Malware Analysis Report

2025-08-11 04:38

Sample ID 250119-pjr9saxjfw
Target fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
SHA256 fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01f
Tags
defense_evasion discovery evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01f

Threat Level: Known bad

The file fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence spyware stealer trojan upx

Modifies visibility of hidden/system files in Explorer

UAC bypass

Modifies firewall policy service

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies security service

Disables taskbar notifications via registry modification

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Drops startup file

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Indicator Removal: Clear Persistence

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Modifies Control Panel

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:21

Reported

2025-01-19 12:24

Platform

win7-20241010-en

Max time kernel

120s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-28956246" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-57951861" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\1009F805341EAB54\3302FF.exe = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe:*:Enabled:@xpsp2res.dll,-70554750" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservices.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpfw30s.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmon.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin97.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscanpdsetup.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdetect.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2002s902.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak5.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiav.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe\Debugger = "\"C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
N/A N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\1009F805341EAB54\\3302FF.exe" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Sound C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Sound\Beep = "no" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://gp872g06umk985e.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://91tz151dq78sj3s.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://i6tsed474ky91r3.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://vo2pd44fq4942rj.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://3tv242g5562hd86.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://xm02k5751u44yva.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://l9t65d8697qqs44.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://psf582uor3khbn3.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://0j00p0ji8s1f754.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://t78gah5076mh08c.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
N/A N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 1740 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 2364 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2364 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2364 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2364 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2128 wrote to memory of 2932 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Users\Admin\1009F805341EAB54\3302FF.exe
PID 2932 wrote to memory of 1212 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Windows\Explorer.EXE
PID 2932 wrote to memory of 1212 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Windows\Explorer.EXE
PID 2932 wrote to memory of 1212 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Windows\Explorer.EXE
PID 2932 wrote to memory of 1212 N/A C:\Users\Admin\1009F805341EAB54\3302FF.exe C:\Windows\Explorer.EXE
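Read together with the Files section, the WriteProcessMemory rows above describe one injection chain rather than a set of unrelated writes: the submitted sample (PID 1740) writes into a second copy of itself (PID 2364, whose 0x00400000-0x00446000 dumps appear under Files), that copy writes into 3302FF.exe (PID 2128, which Files shows has the same SHA256 as the submitted sample), 3302FF.exe writes into a fresh copy of itself (PID 2932, again with 0x00400000-0x00446000 dumps), and that copy finally writes into Explorer.EXE (PID 1212). The Python below is an added example, not part of the sandbox output, that rebuilds this chain from the rows as printed: it de-duplicates the repeated rows (the sandbox emits one row per WriteProcessMemory call), finds the root PID, follows writer-to-target edges and labels each hop. The rows are copied from the table; the hop labels are this example's own wording.

```python
import re
from collections import OrderedDict

# Constructed sample: rows copied from the "Suspicious use of WriteProcessMemory"
# table above. Repeats are kept on purpose; the sandbox prints one row per call.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"
DROPPED = r"C:\Users\Admin\1009F805341EAB54\3302FF.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

SAMPLE_ROWS = [
    f"PID 1740 wrote to memory of 2364 N/A {SAMPLE} {SAMPLE}",
    f"PID 1740 wrote to memory of 2364 N/A {SAMPLE} {SAMPLE}",
    f"PID 2364 wrote to memory of 2128 N/A {SAMPLE} {DROPPED}",
    f"PID 2128 wrote to memory of 2932 N/A {DROPPED} {DROPPED}",
    f"PID 2128 wrote to memory of 2932 N/A {DROPPED} {DROPPED}",
    f"PID 2932 wrote to memory of 1212 N/A {DROPPED} {EXPLORER}",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(rows):
    """Map (writer_pid, target_pid, writer_image, target_image) -> row count, first-seen order."""
    edges = OrderedDict()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # header, blank line or some other table row
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst), src_img, dst_img)
        edges[key] = edges.get(key, 0) + 1
    return edges


def roots(edges):
    """PIDs that write into others but are never written into: where the chain starts."""
    writers = {e[0] for e in edges}
    targets = {e[1] for e in edges}
    return sorted(writers - targets)


def injection_chain(edges, root_pid):
    """Follow writer -> target edges from root_pid and return the ordered PID list.
    This report is a straight line, so the first unvisited child is taken at each hop."""
    children = {}
    for src, dst, _, _ in edges:
        children.setdefault(src, []).append(dst)
    chain, seen, pid = [root_pid], {root_pid}, root_pid
    while pid in children:
        unvisited = [c for c in children[pid] if c not in seen]
        if not unvisited:
            break
        pid = unvisited[0]
        chain.append(pid)
        seen.add(pid)
    return chain


def classify(edge):
    """Label one hop. The wording is this example's own, not a sandbox signature."""
    _, _, src_img, dst_img = edge
    if src_img.lower() == dst_img.lower():
        return ("self-injection: a fresh copy of the writer's own image is the target "
                "(hollowing pattern; compare the 0x400000-0x446000 dumps for the target PID)")
    if dst_img.lower().endswith(r"\explorer.exe"):
        return "injection into explorer.exe: payload now runs inside the user's shell process"
    return "cross-process write into a different image"


def report(rows):
    """(writer_pid, target_pid, row_count, label) for each distinct hop."""
    return [(e[0], e[1], n, classify(e)) for e, n in parse_edges(rows).items()]


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    print("chain:", " -> ".join(map(str, injection_chain(edges, roots(edges)[0]))))
    for src, dst, n, label in report(SAMPLE_ROWS):
        print(f"{src} -> {dst} ({n} writes): {label}")
```

Feeding the full table in instead of the six constructed rows gives the same chain with higher write counts per hop; the two self-injection hops are the ones worth carving memory for, since the on-disk file is packed and the 0x00400000-0x00446000 region of the target PID holds the unpacked image.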

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe

"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"

C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe

"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"

C:\Users\Admin\1009F805341EAB54\3302FF.exe

"C:\Users\Admin\1009F805341EAB54\3302FF.exe" 47779ED3

C:\Users\Admin\1009F805341EAB54\3302FF.exe

"C:\Users\Admin\1009F805341EAB54\3302FF.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x5a4

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 cloud.ns1.dnsdynnet.com udp 2
US 8.8.8.8:53 whos.amung.us udp 1
US 104.22.75.171:80 whos.amung.us tcp 1
US 8.8.8.8:53 widgets.amung.us udp 1
US 104.22.75.171:80 widgets.amung.us tcp 1
US 8.8.8.8:53 www.buscaid.com udp 1
US 45.33.23.183:80 www.buscaid.com tcp 249
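Two things in this detonation make a naive indicator list misleading. The Network table is a flat per-connection dump in which the same www.buscaid.com row repeats a few hundred times, and the Internet Explorer settings written earlier point at ten different hosts under directorio-w.com whose leftmost labels (gp872g06umk985e, 0j00p0ji8s1f754, t78gah5076mh08c and so on) look machine-generated, so blocking the exact hostnames would miss the next build. The Python below is an added example, not sandbox output, that collapses the network rows to unique destination/domain/protocol tuples with a count, pulls the URLs out of the "Set value" rows, and groups everything by registrable domain while flagging domains whose host labels look generated. The registrable-domain logic keeps the last two labels, an assumption that holds for the .com names on this page but not for suffixes like co.uk; the generated-label test is this example's own heuristic. Only a handful of rows are reproduced inline.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a slice of the Network rows and four Internet Explorer
# "Set value" rows copied from the report above. The real table repeats the
# www.buscaid.com row a few hundred times; three copies are enough here.
NETWORK_ROWS = """
US 8.8.8.8:53 cloud.ns1.dnsdynnet.com udp
US 8.8.8.8:53 whos.amung.us udp
US 104.22.75.171:80 whos.amung.us tcp
US 8.8.8.8:53 www.buscaid.com udp
US 45.33.23.183:80 www.buscaid.com tcp
US 45.33.23.183:80 www.buscaid.com tcp
US 45.33.23.183:80 www.buscaid.com tcp
US 8.8.8.8:53 cloud.ns1.dnsdynnet.com udp
""".strip().splitlines()

REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://gp872g06umk985e.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://0j00p0ji8s1f754.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://t78gah5076mh08c.directorio-w.com" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\1009F805341EAB54\3302FF.exe N/A',
]

NET_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")
URL_RE = re.compile(r'= "(https?://[^"]+)"')


def collapse_network(rows):
    """Counter of (dest_ip, dest_port, domain, proto): identical rows become one entry with a count."""
    counts = Counter()
    for row in rows:
        m = NET_RE.match(row.strip())
        if m:
            _, ip, port, domain, proto = m.groups()
            counts[(ip, int(port), domain, proto)] += 1
    return counts


def urls_from_registry(rows):
    """URL values written by 'Set value' rows; non-URL values such as "no" are skipped."""
    return [m.group(1) for row in rows if (m := URL_RE.search(row))]


def registrable_domain(host):
    """Assumption: last two labels. Right for the .com names here, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def looks_generated(label):
    """Heuristic (this example's own): a long label mixing several digits with letters."""
    return (len(label) >= 12 and sum(ch.isdigit() for ch in label) >= 3
            and any(ch.isalpha() for ch in label))


def ioc_summary(network_rows, registry_rows):
    """Group observed hosts by registrable domain. Resolver traffic (port 53) contributes
    the queried name but not the resolver's address, which is not an indicator."""
    out = {}

    def bucket(domain):
        return out.setdefault(domain, {"hosts": set(), "ips": set(), "generated_labels": False})

    for (ip, port, host, _proto), _n in collapse_network(network_rows).items():
        b = bucket(registrable_domain(host))
        b["hosts"].add(host)
        if port != 53:
            b["ips"].add(ip)
    for url in urls_from_registry(registry_rows):
        host = urlparse(url).hostname
        b = bucket(registrable_domain(host))
        b["hosts"].add(host)
        if looks_generated(host.split(".")[0]):
            b["generated_labels"] = True
    return {d: {"hosts": sorted(b["hosts"]), "ips": sorted(b["ips"]),
                "generated_labels": b["generated_labels"]} for d, b in out.items()}


if __name__ == "__main__":
    for key, n in collapse_network(NETWORK_ROWS).most_common():
        print(n, *key)
    for domain, info in ioc_summary(NETWORK_ROWS, REGISTRY_ROWS).items():
        print(domain, info)
```

The summary is what goes into a blocklist: directorio-w.com as a whole (generated labels, no resolved address in the capture because the sandbox never opened those pages), buscaid.com with 45.33.23.183, and amung.us with 104.22.75.171. The DNS rows to 8.8.8.8 are the sandbox's resolver and are deliberately not reported as addresses.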

Files

memory/2364-12-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2364-10-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2364-6-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2364-15-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2364-13-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2364-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2364-2-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2364-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\1009F805341EAB54\3302FF.exe

MD5 a3ad2b121987342a92275b4ed4fccf10
SHA1 965219ef6bac815e09842f960aeb2650dbe3e201
SHA256 fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01f
SHA512 2ebf1f1840d92860e97332309c4c14ec1bed97e67c0a8671aecf85fe9f818d23bb7070a9d79a0497b8f6e4e5c3eba9e8142c639c354480e7859e6b072928beb3

memory/2364-29-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-53-0x0000000003DE0000-0x0000000004E42000-memory.dmp

memory/2932-659-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-1913-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-1935-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-1940-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-1961-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-1989-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-2017-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-2031-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-2065-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2932-2084-0x0000000000400000-0x0000000000446000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 12:21

Reported

2025-01-19 12:24

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-28956246" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-57951861" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\C49207AD5A23EC96\E79900.exe = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe:*:Enabled:@xpsp2res.dll,-70554750" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellspyinstall.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antigen.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navex15.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winhlpp32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdll.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccshtdwn.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icssuppnt.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xscan.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe\Debugger = "\"C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
N/A N/A C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254003743208BA6735D23877EED = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\C49207AD5A23EC96\\E79900.exe" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Sound C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Sound\Beep = "no" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Download C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://j2u62y9ze54xp71.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://z1ze3hry4wojqc9.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://s4dm8zrx034277h.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://x2fl1di5z4ajzy3.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://ns65ov7a287547j.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://347dlydy96i281r.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://0w6w120508y6cq7.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://lj65183ctm0xxyh.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://10a9ou2617g1lwk.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://wk8190lk1s52scc.directorio-w.com" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe
PID 3512 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe
PID 4848 wrote to memory of 5008 N/A C:\Users\Admin\C49207AD5A23EC96\E79900.exe C:\Users\Admin\C49207AD5A23EC96\E79900.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\C49207AD5A23EC96\E79900.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe

"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"

C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe

"C:\Users\Admin\AppData\Local\Temp\fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01fN.exe"

C:\Users\Admin\C49207AD5A23EC96\E79900.exe

"C:\Users\Admin\C49207AD5A23EC96\E79900.exe" 71E6EEDD

C:\Users\Admin\C49207AD5A23EC96\E79900.exe

"C:\Users\Admin\C49207AD5A23EC96\E79900.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 cloud.ns1.dnsdynnet.com udp
US 8.8.8.8:53 whos.amung.us udp
US 104.22.75.171:80 whos.amung.us tcp
US 8.8.8.8:53 widgets.amung.us udp
US 172.67.8.141:80 widgets.amung.us tcp
US 8.8.8.8:53 171.75.22.104.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 141.8.67.172.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 www.buscaid.com udp
US 72.14.185.43:80 www.buscaid.com tcp
US 8.8.8.8:53 43.185.14.72.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3512-2-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3512-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3512-6-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\C49207AD5A23EC96\E79900.exe

MD5 a3ad2b121987342a92275b4ed4fccf10
SHA1 965219ef6bac815e09842f960aeb2650dbe3e201
SHA256 fa3508747cd2489a40efa27485f1e85d728c8d01e8d2e3349e325adb1cefa01f
SHA512 2ebf1f1840d92860e97332309c4c14ec1bed97e67c0a8671aecf85fe9f818d23bb7070a9d79a0497b8f6e4e5c3eba9e8142c639c354480e7859e6b072928beb3

memory/3512-19-0x0000000000400000-0x0000000000446000-memory.dmp

memory/5008-1891-0x0000000000400000-0x0000000000446000-memory.dmp

memory/5008-1893-0x0000000000400000-0x0000000000446000-memory.dmp

memory/5008-1894-0x0000000000400000-0x0000000000446000-memory.dmp