Malware Analysis Report

2025-08-11 04:38

Sample ID 250119-n8q8cawnhs
Target 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe
SHA256 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776
Tags
defense_evasion discovery evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776

Threat Level: Known bad

The file 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence spyware stealer trojan upx

Modifies firewall policy service

Modifies security service

Modifies visibility of hidden/system files in Explorer

Windows security bypass

UAC bypass

Modifies visibility of file extensions in Explorer

Drops file in Drivers directory

Disables taskbar notifications via registry modification

Event Triggered Execution: Image File Execution Options Injection

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Windows security modification

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Adds Run key to start application

Indicator Removal: Clear Persistence

Checks whether UAC is enabled

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Control Panel

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:04

Reported

2025-01-19 12:06

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-70554750" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-57951861" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe:*:Enabled:@xpsp2res.dll,-28956246" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjsetup.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfwadmin.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpcmap.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navex15.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UCCLSID.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ogrc.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iris.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgssfw32.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SrchSTS.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracert.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepsrv.sys.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe\Debugger = "\"C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
N/A N/A C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\AC1E05A2F476A4B7\\8F1502.exe" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

UPX packed file

upx
Description Indicator Process Target

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Sound\Beep = "no" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Sound C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://k3rpn6nsm7v08o4.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://91191v7i5nney3c.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://4gpc25t8i557w30.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://z08r490sa8b1pm7.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://316d36it7o97o1w.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://as532zl2oxlma0l.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Download C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://6209860r64907e0.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://5opbq517ww14301.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://199kqmqltvtzk21.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://8gsq0s81r700r48.directorio-w.com" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe
PID 788 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe
PID 2352 wrote to memory of 1912 N/A C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe
PID 1912 wrote to memory of 1236 N/A C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe

"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"

C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe

"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"

C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe

"C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe" 5A3FB291

C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe

"C:\Users\Admin\AC1E05A2F476A4B7\8F1502.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

Network


Files

memory/788-2-0x0000000000400000-0x0000000000446000-memory.dmp

memory/788-11-0x0000000000400000-0x0000000000446000-memory.dmp

memory/788-13-0x0000000000400000-0x0000000000446000-memory.dmp

memory/788-10-0x0000000000400000-0x0000000000446000-memory.dmp

memory/788-8-0x0000000000400000-0x0000000000446000-memory.dmp

memory/788-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/788-5-0x0000000000400000-0x0000000000446000-memory.dmp

memory/788-4-0x0000000000400000-0x0000000000446000-memory.dmp

\Users\Admin\AC1E05A2F476A4B7\8F1502.exe

MD5 12fe11a1768d83798579faf59609bdd0
SHA1 e4f225c82d5ac1bf26a1092759326a3fc4155a59
SHA256 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776
SHA512 b0f88c5ba619e1f107e94ab1b900c5725a82fc53e08de97dcf989ce65a22ee6ff6d5b228b28d50d8c0fc605a5f465831d7f9129362b6894384cb50d95c36283b

memory/788-27-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-53-0x0000000003F00000-0x00000000049BA000-memory.dmp

memory/1912-1909-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-1910-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-1937-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-1944-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-1960-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-1977-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-1990-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-2026-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-2030-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-2046-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-2068-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-2094-0x0000000000400000-0x0000000000446000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 12:04

Reported

2025-01-19 12:06

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-70554750" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-57951861" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-28956246" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\6831144AF18B6310\4B3A13.exe = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
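
The rows above record the sample adding itself to the legacy Windows Firewall application-exception list in every control set it can find (ControlSet001 through ControlSet003; at runtime only the one named by HKLM\SYSTEM\Select\Current is live, so writing all of them also survives a "Last Known Good" boot) and suppressing block notifications. The following is an added example, not part of the report or the sample: it decodes the exception strings copied from the table into their four fields (path, scope, state, display name) and applies the checks an analyst would run on them. The indirect display name "@xpsp2res.dll,-NNN" is the form Windows uses for its own built-in rules; a non-system binary wearing one is itself a signal. The resource IDs differ per control set and are treated here as opaque; which ones actually resolve in xpsp2res.dll is not asserted.

```python
"""Decode and triage SharedAccess firewall-exception entries from the report above.

Added example, not from the report. The legacy firewall stores an application
exception under ...\FirewallPolicy\<Profile>\AuthorizedApplications\List\<path>
as the string "<path>:<scope>:<Enabled|Disabled>:<display name>", where the
display name may be an indirect string "@<dll>,-<resource id>".
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallException:
    control_set: str
    path: str
    scope: str          # "*" = any remote address, else e.g. "LocalSubNet" or a subnet list
    enabled: bool
    display_name: str


# Exception strings copied from the report table (the report prints each path
# separator escaped, so "\\" in the raw value is one backslash on disk).
REPORT_EXCEPTIONS = {
    "ControlSet001": r"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-70554750",
    "ControlSet002": r"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-57951861",
    "ControlSet003": r"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe:*:Enabled:@xpsp2res.dll,-28956246",
}

# Integer policy values copied from the report (ControlSet001 rows).
REPORT_POLICY = {
    ("DomainProfile", "DisableNotifications"): 1,
    ("StandardProfile", "DisableNotifications"): 1,
    ("DomainProfile", "DoNotAllowExceptions"): 0,
    ("StandardProfile", "DoNotAllowExceptions"): 0,
}

INDIRECT_STRING = re.compile(r"^@[^,]+,-\d+$")
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
SYSTEM_ROOTS = re.compile(r"^[a-z]:\\(windows|program files(?: \(x86\))?)\\", re.I)


def parse_exception(control_set: str, raw: str) -> FirewallException:
    # The path contains "C:", so split from the right to keep it intact.
    path, scope, state, name = raw.rsplit(":", 3)
    return FirewallException(control_set, path.replace("\\\\", "\\"),
                             scope, state.lower() == "enabled", name)


def triage_exception(exc: FirewallException) -> list[str]:
    flags = []
    if exc.enabled and exc.scope == "*":
        flags.append("enabled for all remote addresses")
    if USER_PROFILE.match(exc.path):
        flags.append("allowed binary lives under a user profile")
    elif not SYSTEM_ROOTS.match(exc.path):
        flags.append("allowed binary outside Windows/Program Files")
    if INDIRECT_STRING.match(exc.display_name) and not SYSTEM_ROOTS.match(exc.path):
        flags.append("indirect resource display name (built-in rule style) on a non-system binary")
    return flags


def triage_policy(policy: dict) -> list[str]:
    flags = []
    for (profile, value), data in policy.items():
        if value == "DisableNotifications" and data == 1:
            flags.append(f"{profile}: firewall block notifications suppressed")
        if value == "DoNotAllowExceptions" and data == 0:
            # 0 is the default; the sample re-asserts it so its exception is honoured.
            flags.append(f"{profile}: exceptions permitted (shields-up mode off)")
    return flags


def triage_all(exceptions=REPORT_EXCEPTIONS, policy=REPORT_POLICY) -> dict:
    parsed = [parse_exception(cs, raw) for cs, raw in exceptions.items()]
    report = {exc.control_set: triage_exception(exc) for exc in parsed}
    # One binary whitelisted in every control set present on the machine.
    report["paths"] = sorted({exc.path for exc in parsed})
    report["policy"] = triage_policy(policy)
    return report


if __name__ == "__main__":
    for key, value in triage_all().items():
        print(key, value)
```

On a live host the same check reads the List values with `Get-ItemProperty` under HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\*\AuthorizedApplications\List and feeds each string to `parse_exception`.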

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wingate.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Netscape.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exit.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regmon.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscan.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navengnavex15.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
N/A N/A C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
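
The four tables above ("Event Triggered Execution: Image File Execution Options Injection", "Drops startup file", "Adds Run key to start application" and "Indicator Removal: Clear Persistence") describe one persistence picture: the sample registers itself as the IFEO Debugger for dozens of security-tool image names (so launching any of them launches the sample instead), adds itself under both the user and the WOW6432Node machine Run keys with random 48-hex value names, drops a copy into the Startup folder, and deletes pre-existing IFEO keys for Office, Adobe and Windows binaries. The block below is an added example, not part of the report: it parses the report's own row format ("operation, registry path or file, optional = "value", process, N/A") for a representative subset of rows copied from the tables and extracts those mechanisms into a structured triage result. The row grammar is inferred from the rows shown here and is an assumption about the report generator.

```python
"""Triage persistence rows copied from the sandbox signature tables above.

Added example, not part of the report. Parses the report's flattened row format
and pulls out IFEO Debugger hijacks, IFEO keys created/deleted, Run keys and
Startup-folder drops.
"""
import re

# Rows copied verbatim from the report tables (representative subset).
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "\"C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\6831144AF18B6310\\4B3A13.exe" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
""".strip().splitlines()

# Row grammar (assumed from the rows above): <op> <target>[ = "<value>"] <process> N/A
ROW = re.compile(
    r"^(?P<op>Set value \((?:str|int)\)|Key (?:created|deleted|opened)|Key value queried"
    r"|File (?:created|opened for modification))"
    r" (?P<target>.+?)(?: = \"(?P<value>.*)\")? (?P<process>\S+) N/A$"
)
IFEO = re.compile(r"\\image file execution options\\(?P<image>[^\\]+)(?:\\(?P<valname>[^\\]+))?$", re.I)
RUN = re.compile(r"\\currentversion\\run\\(?P<name>[^\\]+)$", re.I)
STARTUP = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RANDOM_NAME = re.compile(r"[0-9A-F]{32,}", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)


def parse_row(line: str):
    m = ROW.match(line)
    if not m:
        return None
    value = m["value"]
    if value is not None:
        # The report escapes backslashes and quotes inside values; undo that,
        # then drop the quotes the sample itself put around the Debugger path.
        value = re.sub(r"\\(.)", r"\1", value).strip('"')
    return {"op": m["op"], "target": m["target"], "value": value, "process": m["process"]}


def triage(rows) -> dict:
    out = {"ifeo_debugger": {}, "ifeo_keys_created": [], "ifeo_keys_deleted": [],
           "run_keys": [], "startup_files": [], "flags": []}
    for line in rows:
        row = parse_row(line)
        if row is None:
            continue
        m = IFEO.search(row["target"])
        if m:
            if row["op"].startswith("Set value") and (m["valname"] or "").lower() == "debugger":
                out["ifeo_debugger"][m["image"]] = row["value"]
                out["flags"].append(f"IFEO Debugger hijack: {m['image']} -> {row['value']}")
            elif row["op"] == "Key created":
                out["ifeo_keys_created"].append(m["image"])
            elif row["op"] == "Key deleted":
                out["ifeo_keys_deleted"].append(m["image"])
            continue
        m = RUN.search(row["target"])
        if m and row["op"].startswith("Set value"):
            hive = "HKLM" if row["target"].upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
            out["run_keys"].append({"hive": hive, "name": m["name"], "command": row["value"]})
            why = []
            if RANDOM_NAME.fullmatch(m["name"]):
                why.append("random hex value name")
            if USER_PROFILE.match(row["value"] or ""):
                why.append("command under a user profile")
            if why:
                out["flags"].append(f"Run key {hive}\\...\\{m['name']}: " + ", ".join(why))
            continue
        if row["op"] == "File created" and STARTUP.search(row["target"]):
            out["startup_files"].append(row["target"])
            out["flags"].append(f"Startup folder drop: {row['target']}")
    return out


if __name__ == "__main__":
    for flag in triage(REPORT_ROWS)["flags"]:
        print(flag)
```

The IFEO Debugger values are the ones to treat as a remediation list: each named image must be checked and the Debugger value removed, because the hijack survives deletion of the sample only as a broken launcher for that tool. The "Key deleted" rows under the MSOASB.EXE through MSCORSVW.EXE names above are removals of keys that existed before detonation, which is why the sandbox files them as indicator removal rather than injection.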

UPX packed file

upx
Description Indicator Process Target
(seven matches recorded, none with an indicator, process or target)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Sound C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Sound\Beep = "no" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://876dnbrf6kdfc41.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://5622z09ht5d89ma.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://e55vcj7gbx2398w.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://67f2w93kjnr82r1.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://1q7cvfj8p563jr2.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://70f2297i88jotlg.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Download C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://ff1nxj18685p4i5.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://p8hu1aeg579ef8o.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://3l552wg9789d7oh.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://0ti7s046stff0uz.directorio-w.com" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe
PID 4344 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe
PID 3684 wrote to memory of 4464 N/A C:\Users\Admin\6831144AF18B6310\4B3A13.exe C:\Users\Admin\6831144AF18B6310\4B3A13.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\6831144AF18B6310\4B3A13.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe

"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"

C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe

"C:\Users\Admin\AppData\Local\Temp\485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776N.exe"

C:\Users\Admin\6831144AF18B6310\4B3A13.exe

"C:\Users\Admin\6831144AF18B6310\4B3A13.exe" 78BC2B5D

C:\Users\Admin\6831144AF18B6310\4B3A13.exe

"C:\Users\Admin\6831144AF18B6310\4B3A13.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

Network

Country Destination Domain Proto

Files

memory/4344-2-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4344-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4344-6-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\6831144AF18B6310\4B3A13.exe

MD5 12fe11a1768d83798579faf59609bdd0
SHA1 e4f225c82d5ac1bf26a1092759326a3fc4155a59
SHA256 485bbe648fed9bf9f1f0d6bed9c89c4e36436a9f3f79aea5b784ed8bf8543776
SHA512 b0f88c5ba619e1f107e94ab1b900c5725a82fc53e08de97dcf989ce65a22ee6ff6d5b228b28d50d8c0fc605a5f465831d7f9129362b6894384cb50d95c36283b

memory/4344-18-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4464-1893-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4464-1895-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4464-1897-0x0000000000400000-0x0000000000446000-memory.dmp