Malware Analysis Report

2025-01-06 09:16

Sample ID 240601-gbedysbf7x
Target fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466
SHA256 fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466

Threat Level: Known bad

The file fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:37

Reported

2024-06-01 05:40

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe N/A (17 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (24 identical rows)
N/A N/A \??\c:\windows\resources\svchost.exe N/A (23 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe \??\c:\windows\resources\themes\explorer.exe (4 identical rows)
PID 2216 wrote to memory of 2744 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (4 identical rows)
PID 2744 wrote to memory of 320 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (4 identical rows)
PID 320 wrote to memory of 1556 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (4 identical rows)
PID 2216 wrote to memory of 2708 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe (4 identical rows)
PID 320 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 320 wrote to memory of 2040 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 320 wrote to memory of 2292 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe

"C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:39 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:40 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:41 /f
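The registry, file and scheduled-task rows above can be turned into a path-based hunt. Two observations from this report drive the design: the dropped copies hash differently between the two detonations (the win7 run's explorer.exe is SHA256 5acceba1..., the win10 run's is 0ced3150...), so file hashes are weak indicators for this sample, while the stable signals are system-binary names (explorer.exe, svchost.exe, spoolsv.exe) living under c:\windows\resources, RunOnce values that launch those copies with a short argument (RO), ShowSuperHidden forced to 0, and schtasks /create lines whose /tr points at the same copies. The script below is an added example and is not report output or sandbox tooling; the Event shape (kind/image/target/details) is an assumed stand-in for Sysmon or EDR telemetry, and the sample events are constructed from the report's rows plus two constructed benign controls so the checks can be exercised offline.

```python
"""Path-based hunt for the persistence/evasion indicators in this report.

Added example, not sandbox output. The Event shape is an assumed stand-in
for Sysmon/EDR telemetry; SAMPLE_EVENTS are constructed from the report's
rows plus two constructed benign controls.
"""
import re
from dataclasses import dataclass

# Names the sample reuses for its copies; the genuine binaries of these
# names live only in the directories listed in LEGIT_DIRS.
LOOKALIKE_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\(?:run|runonce)\\",
    re.I,
)
SHOWSUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)


@dataclass
class Event:
    kind: str          # "file_create", "registry_set" or "process_create"
    image: str         # process that performed the action
    target: str        # file path, registry value path, or child command line
    details: str = ""  # registry data, if any


def normalize(path: str) -> str:
    """Lower-case, strip quotes/whitespace and the NT '\\??\\' prefix seen in the report."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def is_lookalike(path: str) -> bool:
    """True when a system-binary name sits outside its legitimate directory."""
    p = normalize(path)
    if "\\" not in p:
        return False
    parent, name = p.rsplit("\\", 1)
    return name in LOOKALIKE_NAMES and parent not in LEGIT_DIRS


def exe_from_command(command: str) -> str:
    """Executable path at the front of a command string (drops trailing args such as 'RO')."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.I)
    return m.group(1) if m else ""


def schtasks_run_target(cmdline: str) -> str:
    """For 'schtasks /create ... /tr <cmd>' return the executable the task will run, else ''."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return ""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return exe_from_command(m.group(1) or m.group(2) or "") if m else ""


def check_event(ev: Event) -> list:
    """Return the list of indicator descriptions this single event matches."""
    findings = []
    if is_lookalike(ev.image):
        findings.append("actor is a system-binary lookalike outside its legitimate directory")
    if ev.kind == "file_create":
        if is_lookalike(ev.target):
            findings.append("system-binary lookalike written outside its legitimate directory")
    elif ev.kind == "registry_set":
        if RUN_KEY_RE.search(ev.target) and is_lookalike(exe_from_command(ev.details)):
            findings.append("Run/RunOnce value launches a lookalike copy")
        if SHOWSUPERHIDDEN_RE.search(ev.target) and ev.details.strip() == "0":
            findings.append("ShowSuperHidden set to 0 (hides protected system files in Explorer)")
    elif ev.kind == "process_create":
        if is_lookalike(schtasks_run_target(ev.target)):
            findings.append("scheduled task launches a lookalike copy")
    return findings


def hunt(events) -> list:
    """(event, finding) pairs for every indicator hit across the event stream."""
    return [(ev, f) for ev in events for f in check_event(ev)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"

# Constructed from the behavioral1 rows of the report, plus two constructed benign controls.
SAMPLE_EVENTS = [
    Event("file_create", SAMPLE, r"\??\c:\windows\resources\themes\explorer.exe"),
    Event("registry_set", r"\??\c:\windows\resources\themes\explorer.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
          r"c:\windows\resources\svchost.exe RO"),
    Event("registry_set", r"\??\c:\windows\resources\svchost.exe",
          r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
          "0"),
    Event("process_create", r"\??\c:\windows\resources\svchost.exe",
          r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:39 /f'),
    # Benign controls (constructed, not from the report): a vendor updater's RunOnce
    # entry written by msiexec, and the real Explorer starting from C:\Windows.
    Event("registry_set", r"C:\Windows\System32\msiexec.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VendorUpdate",
          r'"C:\Program Files\Vendor\updater.exe" /silent'),
    Event("process_create", r"C:\Windows\Explorer.exe", r"C:\Windows\Explorer.exe"),
]

if __name__ == "__main__":
    for ev, finding in hunt(SAMPLE_EVENTS):
        print(f"[{ev.kind}] {ev.image} -> {ev.target}: {finding}")
```

Run as a script it prints seven findings for the four report-derived events and none for the two controls. The legitimate-directory allowlist is deliberately small; on a real estate you would extend LEGIT_DIRS (WinSxS, servicing stacks) and feed the checks from your own process-creation, file-write and registry-set telemetry rather than the constructed list.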

Network

N/A

Files

memory/1632-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 a56470d0f1a0e8f0e0255281122c4d1a
SHA1 9bef35270ba4c1b50f11ed52a76341c0718c69ed
SHA256 5acceba11b105121b5415a8f69bf523f40f3be21ede92d2f72131547d047224d
SHA512 7f8bbf142a12f913ff02d2252fd4c598a5a50f3bf56f820c2247b32febd8d181dec36a4310cc9278e3d1dd53a26f493aa829f20365e155dd637b4018023a8023

memory/1632-10-0x0000000000290000-0x00000000002AF000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 366eb529390c9ab0b9a30a6dec9bf89a
SHA1 dd69f237c5b45fd1be90dfe9fc058e48cc638da1
SHA256 da7e0d810eb115efc5688a817e139b7d2f4467de27ec0530e8e8dff1515f9985
SHA512 307b2902fd0dc507500b04ecf1f5c1bc0723eeedcd805d46a0960b0f9114f1a8819d9e09b96cf56e832889604e2ea6fc5da636c554489ae4f947333f08203f01

memory/2216-21-0x0000000001BC0000-0x0000000001BDF000-memory.dmp

\Windows\Resources\svchost.exe

MD5 fb9529b2c4a8e49e31d33f76c5129a06
SHA1 8c00e0d7f2ed1e24dcf2adcdcfe2646452fc3a5f
SHA256 57b6bd55cd4444eb5c41e92d41901b8b5c472c7988aca13af8c75cb5f7cfc7d1
SHA512 2b5070ca21c4a1d4fbe7843fecb233991fc217c6d238fda624ffd6bcb4c39c9e327eb2a9306eb62e5347cc7b2a0a2cabd41906f75fb903073a9df390e4e85668

memory/320-38-0x00000000003D0000-0x00000000003EF000-memory.dmp

memory/1556-42-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1632-43-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:37

Reported

2024-06-01 05:40

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe N/A (34 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (30 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe \??\c:\windows\resources\themes\explorer.exe (3 identical rows)
PID 4352 wrote to memory of 704 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)
PID 704 wrote to memory of 1056 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (3 identical rows)
PID 1056 wrote to memory of 1828 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe

"C:\Users\Admin\AppData\Local\Temp\fd746469374df18f812e7cbf803cd3a626f19c4602ff5b9b4991c686fd4c8466.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/2564-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 aa450174d15d16f084c41dfe59ea7b76
SHA1 472fb1a3b6e2f908e8381c3495d3e8a7d34e7fdb
SHA256 0ced3150fb1d9f9016b4c1c418553c3593bcbb4a7aa254e66b371ee0c241dfbf
SHA512 a690210c64c58c36de0b0846129a2c5adebdedce561dff068514bdc68f4a25946730e658edf3c95a669259643b84bb5db8bf5355b1b0b02e1d4e219c7b19cfdf

memory/4352-8-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 46bf70a8cca0bf61dfdb9563efa2c9bf
SHA1 55ac6716ec7ebe440aef4e315d5df766260d2e92
SHA256 0e242ff479876d83b6fde31f9419a2b9de72a19b949f73cf18fad55cfcb131ff
SHA512 99ec9e1cfd410a26ce4a056f7427a4b6680c88b6fdebcaf4794ae51cbaae5e126491846ddbb4e517ad307ef0e1b1ed881056b2662a5308269692e5223bef81aa

C:\Windows\Resources\svchost.exe

MD5 5a98aa8e38cb61d9eed7767accf58229
SHA1 35f85ca01882c7ab8f62032226ba1dbe46be3f5f
SHA256 b220400d30047511871f7f6c08574040fa5a4bdc1f7d318cba7017f7d0c18982
SHA512 dea7c2cf0555442cfb60497edbd35c1f5449e7b0373bc822e3ab02f4226abb3b4c27bfdc027a687c9daeada8fd108285238a58ab05ff8a47ab285a5ffdb61ef6

memory/1828-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/704-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2564-35-0x0000000000400000-0x000000000041F000-memory.dmp