Malware Analysis Report

2024-10-16 02:39

Sample ID: 240517-29mhfagd43
Target: 5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.bin
SHA256: 14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8
Tags: gozi 700 banker isfb persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: 14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8
Threat Level: Known bad

The file 5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.bin was found to be: Known bad.

Malicious Activity Summary

Tags: gozi 700 banker isfb persistence trojan

Gozi
Unexpected DNS network traffic destination
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. No technique mappings are included in this export of the report.

Analysis: static1

Detonation Overview

Reported: 2024-05-17 23:16

Signatures

Unsigned PE (no further indicators recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 23:16
Reported: 2024-05-17 23:19
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 128s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi (banker, trojan, gozi)

Unexpected DNS network traffic destination

Destination IP 208.67.222.222 (3 events; see Network below)

Adds Run key to start application (persistence)

Set value (str) by C:\Windows\Explorer.EXE:
\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\comr8030 = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Connssec\\clbcenum.dll\",DllRegisterServer"

The writer is Explorer.EXE rather than the rundll32 that loaded the sample because the sample's code is already running inside Explorer by this point (see SetThreadContext below). The persisted DLL lives under %APPDATA%\Microsoft\ in a folder and file name that differ between the two runs (Connssec\clbcenum.dll here, Cryppast\dpnaslad.dll in behavioral2) and is started through its DllRegisterServer export, so the stable indicator is the rundll32 + AppData DLL + DllRegisterServer shape, not the names.

Suspicious use of SetThreadContext

Source PID -> Target PID | Source process -> Target process
2192 -> 2288 | C:\Windows\SysWOW64\rundll32.exe -> C:\Windows\system32\control.exe
2288 -> 1208 | C:\Windows\system32\control.exe -> C:\Windows\Explorer.EXE
2288 -> 2532 | C:\Windows\system32\control.exe -> C:\Windows\system32\rundll32.exe
1208 -> 1976 | C:\Windows\Explorer.EXE -> C:\Windows\syswow64\cmd.exe

Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\Explorer.EXE

Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\control.exe (2 events)
C:\Windows\Explorer.EXE

Suspicious use of SetWindowsHookEx

C:\Windows\Explorer.EXE

Suspicious use of WriteProcessMemory

Source PID -> Target PID | Source process -> Target process | Events
3016 -> 2192 | C:\Windows\system32\rundll32.exe -> C:\Windows\SysWOW64\rundll32.exe | 7
2192 -> 2288 | C:\Windows\SysWOW64\rundll32.exe -> C:\Windows\system32\control.exe | 7
2288 -> 1208 | C:\Windows\system32\control.exe -> C:\Windows\Explorer.EXE | 3
2288 -> 2532 | C:\Windows\system32\control.exe -> C:\Windows\system32\rundll32.exe | 6
1208 -> 1604 | C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe | 3
1604 -> 1244 | C:\Windows\system32\cmd.exe -> C:\Windows\system32\nslookup.exe | 3
1208 -> 776 | C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe | 3
1208 -> 1976 | C:\Windows\Explorer.EXE -> C:\Windows\syswow64\cmd.exe | 7

Reading the two tables together: a pair that appears under both SetThreadContext and WriteProcessMemory (2192 -> 2288, 2288 -> 1208, 2288 -> 2532, 1208 -> 1976) is the write-payload-then-redirect-a-thread injection sequence, so the injection chain is rundll32 (2192) -> control.exe (2288) -> Explorer.EXE (1208) and rundll32.exe (2532), then Explorer.EXE (1208) -> cmd.exe (1976). The write-only pairs (3016 -> 2192, 1208 -> 1604, 1604 -> 1244, 1208 -> 776) are each a parent writing into a child it has just created (the 64-bit rundll32 re-launching its WOW64 counterpart for a 32-bit DLL, Explorer launching cmd, cmd launching nslookup), which the sandbox records as WriteProcessMemory as well.

Processes

PIDs are taken from the WriteProcessMemory and SetThreadContext tables above; indentation follows the source -> target edges in those tables. Explorer.EXE is the already-running desktop shell (the export lists it twice), not a process the sample started. The sample DLL is invoked by ordinal (#1).

3016  C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
  2192  C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
    2288  C:\Windows\system32\control.exe (injection target of 2192)
          C:\Windows\system32\control.exe /?
      2532  C:\Windows\system32\rundll32.exe (injection target of 2288)
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
1208  C:\Windows\Explorer.EXE (injection target of 2288)
  1604  C:\Windows\system32\cmd.exe
        cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\18A4.bi1"
    1244  C:\Windows\system32\nslookup.exe
          nslookup myip.opendns.com resolver1.opendns.com
  776   C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\18A4.bi1"
  1976  C:\Windows\syswow64\cmd.exe (injection target of 1208)
        "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | google.com | udp
GB | 142.250.178.14:443 | google.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | tcp
US | 8.8.8.8:53 | resolver1.opendns.com | udp
US | 208.67.222.222:53 | resolver1.opendns.com | udp (3 queries)
US | 8.8.8.8:53 | intraders-support.at | udp

The three queries to 208.67.222.222 come from the "nslookup myip.opendns.com resolver1.opendns.com" commands in the Processes list: the query is sent straight to OpenDNS's resolver, whose answer for myip.opendns.com is the querying host's public address, so this is the sample learning its external IP. That direct-to-resolver query is what the "Unexpected DNS network traffic destination" signature fires on. The report does not attribute the google.com lookups and TLS connections to any process. intraders-support.at is the only other domain looked up, and no connection to a resolved address is recorded, so treat it as a candidate C2 indicator rather than a confirmed contact.

Files

Memory dumps, grouped by PID (file names as in the export):

2192 (SysWOW64\rundll32.exe)
memory/2192-0-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-1-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-2-0x00000000730DB000-0x00000000730E0000-memory.dmp
memory/2192-3-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-5-0x00000000001E0000-0x000000000022A000-memory.dmp
memory/2192-12-0x00000000001E0000-0x000000000022A000-memory.dmp
memory/2192-21-0x0000000073020000-0x00000000739ED000-memory.dmp

2288 (control.exe)
memory/2288-14-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp
memory/2288-15-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/2288-22-0x0000000000070000-0x0000000000071000-memory.dmp
memory/2288-23-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/2288-36-0x0000000001BA0000-0x0000000001C53000-memory.dmp

1208 (Explorer.EXE)
memory/1208-24-0x00000000045E0000-0x0000000004693000-memory.dmp
memory/1208-28-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/1208-29-0x00000000045E0000-0x0000000004693000-memory.dmp
memory/1208-37-0x00000000045E0000-0x0000000004693000-memory.dmp

2532 (system32\rundll32.exe)
memory/2532-31-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
memory/2532-32-0x0000000000270000-0x0000000000323000-memory.dmp

1976 (syswow64\cmd.exe)
memory/1976-42-0x0000000000450000-0x00000000004F5000-memory.dmp

The three injection targets control.exe (2288), Explorer.EXE (1208) and rundll32.exe (2532) each carry a dumped region of the same size, 0xB3000 bytes (0x01BA0000-0x01C53000, 0x045E0000-0x04693000 and 0x00270000-0x00323000), consistent with one payload being mapped into each of them; those are the dumps to unpack first for configuration extraction. The single-page dumps near 0x7FFFFFFDx000 are process-environment pages and carry no payload.

C:\Users\Admin\AppData\Local\Temp\18A4.bi1

MD5 86ae6b510c19228190f4b797503ce192
SHA1 0a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1
SHA256 be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a
SHA512 bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5

18A4.bi1 is the redirect target of the nslookup and echo commands in the Processes list, i.e. the public-IP probe output, not a dropped binary; its hashes will differ on every host because they depend on the resolved address.
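
The observation above (one region of identical size in every injected process) generalises to a quick triage step over any sandbox dump list: parse the dump names, group regions by size, and keep sizes that recur across several PIDs. The following is an added example written for this page, not part of the report or of the sandbox's tooling; the dump names are transcribed from the list above, and the 0x10000 minimum size and the two-process threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Dump file names transcribed from the behavioral1 "Files" list above
# (constructed input for this example; the report has no other fields).
DUMP_NAMES = """
memory/2192-0-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-3-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-1-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-2-0x00000000730DB000-0x00000000730E0000-memory.dmp
memory/2192-12-0x00000000001E0000-0x000000000022A000-memory.dmp
memory/2192-5-0x00000000001E0000-0x000000000022A000-memory.dmp
memory/2288-14-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp
memory/2288-15-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/2288-22-0x0000000000070000-0x0000000000071000-memory.dmp
memory/2288-23-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/2192-21-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/1208-24-0x00000000045E0000-0x0000000004693000-memory.dmp
memory/1208-29-0x00000000045E0000-0x0000000004693000-memory.dmp
memory/1208-28-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/2532-31-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
memory/2532-32-0x0000000000270000-0x0000000000323000-memory.dmp
memory/2288-36-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/1208-37-0x00000000045E0000-0x0000000004693000-memory.dmp
memory/1976-42-0x0000000000450000-0x00000000004F5000-memory.dmp
"""

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(text):
    """One dict per dump name: pid, sequence number, start, end, size in bytes."""
    regions = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def regions_by_size(regions, min_pids=2, min_size=0x10000):
    """Sizes shared by distinct regions in at least `min_pids` different processes.

    Tiny regions (PEB/TEB pages, single-page stubs) are skipped because every
    process has those; a payload mapped into several victims shows up as one
    larger size repeated across PIDs.
    """
    by_size = defaultdict(set)
    for r in regions:
        if r["size"] >= min_size:
            by_size[r["size"]].add((r["pid"], r["start"]))
    return {size: sorted(locs) for size, locs in by_size.items()
            if len({pid for pid, _ in locs}) >= min_pids}


def dumps_for(regions, size):
    """(pid, sequence) of every dump of the given size, oldest first, so the
    earliest copy of the payload is unpacked before later, possibly patched ones."""
    hits = [r for r in regions if r["size"] == size]
    return [(r["pid"], r["seq"]) for r in sorted(hits, key=lambda r: r["seq"])]


if __name__ == "__main__":
    regs = parse_dumps(DUMP_NAMES)
    for size, locs in regions_by_size(regs).items():
        print(f"size 0x{size:X} in PIDs {sorted({pid for pid, _ in locs})}")
        for pid, start in locs:
            print(f"  {pid}: 0x{start:08X}")
        print("  dumps to unpack:", dumps_for(regs, size))
```

Run against the list above it reports exactly one shared size, 0xB3000, in PIDs 1208, 2288 and 2532; lowering min_size to 0 also surfaces the 0x1000 pages, which is why the threshold is there.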

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-17 23:16
Reported: 2024-05-17 23:19
Platform: win10v2004-20240508-en
Max time kernel: 143s
Max time network: 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Gozi (banker, trojan, gozi)

Unexpected DNS network traffic destination

Destination IP 208.67.222.222 (3 events)

Adds Run key to start application (persistence)

Set value (str) by C:\Windows\Explorer.EXE:
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coreORes = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cryppast\\dpnaslad.dll\",DllRegisterServer"

Same persistence shape as behavioral1 with a different value name, folder name and DLL name (comr8030 / Connssec\clbcenum.dll there), so the names are not stable indicators; the rundll32 + %APPDATA%\Microsoft\ DLL + DllRegisterServer pattern is.

Suspicious use of SetThreadContext

Source PID -> Target PID | Source process -> Target process
4048 -> 5008 | C:\Windows\SysWOW64\rundll32.exe -> C:\Windows\system32\control.exe
5008 -> 3532 | C:\Windows\system32\control.exe -> C:\Windows\Explorer.EXE
3532 -> 4012 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
3532 -> 4232 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
5008 -> 3280 | C:\Windows\system32\control.exe -> C:\Windows\system32\rundll32.exe
3532 -> 4780 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
3532 -> 2576 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
3532 -> 3708 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
3532 -> 3240 | C:\Windows\Explorer.EXE -> C:\Windows\syswow64\cmd.exe

On Windows 10 the code running inside Explorer.EXE (3532) additionally sets thread context in five RuntimeBroker.exe instances (4012, 4232, 4780, 2576, 3708). RuntimeBroker is therefore an injection target in this run; keep that in mind when reading the RuntimeBroker entries under the signatures below.
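
The Run values from both runs and the behavioral1 command lines share a few shapes worth encoding as rules: rundll32 started from a user-writable path, DllRegisterServer used as the entry point, a DLL loaded from Temp by ordinal, nslookup against myip.opendns.com for external-IP discovery, system binaries launched with /? (both became injection targets here), and cmd /C pause (pause blocks on keyboard input, which keeps the process alive as a host). The following triage script is an added example written for this page, not part of the report or of any sandbox tooling; the inputs are transcribed from the report except the OneDrive Run value, which is a constructed benign control, and the reason tags are names chosen for this example.

```python
import re

# Inputs transcribed from this report: the Run values Explorer.EXE wrote in
# behavioral1 (comr8030) and behavioral2 (coreORes), and the behavioral1
# process command lines.  The OneDrive entry is a constructed benign value
# added for contrast; it is not from the report.
RUN_VALUES = {
    "comr8030": 'rundll32 "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Connssec\\clbcenum.dll",DllRegisterServer',
    "coreORes": 'rundll32 "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cryppast\\dpnaslad.dll",DllRegisterServer',
    "OneDrive": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}
COMMAND_LINES = [
    "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1",
    "C:\\Windows\\system32\\control.exe /?",
    '"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL /?',
    'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\\Users\\Admin\\AppData\\Local\\Temp\\18A4.bi1"',
    "nslookup myip.opendns.com resolver1.opendns.com",
    'cmd /C "echo -------- >> C:\\Users\\Admin\\AppData\\Local\\Temp\\18A4.bi1"',
    '"C:\\Windows\\syswow64\\cmd.exe" /C pause dll mail, ,',
]

# [path\]rundll32[.exe] <dll>,<export>; the dll may be quoted and the export
# may be a name or an ordinal such as #1.
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>[^\s,]+)',
    re.IGNORECASE)


def parse_rundll32(cmd):
    """Return {"dll": ..., "export": ...} for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmd.strip())
    return {"dll": m["dll"], "export": m["export"]} if m else None


def user_writable(path):
    p = path.lower()
    return any(x in p for x in ("\\appdata\\", "\\users\\public\\", "\\programdata\\"))


def triage_run_value(name, data):
    """Reason tags (names chosen for this example) for one HKCU ...\\Run value."""
    r = parse_rundll32(data)
    if r is None:
        return []
    reasons, dll = [], r["dll"].lower()
    if user_writable(dll):
        reasons.append("rundll32-dll-in-user-writable-path")
    if "\\appdata\\roaming\\microsoft\\" in dll and dll.endswith(".dll"):
        reasons.append("dll-under-roaming-microsoft-folder")
    if r["export"].lower() == "dllregisterserver":
        reasons.append("dllregisterserver-used-as-entrypoint")
    if r["export"].startswith("#"):
        reasons.append("ordinal-export")
    return reasons


def triage_command_line(cmd):
    """Reason tags for one process command line from the Processes list."""
    reasons, low = [], cmd.lower()
    r = parse_rundll32(cmd)
    if r and "\\appdata\\local\\temp\\" in r["dll"].lower():
        reasons.append("rundll32-loads-dll-from-temp")
    if r and r["export"].startswith("#"):
        reasons.append("rundll32-ordinal-export")
    if "nslookup" in low and "myip.opendns.com" in low:
        reasons.append("external-ip-discovery-via-opendns")
    if re.search(r"(control\.exe|control_rundll)\b.*\s/\?\s*$", low):
        reasons.append("system-binary-launched-with-help-switch")
    if re.search(r'\bcmd(\.exe)?"?\s+/c\s+pause\b', low):
        reasons.append("cmd-held-open-with-pause")
    return reasons


def triage_report(run_values=RUN_VALUES, command_lines=COMMAND_LINES):
    """Tags for every Run value and command line, keyed by the input itself."""
    return {
        "run": {n: triage_run_value(n, d) for n, d in run_values.items()},
        "cmd": {c: triage_command_line(c) for c in command_lines},
    }


if __name__ == "__main__":
    for section, hits in triage_report().items():
        for item, reasons in hits.items():
            print(f"[{section}] {item}\n      {', '.join(reasons) or 'no rule matched'}")
```

The Run-value rules are written so that the two Gozi entries match on shape and the OneDrive control matches nothing; on a live host the same function can be fed the output of Get-ItemProperty on HKCU:\Software\Microsoft\Windows\CurrentVersion\Run.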

Modifies registry class

Process: C:\Windows\System32\RuntimeBroker.exe (an injection target of Explorer.EXE in this run; see SetThreadContext above)

All writes are under one key in the user's Classes hive:
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\

Keys created: PersistedStorageItemTable, System, and the item subkeys 91aec1e7-7cb2-4013, 79340d7d-0150-416e, d73754b0-4df5-45ae and 15f7fe51-c7e9-4c73
Keys deleted and then re-created: 79340d7d-0150-416e, d73754b0-4df5-45ae

Values set on the item subkeys, by type:
(str) "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" on each subkey
(str) "\\?\Volume{8A2A71C9-0000-0000-0000-D01200000000}\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\db3e2a0dfacd9c43e7636fedbdb46e65f90a7e290d4e40fa97f28ce82e35f6dd" on 91aec1e7-7cb2-4013 and 79340d7d-0150-416e
(str) "\\?\Volume{8A2A71C9-0000-0000-0000-D01200000000}\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\StagedAssets\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab" on d73754b0-4df5-45ae and 15f7fe51-c7e9-4c73
(str) empty values on each subkey
(int) "0", later "8324", on each subkey
(data) 8-byte values fba4178fb0a8da01, f4d10a8fb0a8da01, 6d57818eb0a8da01 and 06697d8eb0a8da01 (little-endian, consistent with FILETIME stamps from May 2024)
(data) a multi-kilobyte serialized item blob written to each subkey; the same blob each time, its hex dump omitted here. It embeds the package name, the user SID and the StagedAssets path as UTF-16 strings.

These entries are ContentDeliveryManager's staged-asset bookkeeping, which RuntimeBroker maintains in normal operation; the report ties them to the sample only through the process that wrote them. Treat them as low-signal unless the injected RuntimeBroker instance can be shown to have issued them.

Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\rundll32.exe (2 events)
C:\Windows\Explorer.EXE (2 events)

Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\control.exe (2 events)
C:\Windows\Explorer.EXE (6 events)

Suspicious use of AdjustPrivilegeToken

Token | Process | Events
SeShutdownPrivilege | C:\Windows\Explorer.EXE | 2
SeCreatePagefilePrivilege | C:\Windows\Explorer.EXE | 2
SeShutdownPrivilege | C:\Windows\System32\RuntimeBroker.exe | 2

Suspicious use of SetWindowsHookEx

C:\Windows\Explorer.EXE

Suspicious use of WriteProcessMemory

Source PID -> Target PID | Source process -> Target process | Events
60 -> 4048 | C:\Windows\system32\rundll32.exe -> C:\Windows\SysWOW64\rundll32.exe | 3
4048 -> 5008 | C:\Windows\SysWOW64\rundll32.exe -> C:\Windows\system32\control.exe | 5
5008 -> 3532 | C:\Windows\system32\control.exe -> C:\Windows\Explorer.EXE | 3
3532 -> 4012 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe | 3
5008 -> 3280 | C:\Windows\system32\control.exe -> C:\Windows\system32\rundll32.exe | 5
3532 -> 4232 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe | 3
3532 -> 4780 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe | 3
3532 -> 2576 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe | 3
3532 -> 3708 | C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe | 3
3532 -> 2624 | C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe | 2
2624 -> 3168 | C:\Windows\system32\cmd.exe -> C:\Windows\system32\nslookup.exe | 2
3532 -> 392 | C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe | 2
3532 -> 3240 | C:\Windows\Explorer.EXE -> C:\Windows\syswow64\cmd.exe | 6

As in behavioral1, the pairs that also appear under SetThreadContext (4048 -> 5008, 5008 -> 3532, 5008 -> 3280, 3532 -> 4012/4232/4780/2576/3708, 3532 -> 3240) are injections: rundll32 (4048) -> control.exe (5008) -> Explorer.EXE (3532) and rundll32.exe (3280), then Explorer.EXE -> five RuntimeBroker.exe instances and cmd.exe (3240). The write-only pairs (60 -> 4048, 3532 -> 2624, 2624 -> 3168, 3532 -> 392) are parent-to-child writes at process creation and mirror the behavioral1 rundll32 relaunch and the nslookup/echo commands; this export's behavioral2 Processes list is cut off, so their command lines are not shown here.

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\control.exe C:\Windows\system32\control.exe /?
C:\Windows\system32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
C:\Windows\system32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A188.bi1"
C:\Windows\system32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A188.bi1"
C:\Windows\syswow64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:443 google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 8.8.8.8:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 8.8.8.8:53 intraders-support.at udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4048-0-0x0000000074220000-0x0000000074BED000-memory.dmp

memory/4048-1-0x0000000074220000-0x0000000074BED000-memory.dmp

memory/4048-3-0x0000000074220000-0x0000000074BED000-memory.dmp

memory/4048-2-0x00000000742DB000-0x00000000742E0000-memory.dmp

memory/4048-4-0x0000000074220000-0x0000000074BED000-memory.dmp

memory/4048-7-0x0000000002390000-0x00000000023DA000-memory.dmp

memory/4048-14-0x0000000002390000-0x00000000023DA000-memory.dmp

memory/5008-17-0x0000000000870000-0x0000000000923000-memory.dmp

memory/4048-22-0x0000000074220000-0x0000000074BED000-memory.dmp

memory/5008-24-0x0000000000870000-0x0000000000923000-memory.dmp

memory/5008-23-0x0000000000930000-0x0000000000931000-memory.dmp

memory/3532-25-0x00000000028A0000-0x0000000002953000-memory.dmp

memory/3532-31-0x0000000000830000-0x0000000000831000-memory.dmp

memory/3532-32-0x00000000028A0000-0x0000000002953000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Cryppast\dpnaslad.dll

MD5 5016784605ad3fd883fbdfdd5fbd469f
SHA1 30100663d3d88d7399948f7f92602efcb70b5a86
SHA256 14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8
SHA512 3f61dac201d25c5cb8932e9bed8b762c6897462edf912091e6921f2895645908b64c91a779f8db0cac76a0ddae19808d9ba6ce7fb27cd0a0153c5bf20d01f116

memory/4012-37-0x00000295373A0000-0x00000295373A1000-memory.dmp

memory/4012-38-0x0000029538BF0000-0x0000029538CA3000-memory.dmp

memory/4012-33-0x0000029538BF0000-0x0000029538CA3000-memory.dmp

memory/4232-39-0x00000235698D0000-0x0000023569983000-memory.dmp

memory/4232-44-0x00000235698D0000-0x0000023569983000-memory.dmp

memory/5008-50-0x0000000000870000-0x0000000000923000-memory.dmp

memory/3280-46-0x000002B10E4D0000-0x000002B10E583000-memory.dmp

memory/4232-43-0x0000023569890000-0x0000023569891000-memory.dmp

memory/4780-51-0x0000014A235D0000-0x0000014A23683000-memory.dmp

memory/2576-55-0x00000137AA0E0000-0x00000137AA193000-memory.dmp

memory/3708-59-0x0000028A6BD10000-0x0000028A6BDC3000-memory.dmp

memory/3532-63-0x00000000028A0000-0x0000000002953000-memory.dmp

memory/4012-64-0x0000029538BF0000-0x0000029538CA3000-memory.dmp

memory/4232-65-0x00000235698D0000-0x0000023569983000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A188.bi1

MD5 86ae6b510c19228190f4b797503ce192
SHA1 0a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1
SHA256 be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a
SHA512 bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5

memory/3240-72-0x0000000000B80000-0x0000000000C25000-memory.dmp