Malware Analysis Report

2025-04-14 01:48

Sample ID 240602-2e2c4sae38
Target 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5
SHA256 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5

Threat Level: Shows suspicious behavior

The file 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:30

Reported

2024-06-02 22:33

Platform

win7-20240419-en

Max time kernel

149s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "\"C:\\Users\\Admin\\AppData\\Roaming\\5jl0\\BitLockerWizard.exe\"" | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\3087\wbengine.exe | C:\Windows\System32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\3087\wbengine.exe | C:\Windows\System32\cmd.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | N/A | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\IKOyebX.cmd" | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1208 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe
PID 1208 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe
PID 1208 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe
PID 1208 wrote to memory of 2560 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2560 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2560 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2608 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2608 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2608 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 2608 wrote to memory of 3012 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2608 wrote to memory of 3012 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2608 wrote to memory of 3012 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1208 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\logagent.exe
PID 1208 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\logagent.exe
PID 1208 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\logagent.exe
PID 1208 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\wbengine.exe
PID 1208 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\wbengine.exe
PID 1208 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\wbengine.exe
PID 1208 wrote to memory of 2304 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2304 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2304 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2808 | N/A | N/A | C:\Windows\System32\eventvwr.exe
PID 1208 wrote to memory of 2808 | N/A | N/A | C:\Windows\System32\eventvwr.exe
PID 1208 wrote to memory of 2808 | N/A | N/A | C:\Windows\System32\eventvwr.exe
PID 2808 wrote to memory of 2868 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 2868 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 2868 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2868 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2868 wrote to memory of 2636 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\7yXTr.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"

C:\Windows\system32\logagent.exe

C:\Windows\system32\logagent.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ZG2R.cmd

C:\Windows\System32\eventvwr.exe

"C:\Windows\System32\eventvwr.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\IKOyebX.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\3087\wbengine.exe" /RL highest

Network

N/A

Files

memory/1340-0-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1340-2-0x0000000000170000-0x0000000000177000-memory.dmp

memory/1208-3-0x0000000077A86000-0x0000000077A87000-memory.dmp

memory/1208-4-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1340-6-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-7-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-8-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-18-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-9-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-10-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-11-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-12-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-13-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-32-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-31-0x0000000002530000-0x0000000002537000-memory.dmp

memory/1208-24-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-23-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-22-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-21-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-20-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-19-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-17-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-16-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-15-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-14-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-33-0x0000000077B91000-0x0000000077B92000-memory.dmp

memory/1208-42-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-48-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-47-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/1208-46-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7yXTr.cmd

MD5 6269cf9d55c096e2e43dd2737f00c11a
SHA1 468f035509796131bbd85dbc1e9ad77cdf40fbdd
SHA256 6c5069f8adb1b32eb63f9dedfd7a897fb366cf77cf0aa2b1c2cf78187e5179d9
SHA512 9ab4bcb40e4f86e83fdc3c0ea72df92357186c178fed204249810538e255cdf0c85405e53e5393696e806db14ea80e5c8b64255e8fd70787834e8a68c4d841e9

C:\Users\Admin\AppData\Local\Temp\V5u251D.tmp

MD5 e1fc2dda8901105681d7986f89043ecb
SHA1 0cfbf4dfea70189f1615eea1731dbfd094a37a7c
SHA256 f8b9b1060d0828e3f7fcec7db02beb0914f4004d4774e02bcc43c095b33f0276
SHA512 bf3eafabe67f1dc49fbbb9279752003711d2cff7c553dd123fcf53d3836781c8c8e31ee4a0db411cc8a1dffb4cbb12851f8733901aa76f354b35e1b1b24fa52b

C:\Users\Admin\AppData\Roaming\5jl0\BitLockerWizard.exe

MD5 08a761595ad21d152db2417d6fdb239a
SHA1 d84c1bc2e8c9afce9fb79916df9bca169f93a936
SHA256 ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
SHA512 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

C:\Users\Admin\AppData\Local\Temp\ZG2R.cmd

MD5 981f04ddae8a5ef54ef6f2d95cc27ed7
SHA1 b467e660582a5d2721318cfd10bc7d52c1ceced6
SHA256 8251ef9c6caea24388dcab8f32a418321fe262de2b93bce1dcafe872f8f7612c
SHA512 0494e7beeb34a5954fcbb41d0b91d291625ac612b06b17075959caa7590d455ca14e81c3ca70085ca878dcfd1d22716af0dfc4b8b7489c083b951e83d386fd36

