Malware Analysis Report

2025-08-10 18:07

Sample ID 240507-cpf3gsgg83
Target fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24
SHA256 fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24
Tags
bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24

Threat Level: Likely malicious

The file fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 02:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 02:14

Reported

2024-05-07 02:17

Platform

win7-20240215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ioesf\\grurvepgw.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\ioesf C:\Users\Admin\AppData\Local\Temp\mwyewp.exe N/A
File created \??\c:\Program Files\ioesf\grurvepgw.dll C:\Users\Admin\AppData\Local\Temp\mwyewp.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2928 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2928 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2928 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2928 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
PID 2928 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
PID 2928 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
PID 2928 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mwyewp.exe
PID 2668 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\mwyewp.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe

"C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mwyewp.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\mwyewp.exe

C:\Users\Admin\AppData\Local\Temp\\mwyewp.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\ioesf\grurvepgw.dll",Verify C:\Users\Admin\AppData\Local\Temp\mwyewp.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp

Files

memory/1728-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1728-2-0x0000000000400000-0x0000000000464000-memory.dmp

\Users\Admin\AppData\Local\Temp\mwyewp.exe

MD5 d4dd1092940b2b02d484d955d03b558a
SHA1 00255d067f0178568c1a147d8a0826d284b89607
SHA256 31b3962c17d09cf0627dd7de8c5a74a74d89d2c71f1a27d3c0654adec2f2daf3
SHA512 8615221f6cce856d8e18f483409782fbd82355c76316d9b3c1fce9463d15b5a876bcc0de507ad863799b8feb8409ac372510518d14f4e300d138382d87d2953c

memory/2668-9-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2928-8-0x0000000002340000-0x00000000023A4000-memory.dmp

memory/2928-7-0x0000000002340000-0x00000000023A4000-memory.dmp

memory/2668-11-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\ioesf\grurvepgw.dll

MD5 9a9926c58e8ac749d5d903847f58c9ae
SHA1 d0b90a665a92307461002f2b4f5c5d380fd4454a
SHA256 07b72f445a782503f45e95371413fe5240d2eea408d855816d3373d36f331675
SHA512 2e59e19441b6fc33128bb9a3c1380f624553cb85fef33309b813b92732565036d1403a1ad641ce6d2ba112b1d25a5fd4ede7a7e176e36430390a91d58cde0d67

memory/2948-19-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2948-18-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2948-16-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2948-20-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2948-22-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 02:14

Reported

2024-05-07 02:17

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxmuw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sxmuw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\zcwjw\\veole.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\zcwjw\veole.dll C:\Users\Admin\AppData\Local\Temp\sxmuw.exe N/A
File opened for modification \??\c:\Program Files\zcwjw C:\Users\Admin\AppData\Local\Temp\sxmuw.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4672 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4300 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4300 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4300 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxmuw.exe
PID 4300 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxmuw.exe
PID 4300 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sxmuw.exe
PID 3816 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\sxmuw.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3816 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\sxmuw.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3816 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\sxmuw.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe

"C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\sxmuw.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\sxmuw.exe

C:\Users\Admin\AppData\Local\Temp\\sxmuw.exe "C:\Users\Admin\AppData\Local\Temp\fda315d4bd3990a2d8fcfe68025b0b4089a55528abc4ea981e3e351a1b5ada24.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\zcwjw\veole.dll",Verify C:\Users\Admin\AppData\Local\Temp\sxmuw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp

Files

memory/4672-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/4672-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sxmuw.exe

MD5 bff5eef69343949add9a0c7802f27072
SHA1 cc6fd10ae052f388537c4ed2c696548b2d225ea5
SHA256 eeb49de0f4c86236eba496384e4ec8d19576900caf7addc30a303c42a37eaa2f
SHA512 297d82105db53c5f8ca791baed21859883e13a0eae088dc2b42457d9da8b981d3daa3d6f9e33d0a84eeba7dc2e4274e7eb731b551ef0b96c9de1bc2df2ead146

memory/3816-7-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\zcwjw\veole.dll

MD5 19e8567637f5433c5cd3f8352af59106
SHA1 304228910b17a6116d47864b53c4fff0d1498a14
SHA256 48d8cb786f468839e17ae2d6e0ef6cfa0b338ed74c486b7b130c197d46c5add1
SHA512 9d351b84927accd4f7e65cf0705596059315498221d34d479b5e6e69d62663de275b0385f1bbe314c02c6e1f09a94bb55075dffeee547309bdc20b626b35c48c

memory/1072-10-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1072-12-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1072-13-0x0000000010000000-0x0000000010080000-memory.dmp