Malware Analysis Report

2025-08-10 18:07

Sample ID 240507-dvqdsaag58
Target d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13
SHA256 d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13
Tags
bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13

Threat Level: Likely malicious

The file d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 03:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 03:20

Reported

2024-05-07 03:22

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ftnjx\\rjgypyuwv.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\ftnjx C:\Users\Admin\AppData\Local\Temp\zfmjf.exe N/A
File created \??\c:\Program Files\ftnjx\rjgypyuwv.dll C:\Users\Admin\AppData\Local\Temp\zfmjf.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2240 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2240 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2240 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2240 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zfmjf.exe
PID 2240 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zfmjf.exe
PID 2240 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zfmjf.exe
PID 2240 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zfmjf.exe
PID 2584 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\zfmjf.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe

"C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zfmjf.exe "C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\zfmjf.exe

C:\Users\Admin\AppData\Local\Temp\\zfmjf.exe "C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\ftnjx\rjgypyuwv.dll",Verify C:\Users\Admin\AppData\Local\Temp\zfmjf.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp

Files

memory/2216-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2216-2-0x0000000000400000-0x0000000000464000-memory.dmp

\Users\Admin\AppData\Local\Temp\zfmjf.exe

MD5 248d79d5a8a5e14162f0c234a6ee9052
SHA1 0a21c45323857d302b7ccf541a863bed39b0cb11
SHA256 58d1c79443158ce45569f9a8ed8b1af19d5c6350b637a68f56d677e60f997ec1
SHA512 df88cb3dc501aca1743cfe054a478984a251ae8c3af6d8ed328b509e63588c8044098e305b88c86fc2b552e550908a9d1a9902d5b09fca3f8af448265e819349

memory/2240-5-0x0000000000120000-0x0000000000184000-memory.dmp

memory/2584-9-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\ftnjx\rjgypyuwv.dll

MD5 3abf7dc8833cf450001398020923717b
SHA1 8a553cbcb78d865e590a789ae0ed30faf497c1b4
SHA256 e1ae34a408922f64621c689f825804c11469f0c9095fe28ddcba761f46f69657
SHA512 3141ecb01cc45cf133e72dff742faad47b384d24c8d5ca73ca3dadeb775bf3ac32aa7f76b6b2bba3a3684684874436e2cf9f94a8b0c05fb13a75e8fcd5dd9426

memory/2620-16-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2620-17-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2620-14-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2620-18-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2620-20-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 03:20

Reported

2024-05-07 03:22

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\xxckkkzsv\\ucrkwkp.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\xxckkkzsv C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe N/A
File created \??\c:\Program Files\xxckkkzsv\ucrkwkp.dll C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe C:\Windows\SysWOW64\cmd.exe
PID 4532 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4532 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4532 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4532 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe
PID 4532 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe
PID 4532 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe
PID 3100 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3100 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3100 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe

"C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ujbdqcpe.exe "C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe

C:\Users\Admin\AppData\Local\Temp\\ujbdqcpe.exe "C:\Users\Admin\AppData\Local\Temp\d155797e28881183eb868a20d162250f14567ca18e6cad0ad1be82c899692d13.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\xxckkkzsv\ucrkwkp.dll",Verify C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 110.34.196.36:803 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 110.34.196.34:3204 tcp

Files

memory/864-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/864-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ujbdqcpe.exe

MD5 37b64b76581dfa211cf4d297b7ad3a82
SHA1 b73a775455d8c0458e6d5ad95e0946a48258b10a
SHA256 be238e10cacb029604ee5f99353bb9c5055e536f34212059cf849ada99089eb4
SHA512 6520722f6ebe277f2abb6bc4613f8aa2a84fed5848ee4a5b05ff275ecc0a371dcf19d70516a4410cfc0ca8b2ba1c77e94a05974809782ff4adc0491f70296f10

memory/3100-7-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\xxckkkzsv\ucrkwkp.dll

MD5 7b2d95b3f8172cd89322ac790aa99a5a
SHA1 bdf3d03fca3ec32143ea60f95750f9cae6fd0098
SHA256 c4e02be238ece1de16b89f3eeb862d8f9cc29a237bd7443c43397ea63bf42286
SHA512 4b5976998232efb5d95de6f6b1abaaca8e6f4c67c3b4297e4f167b9e8c0eba2c5ed98b1496fe3fb7ea59ab22e3c8eb4d20daba3dc0e8559a7c021b98de2ff864

memory/1508-10-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1508-11-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1508-13-0x0000000010000000-0x0000000010080000-memory.dmp