C:\Users\Admin\AppData\Local\Temp\S2685.tmp

MD5 ef0bc0ee7e0b1759979add3129d2d453
SHA1 663a116b3c7f37ebddd63027dfe2ba10b22d213d
SHA256 f826fb05e0bcbaf1a1ca81f510ec885273f22ab1277350c5219f403aa8d0c68a
SHA512 79447400d9815b3b011af0af960c511eb8374336f6b339e3f0654b433ed04cdae5fa7b06220037c097a9f89a5ed782ebe79c98a9ca49878dc2fd35d651522d5a

C:\Users\Admin\AppData\Local\Temp\IKOyebX.cmd

MD5 4c7dcc4d5577f3701b50121677bf01e2
SHA1 47793f51cba26400b2be7c07a64d35ab9815b39a
SHA256 e8d319414dd9222e093a2c9dd74041e2a532a00f35dca609023a40916116f4b3
SHA512 f3ac672d475e5dba3c3441428a465aee7f2fc31616e6015cfd78f35a4f02b1c3a15cad0f266d24a03105f0e5acfad2b1bc2abd2459f1b17fe963eeaed5901ca0

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mwyjnbrrs.lnk

MD5 ddaeb0c2277f6ec03db48d039e77f75a
SHA1 d65fa0fa748cccd5ee5d4af9666446864980a5c3
SHA256 4772c4f086da5c54b07bf01746504bf2686accec479391b91c048dce09551093
SHA512 8a7be64080ad8051195a4df9b145cfa74ebd25762ba88943da71f71bffed53947c2a339e19e47b7490991f75230e3062165860b9001ab9d36506acc1c86102ca

memory/1208-96-0x0000000077A86000-0x0000000077A87000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:30

Reported

2024-06-02 22:33

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "\"C:\\Users\\Admin\\AppData\\Roaming\\OBVb3\\dpapimig.exe\"" | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\6000\cmstp.exe | C:\Windows\System32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\6000\cmstp.exe | C:\Windows\System32\cmd.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command | N/A | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\59KmpNH.cmd" | N/A | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3388 wrote to memory of 4832 | N/A | N/A | C:\Windows\system32\provtool.exe
PID 3388 wrote to memory of 4832 | N/A | N/A | C:\Windows\system32\provtool.exe
PID 3388 wrote to memory of 5064 | N/A | N/A | C:\Windows\system32\notepad.exe
PID 3388 wrote to memory of 5064 | N/A | N/A | C:\Windows\system32\notepad.exe
PID 3388 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\svchost.exe
PID 3388 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\svchost.exe
PID 3388 wrote to memory of 876 | N/A | N/A | C:\Windows\system32\wsmprovhost.exe
PID 3388 wrote to memory of 876 | N/A | N/A | C:\Windows\system32\wsmprovhost.exe
PID 3388 wrote to memory of 3004 | N/A | N/A | C:\Windows\system32\LanguageComponentsInstallerComHandler.exe
PID 3388 wrote to memory of 3004 | N/A | N/A | C:\Windows\system32\LanguageComponentsInstallerComHandler.exe
PID 3388 wrote to memory of 2640 | N/A | N/A | C:\Windows\system32\dllhost.exe
PID 3388 wrote to memory of 2640 | N/A | N/A | C:\Windows\system32\dllhost.exe
PID 3388 wrote to memory of 4608 | N/A | N/A | C:\Windows\system32\dpapimig.exe
PID 3388 wrote to memory of 4608 | N/A | N/A | C:\Windows\system32\dpapimig.exe
PID 3388 wrote to memory of 4084 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3388 wrote to memory of 4084 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3388 wrote to memory of 4684 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3388 wrote to memory of 4684 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 4684 wrote to memory of 2840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4684 wrote to memory of 2840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3388 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3388 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3388 wrote to memory of 3844 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3388 wrote to memory of 3844 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3388 wrote to memory of 4164 | N/A | N/A | C:\Windows\System32\fodhelper.exe
PID 3388 wrote to memory of 4164 | N/A | N/A | C:\Windows\System32\fodhelper.exe
PID 4164 wrote to memory of 2868 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 2868 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2868 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1

C:\Windows\system32\provtool.exe

C:\Windows\system32\provtool.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wsmprovhost.exe

C:\Windows\system32\wsmprovhost.exe

C:\Windows\system32\LanguageComponentsInstallerComHandler.exe

C:\Windows\system32\LanguageComponentsInstallerComHandler.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Nj38.cmd

