory of 4528 (3 writes) N/A C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe C:\Windows\SysWOW64\svchost.exe

In this run the plain parent-to-child launches (cmd.exe, reg.exe, winlogonr.exe) show three writes each, while writes into a fresh copy of the same image show six to eight, matching the extra work of replacing the child's image. svchost.exe also shows only three, so the write count alone is not a discriminator; the parent is, since a genuine svchost.exe is started by services.exe.

Processes

Tree for this run. PIDs and parent/child links are taken from the WriteProcessMemory rows above (the parent writes into each child it starts); the second line of each entry is the recorded command line.

PID 4724  C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe
          "C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe"

  PID 2740  C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe
            "C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe"
            Second copy of the sample, written to by PID 4724. Its memory dumps under Files are all of 0x400000-0x40B000, a 0xB000-byte image at the default 32-bit image base, consistent with a hollowed copy carrying the unpacked code.

    PID 1848  C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFKYH.bat" "
              (the Files section records C:\Users\Admin\AppData\Local\Temp\LFKYH.txt for this path, not a .bat)

      PID 2076  C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f

    PID 4640  C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
              "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"

      PID 2576  C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
                "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"

      PID 1204  C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
                "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"

        PID 4528  C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\syswow64\svchost.exe
                  Started by winlogonr.exe with no -k service-group argument, whereas a genuine svchost.exe is started by services.exe. This is the process that creates msxrrmg.bat and the Policies\Explorer\Run value (see Signatures), i.e. the injection host for the bot.
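The WriteProcessMemory table and the process list above together describe one chain: the sample writes into a second copy of itself, that copy drops and runs the batch file, launches winlogonr.exe, which in turn writes into two more copies of itself and finally into svchost.exe. The script below is an added example, not part of the sandbox report or of any tool it names: it parses rows in the report's "PID A wrote to memory of B" format (copied from the table, with one duplicate left in to show deduplication), rebuilds the tree, and applies three heuristics (same-image write, svchost.exe with a parent other than services.exe, %SystemRoot% binary written by a process outside %SystemRoot%) that are the example's own choices, not the sandbox's rules.

```python
"""Rebuild the behavioral2 process tree from the report's WriteProcessMemory
rows and flag the injection patterns in it.  Added example, not part of the
sandbox report; row text is copied from the table above."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\99ae9cc4150756bbfb18f34381118146cc851f3707d03ba79cf6639d7d8f02db.exe"
WINLOGONR = r"C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# One row per (writer, target) pair as printed in the report; the first row is
# repeated once to show that parse_rows() collapses duplicates.
WPM_ROWS = "\n".join([
    f"PID 4724 wrote to memory of 2740 N/A {SAMPLE} {SAMPLE}",
    f"PID 4724 wrote to memory of 2740 N/A {SAMPLE} {SAMPLE}",
    f"PID 2740 wrote to memory of 1848 N/A {SAMPLE} {CMD}",
    f"PID 1848 wrote to memory of 2076 N/A {CMD} {REG}",
    f"PID 2740 wrote to memory of 4640 N/A {SAMPLE} {WINLOGONR}",
    f"PID 4640 wrote to memory of 2576 N/A {WINLOGONR} {WINLOGONR}",
    f"PID 4640 wrote to memory of 1204 N/A {WINLOGONR} {WINLOGONR}",
    f"PID 1204 wrote to memory of 4528 N/A {WINLOGONR} {SVCHOST}",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Map (writer_pid, target_pid) -> (writer_image, target_image), deduplicated."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst))] = (src_img, dst_img)
    return edges


def build_tree(edges):
    """Return (root PIDs, {parent_pid: [child_pids]}) from the write edges."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    return roots, children


def render_tree(edges):
    """Indented text tree, one line per PID with the image basename."""
    roots, children = build_tree(edges)
    image = {}
    for (src, dst), (src_img, dst_img) in edges.items():
        image[src], image[dst] = src_img, dst_img
    lines = []

    def walk(pid, depth):
        basename = image[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {basename}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def flag_injections(edges):
    """Heuristics over each write edge (example's own, not the sandbox's):
    - writer and target share an image: a fresh copy of itself is being
      written to, the hollowing pattern that goes with SetThreadContext;
    - target is svchost.exe started by something other than services.exe:
      classic injection host;
    - other %SystemRoot% binaries written by a process outside %SystemRoot%:
      a LOLBin launched from user-writable space, often just a parent
      setting up its child, but worth a look."""
    findings = []
    for (src, dst), (src_img, dst_img) in sorted(edges.items()):
        s, d = src_img.lower(), dst_img.lower()
        if s == d:
            findings.append((src, dst, "self-image write (likely hollowed copy)"))
        elif d.endswith("\\svchost.exe") and not s.endswith("\\services.exe"):
            findings.append((src, dst, "svchost.exe with non-services.exe parent (injection host)"))
        elif d.startswith("c:\\windows\\") and not s.startswith("c:\\windows\\"):
            findings.append((src, dst, "system binary written by process outside C:\\Windows"))
    return findings


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    print("\n".join(render_tree(edges)))
    for src, dst, why in flag_injections(edges):
        print(f"{src} -> {dst}: {why}")
```

On the report's rows this yields one root (4724), eight processes, and five flagged edges: the three same-image writes (4724 into 2740, 4640 into 2576 and 1204), the write into svchost.exe, and the sample's launch of cmd.exe. The cmd.exe hit is the weakest of the five on its own; it matters here because of what the child then does (reg.exe adding the Run key).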

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
US 8.8.4.4:53 skyband.in udp
US 8.8.8.8:53 skyband.in udp
US 8.8.8.8:53 82.235.72.20.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.4.4:53 skyband.in udp
US 8.8.8.8:53 skyband.in udp

Notes on the traffic above:
- skyband.in is queried four times across both resolvers, but no TCP connection to it is recorded, so within the 99 s network window it either did not resolve or was never reached. It is the only non-Microsoft domain in the run and is the candidate command-and-control indicator from this report (DNS only, not confirmed by a connection).
- The single TCP session is to www.update.microsoft.com:80. Andromeda is documented to test internet reachability against update.microsoft.com before contacting its C2; the report does not attribute this connection to a specific process, so treat it as consistent with that behaviour rather than proof of it.
- The *.in-addr.arpa entries are reverse (PTR) lookups of addresses seen during the run (82.235.72.20.in-addr.arpa, for example, is the PTR name for 20.72.235.82 above) and are not indicators on their own.

Files

memory/4724-2-0x0000000002B20000-0x0000000002B22000-memory.dmp

memory/4724-3-0x0000000002B30000-0x0000000002B32000-memory.dmp

memory/4724-5-0x0000000002B60000-0x0000000002B62000-memory.dmp

memory/4724-6-0x0000000002B70000-0x0000000002B72000-memory.dmp

memory/4724-4-0x0000000002B50000-0x0000000002B52000-memory.dmp

memory/4724-7-0x0000000002B90000-0x0000000002B92000-memory.dmp

memory/2740-8-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2740-10-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2740-12-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LFKYH.txt

MD5 6831b89d0b8dc3e07588d733e75c122b
SHA1 8c70088c3224bbaf535ed19ec0f6bd5231c543be
SHA256 9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2
SHA512 699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da

C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe

MD5 92bdb37b53f2fd12914efdae18bf2289
SHA1 d6588e94a5ce84d6e8408d6d98d71f712c9a2740
SHA256 b134c6390ff9fd5b7a6d8351b25747c04fcaaad3bde402a2cbeb8b3e7e514547
SHA512 eaf6006d8cf1d03280b1d31799b7ac86154302f0b303e06922f2f8b9dc709666afae249fec437cbb56568028d672ec490b883ecb6c300b480e5a1dbd1b5f04f0

memory/2740-38-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4640-40-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4640-41-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4640-42-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1204-45-0x0000000000400000-0x0000000000405000-memory.dmp

memory/4640-50-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1204-51-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2740-54-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4528-58-0x00000000004D0000-0x00000000004DE000-memory.dmp

memory/4528-60-0x00000000004D0000-0x00000000004DE000-memory.dmp

memory/2576-61-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4528-63-0x00000000009F0000-0x00000000009F5000-memory.dmp

memory/4528-67-0x00000000009F0000-0x00000000009F5000-memory.dmp