Malware Analysis Report

2025-01-22 12:25

Sample ID 240516-b4r8maeh96
Target a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979
SHA256 a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979
Tags: aspackv2 bootkit persistence spyware stealer
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 9/10

SHA256: a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979

Threat Level: Likely malicious

The file a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979 was found to be: Likely malicious.

Editor's summary of the two behavioral runs (everything below is taken from the signature, process, network and file tables later in this report):

The sample is an unsigned, ASPack-packed 32-bit executable (every child it creates runs from SysWOW64). On launch it runs cmd.exe /c ping 127.0.0.1 -n 2 followed by a copy of itself dropped under a random five-letter name in %TEMP% (ymkhc.exe on Windows 7, jpfpb.exe on Windows 10). The ping is a short sleep; the copy receives the original sample's path as its only argument, and the sandbox flags "Deletes itself" on the copy, which fits the copy removing the original. The two copies are not byte-identical to the original or to each other (see the Files tables of each run), so the dropper hash is not a stable indicator.

The copy then starts rundll32.exe on a payload written to a random directory directly under the drive root with a random extension (c:\txfsq\ztdrcwxs.trz on Windows 7, c:\wvbph\okemk.kmo on Windows 10), calling its export SHA1. That payload is identical in both runs (SHA256 489855558b5a997477f7c95a05e7adcbf6001e06bd80e29b01fdabdb006cdbbb) and is where the behaviour lives: the rundll32 process sets HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr to the same rundll32 command line (user-level persistence, no elevation needed), enumerates drive letters a: through z:, opens \??\PHYSICALDRIVE0 for modification (the event behind the bootkit tag; the report records the open, not the bytes written), reads browser profile data, enables SeDebugPrivilege, enumerates processes, and connects over plain TCP to 107.163.241.193:16300, 107.163.241.194:6520 and 107.163.241.195:12354 with no DNS lookup for any of them.

The chain and the indicators are the same on both platforms; only the random file names, the user SID and the PIDs differ. Stable indicators for hunting are therefore the payload hash, the Run value name EvtMgr, a rundll32 command line of the form rundll32.exe "<drive>:\<random>\<random>.<random>",SHA1, and the three C2 endpoints.

Malicious Activity Summary

aspackv2 bootkit persistence spyware stealer

Detects executables containing base64 encoded User Agent

Blocklisted process makes network request

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

The captured page had no content under this heading. The mapping below against Enterprise Matrix V15 is the editor's, derived from the signatures in this report; it is not sandbox output.

T1027.002 Obfuscated Files or Information: Software Packing (ASPack v2.12-2.42)
T1218.011 System Binary Proxy Execution: Rundll32 (payload executed as rundll32.exe "<module>",SHA1)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (HKCU ...\Run\EvtMgr)
T1542.003 Pre-OS Boot: Bootkit (\??\PHYSICALDRIVE0 opened for modification)
T1070.004 Indicator Removal: File Deletion (Deletes itself)
T1120 Peripheral Device Discovery (Enumerates connected drives)
T1082 System Information Discovery (Checks processor information in registry)
T1057 Process Discovery (EnumeratesProcesses)
T1134 Access Token Manipulation (AdjustPrivilegeToken, SeDebugPrivilege)
T1555.003 Credentials from Password Stores: Credentials from Web Browsers (Reads user/profile data of web browsers)
T1056.001 Input Capture: Keylogging (possible, from SetWindowsHookEx; the report does not show what the hook does)
T1571 Non-Standard Port (TCP 16300, 6520 and 12354 to 107.163.241.193-195)

Analysis: static1

Detonation Overview

Reported: 2024-05-16 01:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 01:42
Reported: 2024-05-16 01:44
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A (7 hits; this static rule records no per-event indicator)

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ymkhc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ymkhc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\txfsq\\ztdrcwxs.trz\",SHA1" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Opening the raw disk for write requires administrative rights, so on a standard user account this step fails while the Run-key persistence above still succeeds. The signature records the open, not what was written, so confirming a bootkit means comparing sector 0 of the detonated disk with a known-good MBR rather than trusting the tag alone.
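The bootkit tag rests on the PHYSICALDRIVE0 open above. As an added example (editor's code, not part of the sandbox report or of the sample), the script below parses a 512-byte MBR, separates the 446-byte boot code from the partition table and the 0x55AA signature, and compares the boot code against a baseline hash. The two MBR images it uses are constructed inside the script; the "patched" one is a hypothetical boot-code replacement with the partition table left intact, not this sample's actual payload.

```python
r"""Parse a 512-byte MBR and compare its boot code with a known-good baseline.

Added example, not part of the sandbox report. The report records only that
rundll32.exe opened \\.\PHYSICALDRIVE0 for modification; this is the check
an analyst would then run against sector 0 of the detonated machine's disk
image. Both MBR images below are constructed for the example; the "patched"
one has replaced boot code and the same partition table.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: bootstrap code, disk signature, padding
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Return the non-empty partition entries of an MBR."""
    entries = []
    for index in range(4):
        off = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": index, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> Dict:
    """Verify the boot signature and compare the boot code with a baseline hash.

    A bootkit that hooks the boot path replaces the 446-byte code area but
    usually leaves the partition table intact so the system still boots, which
    is why the two regions are checked separately.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    digest = hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": digest,
        "boot_code_modified": digest != baseline_boot_code_sha256,
        "partitions": parse_partition_table(mbr),
    }


def build_mbr(boot_code: bytes, partitions: List[bytes]) -> bytes:
    """Assemble an MBR from boot code and up to four packed partition entries."""
    if len(boot_code) != BOOT_CODE_SIZE or len(partitions) > 4:
        raise ValueError("bad boot code length or too many partitions")
    table = b"".join(partitions).ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return boot_code + table + BOOT_SIGNATURE


# Constructed data: a stub boot code (cli / xor ax,ax / mov ss,ax, then NOP
# padding) and one bootable NTFS partition starting at LBA 2048.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435 + b"\x00" * 6
NTFS_PARTITION = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                             b"\xfe\xff\xff", 2048, 204800)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [NTFS_PARTITION])
# Same partition table, first 16 bytes of boot code replaced by a different stub
# (hypothetical; models a boot-path hook, not this sample's actual payload).
PATCHED_BOOT_CODE = b"\xeb\x0e\x90" + b"\x00" * 13 + CLEAN_BOOT_CODE[16:]
INFECTED_MBR = build_mbr(PATCHED_BOOT_CODE, [NTFS_PARTITION])


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("patched", INFECTED_MBR)):
        result = check_mbr(image, BASELINE_SHA256)
        print(name, "modified:", result["boot_code_modified"],
              "signature_ok:", result["signature_ok"],
              "partitions:", result["partitions"])
```

On the detonated machine the 512 bytes would come from open(r"\\.\PhysicalDrive0", "rb").read(512) run as administrator, or from sector 0 of the disk image, and the baseline hash from a clean build of the same OS image. Hashing the boot code separately from the partition table matters because a bootkit that keeps the partition table intact passes a naive "does it still boot" check.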

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (64 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe C:\Windows\SysWOW64\cmd.exe (4 events)
PID 3064 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (4 events)
PID 3064 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ymkhc.exe (4 events)
PID 2424 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\ymkhc.exe \??\c:\windows\SysWOW64\rundll32.exe (7 events)

Every pair here is a parent writing into a child it has just created (the same edges as the process tree below), so this signature reflects ordinary process start-up rather than injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe

"C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ymkhc.exe "C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ymkhc.exe

C:\Users\Admin\AppData\Local\Temp\\ymkhc.exe "C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\txfsq\ztdrcwxs.trz",SHA1 C:\Users\Admin\AppData\Local\Temp\ymkhc.exe

The command line names system32 but the process image is SysWOW64: the 32-bit dropper's reference was redirected by WOW64 file-system redirection, so the payload runs inside a 32-bit rundll32. The trailing argument is the dropper's own path, mirroring how the dropper was given the original sample's path one stage earlier.
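As an added example (editor's code, not from the report or the sample), the script below turns the hunting criteria visible in this process tree into checks over process-creation and registry events: the cmd.exe /c ping 127.0.0.1 -n N & <copy>.exe sleep-and-relaunch, a %TEMP% copy launched with another %TEMP% path as its argument, rundll32 given a module with a non-DLL extension in a single directory off the drive root, and a Run value whose data invokes rundll32. The events are constructed by hand in a Sysmon-like shape from behavioral1's command lines, PIDs, SID and Run-key write; the field names, the finding categories and the benign Control Panel event used as a negative control are this example's own.

```python
"""Flag the persistence and relaunch idioms visible in this process tree.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
by hand in a Sysmon-like shape from behavioral1's command lines, PIDs, SID
and Run-key write; the field names, finding kinds and the benign Control
Panel event (pid 999, a negative control) are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# rundll32[.exe] "<module>",<export>  (quotes optional, comma may be padded)
RUNDLL32_CALL = re.compile(r'(?i)\brundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*([A-Za-z0-9_#]+)')
# ping 127.0.0.1 -n <n> & <path>.exe : ping used as a sleep before a relaunch
PING_RELAUNCH = re.compile(r'(?i)\bping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*&+\s*"?([^\s"&]+\.exe)')
# Run / RunOnce key in any hive, with or without a trailing component
RUN_KEY = re.compile(r'(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?(?:\\|$)')
# an .exe directly in the user's Temp (one or more backslashes, as cmd.exe passed it)
TEMP_EXE = re.compile(r'(?i)\\AppData\\Local\\Temp\\+[^\s"\\]+\.exe')
# <drive>:\<one dir>\<file>, e.g. c:\txfsq\ztdrcwxs.trz
ROOT_LEVEL_DIR = re.compile(r'(?i)^[a-z]:\\[^\\]+\\[^\\]+$')
DLL_LIKE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


@dataclass(frozen=True)
class Finding:
    kind: str
    pid: int
    detail: str


def module_suspicions(module: str) -> List[str]:
    """Reasons a rundll32 module path looks wrong; empty for a normal DLL path."""
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in DLL_LIKE_EXTS:
        reasons.append(f"extension {ext or '<none>'} is not DLL-like")
    if ROOT_LEVEL_DIR.match(module):
        reasons.append("module sits in a single directory off the drive root")
    return reasons


def analyze(events: List[Dict]) -> List[Finding]:
    """Run the four checks over process ('process') and value-set ('registry') events."""
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            m = PING_RELAUNCH.search(cmd)
            if m:
                findings.append(Finding("ping_delay_relaunch", pid,
                                        f"sleeps via ping -n {m.group(1)} then runs {m.group(2)}"))
            if TEMP_EXE.search(ev["image"]) and len(TEMP_EXE.findall(cmd)) >= 2:
                findings.append(Finding("temp_copy_relaunch", pid,
                                        "Temp-resident copy launched with another Temp .exe path as argument"))
            m = RUNDLL32_CALL.search(cmd)
            if m:
                for reason in module_suspicions(m.group(1)):
                    findings.append(Finding("rundll32_suspicious_module", pid,
                                            f"{m.group(1)},{m.group(2)}: {reason}"))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]) and RUNDLL32_CALL.search(ev["data"]):
                findings.append(Finding("run_key_rundll32_persistence", pid,
                                        f"{ev['key']}\\{ev['value']} = {ev['data']}"))
    return findings


# Constructed from behavioral1 (the report shows the Run value with escaped quotes; the stored string is used here).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"
COPY = r"C:\Users\Admin\AppData\Local\Temp\ymkhc.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2960, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 3064, "ppid": 2960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ymkhc.exe "{SAMPLE}"'},
    {"type": "process", "pid": 1752, "ppid": 3064, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 2"},
    {"type": "process", "pid": 2424, "ppid": 3064, "image": COPY,
     "cmdline": rf'C:\Users\Admin\AppData\Local\Temp\\ymkhc.exe "{SAMPLE}"'},
    {"type": "process", "pid": 2240, "ppid": 2424, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": rf'c:\windows\system32\rundll32.exe "c:\txfsq\ztdrcwxs.trz",SHA1 {COPY}'},
    {"type": "registry", "pid": 2240, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "EvtMgr", "data": r'c:\windows\SysWOW64\rundll32.exe "c:\txfsq\ztdrcwxs.trz",SHA1'},
    # negative control (invented): a stock Control Panel launch through rundll32
    {"type": "process", "pid": 999, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def kinds_by_pid(events: List[Dict]) -> Dict[int, List[str]]:
    """Group finding kinds per PID (sorted) for a stable summary."""
    out: Dict[int, List[str]] = {}
    for f in analyze(events):
        out.setdefault(f.pid, []).append(f.kind)
    return {pid: sorted(kinds) for pid, kinds in out.items()}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.kind}] pid {finding.pid}: {finding.detail}")
```

The patterns accept the unquoted and double-backslash forms that cmd.exe actually passed in this run, and the negative control shows that a stock shell32.dll,Control_RunDLL launch produces nothing. Feeding real Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) records only requires the same four fields: image, command line, key and value data.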

Network

Country Destination Domain Proto
US 107.163.241.193:16300 tcp (2 connections)
US 107.163.241.194:6520 tcp (4 connections)
US 107.163.241.195:12354 tcp (4 connections)

No DNS lookup preceded any of these connections; the same three endpoints appear in the Windows 10 run.

Files

C:\Users\Admin\AppData\Local\Temp\ymkhc.exe

MD5 5e0dec23ae6bfcfe5c2527bc5be00ec1
SHA1 61dc8f71019d941bf1ba015128c1d361d43609c9
SHA256 191457169461c871319ed2f012e64fd35c96b2b56c6b563e09f1eaf7fab92818
SHA512 2cc922c896eb9b8a08d9871223a1798021afaa27b43d00f7d563157862bd8c070bcde44872a82a88434c9aff579aae697d40dd9cbc16941c16eaf1b86f5b8d21

\??\c:\txfsq\ztdrcwxs.trz

MD5 4993bd7ca91574843d5a608c532151a4
SHA1 72ff0d8e4ccee88738b3ab8bdb52b9474e0ef55e
SHA256 489855558b5a997477f7c95a05e7adcbf6001e06bd80e29b01fdabdb006cdbbb
SHA512 13418193723dace324d5b91a8162a09521640bc6e401c841bb0644de8ec9a762912f2afd588be8845a30b2f59ac10ab2eaa0b356068d1503792a30a826ed075c

memory/2240-8-0x0000000010000000-0x0000000010027000-memory.dmp

memory/2240-9-0x0000000010000000-0x0000000010027000-memory.dmp

memory/2240-11-0x0000000010000000-0x0000000010027000-memory.dmp

memory/2240-12-0x0000000010024000-0x0000000010025000-memory.dmp

memory/2240-10-0x0000000010000000-0x0000000010027000-memory.dmp

memory/2240-13-0x0000000010000000-0x0000000010027000-memory.dmp

memory/2240-17-0x0000000010000000-0x0000000010027000-memory.dmp

memory/2240-18-0x0000000010000000-0x0000000010027000-memory.dmp

memory/2240-19-0x0000000010000000-0x0000000010027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-16 01:42
Reported: 2024-05-16 01:44
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A (6 hits; this static rule records no per-event indicator)

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpfpb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jpfpb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\wvbph\\okemk.kmo\",SHA1" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (64 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 2228 wrote to memory of 3764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (3 events)
PID 2228 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jpfpb.exe (3 events)
PID 2300 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\jpfpb.exe \??\c:\windows\SysWOW64\rundll32.exe (3 events)

Processes

C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe

"C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jpfpb.exe "C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\jpfpb.exe

C:\Users\Admin\AppData\Local\Temp\\jpfpb.exe "C:\Users\Admin\AppData\Local\Temp\a4b5ffd094143464cf7ba4df59bc6e60e09b03450d22cbdf1d3cb29dcf929979.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\wvbph\okemk.kmo",SHA1 C:\Users\Admin\AppData\Local\Temp\jpfpb.exe

Network

The rows naming bing.com, bing.net or in-addr.arpa are DNS and HTTPS traffic that the Windows 7 run did not produce and that is consistent with Windows 10 background activity on this image; the sample's own traffic is the direct TCP to 107.163.241.193:16300, 107.163.241.194:6520 and 107.163.241.195:12354, the same endpoints as in behavioral1, again with no DNS lookup.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 107.163.241.193:16300 tcp
US 107.163.241.194:6520 tcp
US 107.163.241.195:12354 tcp
US 107.163.241.195:12354 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 107.163.241.195:12354 tcp
US 107.163.241.194:6520 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 107.163.241.194:6520 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 107.163.241.194:6520 tcp

Files

C:\Users\Admin\AppData\Local\Temp\jpfpb.exe

MD5 1661a6ae30c086e5ac595403004ec93e
SHA1 f206c4054940f0e61b91543f100298a046c404a1
SHA256 bee963fe577135a2ce91d09638953fb6989966373d85823bf5d2fb0294b04193
SHA512 4e42d639aee2dd8af886c0f7b1e0ee07573d5b36186d7646af31dc51861c6cfc1dbf8270f2647c35f619753f0f4e2f69b5c995c531d2c46388fd6459634d00a2

\??\c:\wvbph\okemk.kmo

MD5 4993bd7ca91574843d5a608c532151a4
SHA1 72ff0d8e4ccee88738b3ab8bdb52b9474e0ef55e
SHA256 489855558b5a997477f7c95a05e7adcbf6001e06bd80e29b01fdabdb006cdbbb
SHA512 13418193723dace324d5b91a8162a09521640bc6e401c841bb0644de8ec9a762912f2afd588be8845a30b2f59ac10ab2eaa0b356068d1503792a30a826ed075c

memory/1172-7-0x0000000010000000-0x0000000010027000-memory.dmp

memory/1172-9-0x0000000010000000-0x0000000010027000-memory.dmp

memory/1172-10-0x0000000010000000-0x0000000010027000-memory.dmp

memory/1172-8-0x0000000010000000-0x0000000010027000-memory.dmp

memory/1172-11-0x0000000010000000-0x0000000010027000-memory.dmp

memory/1172-13-0x0000000010000000-0x0000000010027000-memory.dmp

memory/1172-15-0x0000000010000000-0x0000000010027000-memory.dmp