Malware Analysis Report

2025-06-15 21:58

Sample ID 221116-wr35kscc65
Target cd48383befb4dce49fb855d64f500ca1.exe
SHA256 040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
Tags
systembc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e

Threat Level: Known bad

The file cd48383befb4dce49fb855d64f500ca1.exe was found to be: Known bad.

Malicious Activity Summary

systembc trojan

SystemBC

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Downloads MZ/PE file

Deletes itself

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-16 18:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 18:10

Reported

2022-11-16 18:12

Platform

win7-20220812-en

Max time kernel

140s

Max time network

91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 536 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1524 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
PID 1660 wrote to memory of 364 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 332 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 364 wrote to memory of 548 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe

"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"

Reading this line: the dropper registers a task named COMSurrogate (echoing the "COM Surrogate" name Windows shows for dllhost.exe, so it blends into the task list), /f overwrites any existing task of that name without prompting, /sc onlogon fires it at every interactive logon, and /rl highest runs it at the highest integrity level the logged-on user can obtain, which for a member of Administrators means an elevated process with no UAC prompt. The /tr target is a user-writable path with a gibberish directory and file name, so the task name and the trigger, not the binary name, are the hunting handle.

C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe

"C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"

Self-deletion chain: chcp 65001 switches the console to UTF-8 so the path round-trips intact, ping 127.0.0.1 is used as a sleep (four echo requests, roughly three seconds) long enough for the dropper to exit and release its image, and DEL /F /S /Q /A then removes the file regardless of attributes and without prompting. The dropper (PID 1660) is the process that spawns this cmd.exe, as the WriteProcessMemory rows show, and the same chain appears in both detonations.

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 w8khzw03nc.xzxueyg2t udp

Files

memory/1660-54-0x0000000002010000-0x00000000024F7000-memory.dmp

memory/1660-55-0x0000000002010000-0x00000000024F7000-memory.dmp

memory/1660-56-0x00000000003E0000-0x00000000004D6000-memory.dmp

memory/1660-57-0x00000000003E0000-0x00000000004D6000-memory.dmp

memory/1660-58-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

memory/1660-59-0x0000000002010000-0x00000000024F7000-memory.dmp

memory/1660-60-0x00000000003E0000-0x00000000004D6000-memory.dmp

memory/536-61-0x0000000000000000-mapping.dmp

Three hash sets follow for the same dropped file path (and a fourth, different one, 87f8d18b597845376f06754a6cebf08b, in behavioral2). Either the sandbox read the file mid-write or the dropper emits a per-run variant; in both cases a file hash of the second stage is a weak indicator for this sample, so prefer the path, the COMSurrogate task and the behaviour above when writing detections, and hash a recovered copy only after the writer has closed it.

\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe

MD5 881fe614a1d4306c82791cd4fda48a2d
SHA1 5e62e63710d38046d36ff3ae6b77f8f3ab8752fd
SHA256 271d164c315ef9ec879c1d2eee908ce4b2097c054f3833c1b9e9e28d9190c0ca
SHA512 bf56eefe837b7494705542b08c46dc4e3c752fac68684a00976d096f0d8edbdb87147bfd81e9a94fa0644a041c35a31b02cbc465aba454c79c866e4cd6e6e239

memory/1524-64-0x0000000000000000-mapping.dmp

\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe

MD5 eee17aab91c14e549cb82ef52cd7526d
SHA1 c6680ca62a5c1c9661703513f0eceed6f9af0be5
SHA256 23929e82afa41d2827a3a26f43dc9c2d28fb3b1d2531423a3e737ac511990af6
SHA512 cf13bf0eb85ba0eb7564fb5d898c092f05ddc7780ea6f4af532fa3ebdd97afc8938a3fe48b57f5030ad5c796de24b8fdda333ff361ab6748fb4e1e811d7f54ae

C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe

MD5 00d4784a97e31747292709dbacbbc45f
SHA1 451cfa56a5fc08617a5605cc2d42fdea3af190f1
SHA256 b5d29edcf7198ad654e07e426a050afa8ae0b1b09b7fc2cf1a18535ac1696afa
SHA512 76c21f729c0e0c407f8231e9d0a4e57acfd63dc70c573f4c8d4b3cd97340a7589fae2b30bae3f4156db93f004ff81eb3ce0720000d168e70ca4abc4b03668c54

memory/364-66-0x0000000000000000-mapping.dmp

memory/1524-67-0x00000000024E0000-0x00000000029C7000-memory.dmp

memory/1660-68-0x00000000003E0000-0x00000000004D6000-memory.dmp

memory/332-69-0x0000000000000000-mapping.dmp

memory/548-70-0x0000000000000000-mapping.dmp

memory/1524-71-0x00000000024E0000-0x00000000029C7000-memory.dmp

memory/1524-72-0x0000000000500000-0x00000000005F6000-memory.dmp

memory/1524-74-0x0000000000500000-0x00000000005F6000-memory.dmp

memory/1524-75-0x00000000024E0000-0x00000000029C7000-memory.dmp

memory/1524-76-0x0000000000500000-0x00000000005F6000-memory.dmp

memory/1524-77-0x0000000000F00000-0x0000000000F4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-16 18:10

Reported

2022-11-16 18:12

Platform

win10v2004-20221111-en

Max time kernel

150s

Max time network

152s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4236 created 2548 N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe C:\Windows\system32\taskhostw.exe

How to read this row: the dropped executable (PID 4236) created a process while naming taskhostw.exe (PID 2548) as its parent; 2548 has no memory mapping in the Files section, which is consistent with it being a process that already existed rather than one the sample started. That is parent-PID spoofing, and it explains why this detonation's Command Line and process list start at taskhostw.exe rather than at the sample: the tree follows the claimed parent, not the real creator. Parent-child detections that trust the recorded parent will attribute the child to taskhostw.exe.

SystemBC

trojan systembc

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4236 set thread context of 4660 N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c0000000100000004000000001000000b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c
8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9 C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
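The Blob value above is the serialized property list CryptoAPI keeps for one certificate, and decoding it answers the question this signature leaves open: which certificate was added, and does it look like a CA the malware planted. The script below is an added example for this report, not sandbox or Windows code. It parses the record format (property id, reserved word, length, data) and walks just enough DER to report the embedded certificate's serial, issuer, subject and validity. BLOB_HEX is copied from the value above and deliberately cut after the certificate's subject name, so the last record is shorter than its declared length and the parser marks it truncated; the property-id names are taken from wincrypt.h.

```python
"""Decode a Windows certificate-store "Blob" registry value (the value written
under SystemCertificates/<store>/Certificates/<SHA1>/Blob).  Added example
for this report, not sandbox or Windows code.  The format is CryptoAPI's
serialized property list: records of {propid u32, reserved u32 = 1, length u32,
data}, where propid 32 carries the DER certificate.  BLOB_HEX is the start of
the behavioral2 blob, copied from the report and cut after the certificate's
subject name, so the last record is deliberately shorter than it declares."""
import struct
from typing import Dict, List, Optional, Tuple

PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 9: "CERT_ENHKEY_USAGE_PROP_ID",
              11: "CERT_FRIENDLY_NAME_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
              29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 32: "CERT_CERT_PROP_ID",
              92: "CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID",
              98: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID"}  # values per wincrypt.h

BLOB_HEX = (
    "5c000000010000000400000000100000"                      # propid 92: 0x1000 = 4096-bit key
    "0b0000000100000052000000"                              # propid 11: UTF-16LE friendly name
    "530053004c002e0063006f006d00200052006f006f0074002000"
    "430065007200740069006600690063006100740069006f006e002000"
    "41007500740068006f00720069007400790020005200530041000000"
    "09000000010000004c000000"                              # propid 9: DER SEQUENCE of EKU OIDs
    "304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c"
    "060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b06010505070308"
    "620000000100000020000000"                              # propid 98: AuthRoot SHA-256 hash
    "85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69"
    "140000000100000014000000dd040907a2f57a7d5253129295ee3880250da659"  # propid 20
    "1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a"          # propid 29
    "030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb"  # propid 3: SHA-1
    "2000000001000000e1050000"                              # propid 32: DER cert, 1505 bytes declared
    "308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500"
    "307c310b3009060355040613025553310e300c06035504080c0554657861733110300e0603"
    "5504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e"
    "3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e"
    "20417574686f7269747920525341"
    "301e170d3136303231323137333933395a170d3431303231323137333933395a"
    "307c310b3009060355040613025553310e300c06035504080c0554657861733110300e0603"
    "5504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e"
    "3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e"
    "20417574686f7269747920525341")


def parse_blob(blob: bytes) -> List[Tuple[int, bytes, bool]]:
    """Return [(propid, data, truncated)] for each property record in the blob."""
    out, off = [], 0
    while off + 12 <= len(blob):
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        data = blob[off + 12:off + 12 + length]
        out.append((propid, data, len(data) < length))
        off += 12 + length
    return out


def der_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Minimal DER reader: (tag, value, offset after the element); tolerates a short final value."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    kids, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        kids.append((tag, val))
    return kids


OID_CN = bytes.fromhex("550403")           # id-at-commonName


def name_cn(name_seq: bytes) -> Optional[str]:
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn_set in der_children(name_seq):
        for _, attr in der_children(rdn_set):
            oid, val = der_children(attr)
            if oid[1] == OID_CN:
                return val[1].decode("utf-8")
    return None


def cert_summary(der: bytes) -> Dict[str, str]:
    """Serial, issuer/subject CN and validity from a DER certificate (works on a prefix that ends after subject)."""
    _, cert, _ = der_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert, 0)
    f = der_children(tbs)                  # [0] version, serial, signature alg, issuer, validity, subject, ...
    not_before, not_after = (v.decode() for _, v in der_children(f[4][1]))
    return {"serial": f[1][1].hex(), "issuer_cn": name_cn(f[3][1]) or "",
            "subject_cn": name_cn(f[5][1]) or "", "not_before": not_before, "not_after": not_after}


def decode_cert_store_blob(hex_blob: str) -> Dict[str, object]:
    result: Dict[str, object] = {}
    for propid, data, truncated in parse_blob(bytes.fromhex(hex_blob)):
        name = PROP_NAMES.get(propid, f"PROP_{propid}")
        if propid == 11:
            result[name] = data.decode("utf-16-le").rstrip("\0")
        elif propid == 32:
            result[name] = cert_summary(data)
            result["cert_truncated"] = truncated
        elif propid == 92:
            result[name] = int.from_bytes(data, "little")
        else:
            result[name] = data.hex()
    return result


if __name__ == "__main__":
    for key, value in decode_cert_store_blob(BLOB_HEX).items():
        print(f"{key}: {value}")
```

Decoded, the blob is the public "SSL.com Root Certification Authority RSA" (serial 7b2c9bd316803299, valid 2016-02-12 to 2041-02-12, 4096-bit key, SHA-1 thumbprint equal to the registry key name), written to the AuthRoot store together with a CERT_AUTH_ROOT_SHA256_HASH_PROP_ID property. AuthRoot is the store that Windows' own root auto-update populates when a chain being built needs a root not yet present locally, and crypt32 does that download and registry write inside whichever process built the chain, which is why the signature attributes it to the dropped executable. The most likely reading is therefore Windows fetching a root after the sample's TLS connection, not the sample installing a CA to intercept traffic; that is an interpretation of the decoded data, to be confirmed against the full blob and the pcap. The check worth keeping from this: a Blob whose subject is not a known public root, or one that lands in ROOT rather than AuthRoot, is the case to escalate.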

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A
N/A N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 1168 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe C:\Windows\SysWOW64\schtasks.exe
PID 4900 wrote to memory of 4236 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
PID 4900 wrote to memory of 4208 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 5048 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4208 wrote to memory of 2636 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4236 wrote to memory of 4660 (5 events) N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
PID 4236 wrote to memory of 2156 (3 events) N/A C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

Every child in this run receives three writes from its creator, the baseline that ordinary process creation produces in these reports; the ngentask.exe child receives five. The two extra writes from the dropped executable, the SetThreadContext row above for the same pair, and the 0x400000-0x407000 region dumped from PID 4660 are what process hollowing of a legitimate .NET framework binary looks like in this data.

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe

"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"

C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe

"C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
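The two process lists above, taken together, describe four behaviours a practitioner would want to catch from process-creation telemetry alone: the logon task registered by schtasks.exe, the cmd.exe chain that deletes the dropper, a user-profile executable starting an argument-less ngentask.exe, and an svchost.exe that lives in Temp. The rules below are an added example written for this report, not the sandbox's own signature logic. EVENTS is a constructed, Sysmon-Event-1-style rendering of the behavioral2 tree: image paths, command lines and PIDs come from the report, parent links follow the WriteProcessMemory rows, and the dropper's own parent is taskhostw.exe as the report renders it (an assumption, since that parent is the spoofed one). The rules key on the trigger, the target path and the parent relationship rather than on the task name, so they generalize past this sample's strings.

```python
"""Process-creation detection rules for the behaviour in this report.  Added
example, not the sandbox's own signatures.  EVENTS is a constructed
Sysmon-Event-1-style rendering of the behavioral2 process tree; the dropper's
parent is taskhostw.exe only because that is how the report renders the tree."""
import re
from typing import Any, Callable, Dict, List

WINDOWS_DIR = "c:\\windows\\"
USER_DIR = "c:\\users\\"
# Windows binary names that are only legitimate under C:\Windows (constructed list, extend as needed)
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "dllhost.exe", "taskhostw.exe"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
DROPPED = (r"C:\Users\Admin\goxijag kaqu rabojer"
           r"\fofew gequa botovib moca loja faromemo sow nexonide hete.exe")
NGENTASK = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
FAKE_SVCHOST = r"C:\Users\Admin\AppData\Local\Temp\svchost.exe"


def make_event(pid: int, ppid: int, image: str, parent_image: str, cmdline: str) -> Dict[str, Any]:
    return {"pid": pid, "ppid": ppid, "image": image, "parent_image": parent_image, "cmdline": cmdline}


EVENTS = [  # constructed from the behavioral2 Processes and WriteProcessMemory sections
    make_event(4900, 2548, DROPPER, r"C:\Windows\system32\taskhostw.exe", f'"{DROPPER}"'),
    make_event(1168, 4900, r"C:\Windows\SysWOW64\schtasks.exe", DROPPER,
               '"C:\\Windows\\system32\\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon '
               f'/rl highest /tr "{DROPPED}"'),
    make_event(4236, 4900, DROPPED, DROPPER, f'"{DROPPED}"'),
    make_event(4208, 4900, r"C:\Windows\SysWOW64\cmd.exe", DROPPER,
               f'"C:\\Windows\\System32\\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "{DROPPER}"'),
    make_event(5048, 4208, r"C:\Windows\SysWOW64\chcp.com", r"C:\Windows\SysWOW64\cmd.exe", "chcp 65001"),
    make_event(2636, 4208, r"C:\Windows\SysWOW64\PING.EXE", r"C:\Windows\SysWOW64\cmd.exe", "ping 127.0.0.1"),
    make_event(4660, 4236, NGENTASK, DROPPED, f'"{NGENTASK}"'),
    make_event(2156, 4236, FAKE_SVCHOST, DROPPED, f'"{FAKE_SVCHOST}"'),
]


def schtasks_persistence(ev: Dict[str, Any]) -> bool:
    """schtasks /create whose action lives under a user profile and runs at logon/boot or elevated."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    cl = ev["cmdline"]
    if not re.search(r"(?i)/create\b", cl):
        return False
    m = re.search(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))', cl)
    target = ((m.group(1) or m.group(2)) if m else "").lower()
    boot_or_logon = re.search(r"(?i)/sc\s+(onlogon|onstart)", cl) is not None
    elevated = re.search(r"(?i)/rl\s+highest", cl) is not None
    return target.startswith(USER_DIR) and (boot_or_logon or elevated)


def self_delete(ev: Dict[str, Any]) -> bool:
    """cmd.exe that sleeps (ping/timeout) and then deletes the very file that spawned it."""
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    cl = ev["cmdline"]
    m = re.search(r'(?i)\bdel\b[^"]*"([^"]+)"', cl)      # DEL [switches] "path"
    delays = re.search(r"(?i)\b(ping\s+127\.0\.0\.1|timeout)\b", cl) is not None
    return bool(m) and delays and m.group(1).lower() == ev["parent_image"].lower()


def hollowing_candidate(ev: Dict[str, Any]) -> bool:
    """A Windows-shipped binary started with no arguments by an executable under C:\\Users."""
    img, parent = ev["image"].lower(), ev["parent_image"].lower()
    bare = ev["cmdline"].strip().strip('"').lower() == img
    return img.startswith(WINDOWS_DIR) and parent.startswith(USER_DIR) and bare


def masquerade(ev: Dict[str, Any]) -> bool:
    """A system-binary file name running from outside C:\\Windows."""
    img = ev["image"].lower()
    return img.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not img.startswith(WINDOWS_DIR)


RULES: Dict[str, Callable[[Dict[str, Any]], bool]] = {
    "schtasks-persistence": schtasks_persistence, "self-delete": self_delete,
    "hollowing-candidate": hollowing_candidate, "masquerade": masquerade}


def evaluate(events: List[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Map each PID to the names of the rules it triggers."""
    return {ev["pid"]: [name for name, rule in RULES.items() if rule(ev)] for ev in events}


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, hits or "-")
```

Run against the constructed tree, the four rules fire once each (on PIDs 1168, 4208, 4660 and 2156) and stay quiet on the dropper, the dropped executable, chcp.com and PING.EXE. The parent-PID spoofing shown in the NtCreateUserProcessOtherParentProcess row is deliberately not a rule here: with the recorded parent being the spoofed one, a creation event alone does not expose it, and the rules above still work because they key on what the child is and how it was started rather than on who the tree says started it.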

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 w8khzw03nc.xzxueyg2t udp
N/A 52.168.117.169:443 tcp
N/A 104.80.225.205:443 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 13.107.4.50:80 tcp
N/A 8.8.8.8:53 w8khzw03nc.xzxueyg2t udp
N/A 8.8.8.8:53 www.imarket-eg.com udp
N/A 160.153.50.70:443 www.imarket-eg.com tcp

The report does not attribute connections to processes, so tying the Downloads MZ/PE file signature, or the svchost.exe and advapi32.dll that appear in Temp below, to www.imarket-eg.com is an inference to confirm against the pcap rather than something this page states. The query for w8khzw03nc.xzxueyg2t (both labels random, no valid top-level domain) recurs in both detonations and can only fail; check whether it is the sample's or the platform's before using it as an indicator. The port 80 and 443 destinations listed without a domain are unattributed here; one plausible explanation for part of that traffic is Windows' own root-certificate download triggered by the TLS connection (see the certificate-store entry above), but that is an assumption.

Files

memory/4900-132-0x00000000031EB000-0x00000000036D2000-memory.dmp

memory/4900-133-0x0000000003093000-0x0000000003189000-memory.dmp

memory/4900-134-0x00000000031EB000-0x00000000036D2000-memory.dmp

memory/4900-135-0x0000000003093000-0x0000000003189000-memory.dmp

memory/1168-136-0x0000000000000000-mapping.dmp

memory/4236-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe

MD5 87f8d18b597845376f06754a6cebf08b
SHA1 2585ce8d6f20de0da137f8cb87c47a547f6de4f3
SHA256 7d8b26b5e0b54b824fbaee47222ec1401b8de4a757e3b6533fd6ca33fd023b4f
SHA512 4089986fddcd7da6560a1028c3e77d16e26ec6191aae70467c0fafeffbc2d2999f3b48f0bdba0bfbe12f9730511efedcb33ff244c921a2cd7452eef162591292


memory/4208-140-0x0000000000000000-mapping.dmp

memory/4900-141-0x0000000003093000-0x0000000003189000-memory.dmp

memory/5048-142-0x0000000000000000-mapping.dmp

memory/2636-143-0x0000000000000000-mapping.dmp

memory/4236-144-0x0000000002B3B000-0x0000000003022000-memory.dmp

memory/4236-145-0x0000000002B3B000-0x0000000003022000-memory.dmp

memory/4236-146-0x000000000303A000-0x0000000003130000-memory.dmp

memory/4236-147-0x000000000303A000-0x0000000003130000-memory.dmp

memory/4236-148-0x0000000001150000-0x000000000119B000-memory.dmp

memory/4236-149-0x0000000001150000-0x000000000119B000-memory.dmp

memory/4660-150-0x0000000000000000-mapping.dmp

memory/4660-151-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4660-153-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4660-155-0x0000000000400000-0x0000000000407000-memory.dmp

Two files land in Temp from the second-stage executable: an advapi32.dll beside an svchost.exe. The pairing looks like DLL search-order hijacking, but advapi32.dll is on the KnownDLLs list, so a copy next to the executable is not used to satisfy a static import; it would have to be loaded by explicit path. The Loads dropped DLL signature above is attributed to the dropped second-stage executable, not to svchost.exe, so confirm how the DLL is loaded before describing this as sideloading. The svchost.exe name itself is the masquerade: the genuine binary lives in C:\Windows\System32, never in a user's Temp directory.

C:\Users\Admin\AppData\Local\Temp\advapi32.dll

MD5 4880886732471a6abbb919b2d9c94e03
SHA1 78d331eeff674b95bf5d9756a0da7c60b0dee7b4
SHA256 c1f5411008304f15bcc5fa281bd9ee8eae70948f2a58db190290adaf259dcee0
SHA512 b755b402d051d6ff777249ba5eb4754eeeb2a2c47baeb1d69dac3b7e67e88aa5ef83027a41fbfaf7e170cb2ec0f15065d8bb529f989fb15319d4c143b4900432

memory/2156-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 e716ffae131666d5e0e77e5d479b1e37
SHA1 42fea83d3a19beecb25d2c5bd46e547bb4a09319
SHA256 32684b073e05d41b49611a2d49f25d4d53ca8182d5de134bc7a4924158bc577b
SHA512 c559c52b40c5b593e0687d05c9ed54229b0eb62a517940caaecc6d09aa4d21bdc129552cfcd31509e4f5c35be069ee617457ce047460cc6a23270499ca14f75c

memory/2156-159-0x0000000002800000-0x0000000002DCB000-memory.dmp

memory/4236-160-0x000000000303A000-0x0000000003130000-memory.dmp