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Fzlrtmppumx" /SC minute /MO 60 /TR "C:\Windows\system32\6000\cmstp.exe" /RL highest

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp

Files

memory/4688-0-0x000001CE11660000-0x000001CE11667000-memory.dmp

memory/4688-1-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-3-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/4688-5-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-6-0x00007FFA14D2A000-0x00007FFA14D2B000-memory.dmp

memory/3388-18-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-19-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-43-0x00007FFA16BC0000-0x00007FFA16BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1q26EF7.tmp

MD5 17f26fe1d14c890a18ca6733264de27a
SHA1 b5e193999c6592b043e203cb65934ac8844edc1b
SHA256 f9688590bdab82d6cd36a3150b63ef267687291392e3a38c666334d2635c64d9
SHA512 353d2530e5ba49a64877c99d925adadab8327f1d6d6310d910fb8f36e793d2d2899dd037e8affdccc0c7dff6628138e1d40ca12034eac40958d520a96622fb42

C:\Users\Admin\AppData\Local\Temp\Nj38.cmd

MD5 cbf5f3d4e9db331746bc15643b92d8b3
SHA1 700670893ae5f5f4a8158576d0e74a52d2da52de
SHA256 133953265f7c12fdc9c3ab8b02505134e261de7f4add647afe3b59dc87473b34
SHA512 2539fe8d44d19002223619e6531170647534ce4d03f96562352d3f24cc79062a351a6847c8c7589efbc16d2c938ca7395937b3db71f2a5566b931eba55adc919

C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd

MD5 09ef23093bfde9c4626cdeb218aad241
SHA1 4fab0a228fa314a21df3891d22d7ba7d3556e71b
SHA256 cbd8d9b64f2ea208570b6405e5a24bf5bd28d5bb5ce5c92e9da559b39fcaac3f
SHA512 179a61c8a691ad4d05b2b50151b6dfe7b95e7f0f00dfe77af4f32bf71b91ed2b356f215bae2b57835fd2dd1cbd40726d3978ca59207e95b8833bfb0f0cb2bb8b

memory/3388-52-0x0000000140000000-0x00000001400BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\OBVb3\dpapimig.exe

MD5 b6d6477a0c90a81624c6a8548026b4d0
SHA1 e6eac6941d27f76bbd306c2938c0a962dbf1ced1
SHA256 a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb
SHA512 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

C:\Users\Admin\AppData\Local\Temp\Unv6E3B.tmp

MD5 897bf351a9881769449c28173edbae04
SHA1 3a37f016cd9be27ebc234654fcdbf49eb1785fb1
SHA256 5a14233ba3900089e955fb61989ce6fca75e1403f85b19ae6f746d762196c303
SHA512 0d04809c07bb575994b133aec9731a1508f45e622169a832c73ea7b537c75bb0e912a3054582a53bd68500137d5cd742a4423a6de3b1ffa35ff38c45e1d2aff9

C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd

MD5 5b262cd5693605c516f2ed6dfc40876e
SHA1 1caf283be70ab1956cc218a1880442962f07bb7e
SHA256 89fb6e49e57e6d44e56ca84ca2059059a995a1d36ffb3fa7f6ba6173cbfa9c4b
SHA512 2e898d1c856f737acaf4bb04ff3d7799cf748860780b15c63d36014314682a6f43dbab442bec24774c10df00fb7a5b1a3742c12f2c8393b86adc49b34035a39b

memory/3388-42-0x0000000000550000-0x0000000000557000-memory.dmp

memory/3388-40-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-31-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-24-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-23-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-22-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-21-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-20-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-17-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-16-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-15-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-14-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-13-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-12-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-11-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-10-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-9-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-8-0x0000000140000000-0x00000001400BE000-memory.dmp

memory/3388-7-0x0000000140000000-0x00000001400BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hkwligutpbxhkv.lnk

MD5 2ed8ba3b5e467ae8c479af62137a4555
SHA1 3c3ea8e2e1adde1e004e48294464304f62457edd
SHA256 5871a8c74805f005d66990075362e08bcaf2ec4a5b7c38106e898634df74074a
SHA512 257ae6ae0b722c88cfde4da001840c7e1c5e4561ad6852440bb0c23a9d057ada70ff43fd8a2ef41bb2c08ad8615fbe2929aa1b4f2f75f93ec262c65badaee4fd