Malware Analysis Report

2025-03-15 00:32

Sample ID 240603-2b3f1acb45
Target 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1
SHA256 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1

Threat Level: Shows suspicious behavior

The file 65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:25

Reported

2024-06-03 22:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "\"C:\\Users\\Admin\\AppData\\Roaming\\u6mF4h\\dwm.exe\"" | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\6834\wscript.exe | C:\Windows\System32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\6834\wscript.exe | C:\Windows\System32\cmd.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell\open | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell\open | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell | N/A | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\CAkcF.cmd" | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1176 wrote to memory of 2520 | N/A | N/A | C:\Windows\system32\BdeUnlockWizard.exe
PID 1176 wrote to memory of 2520 | N/A | N/A | C:\Windows\system32\BdeUnlockWizard.exe
PID 1176 wrote to memory of 2520 | N/A | N/A | C:\Windows\system32\BdeUnlockWizard.exe
PID 1176 wrote to memory of 2412 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1176 wrote to memory of 2412 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1176 wrote to memory of 2412 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1176 wrote to memory of 2440 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 2440 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 2440 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 1516 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 1516 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 1516 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1516 wrote to memory of 2584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1516 wrote to memory of 2584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1516 wrote to memory of 2584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1176 wrote to memory of 2708 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 1176 wrote to memory of 2708 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 1176 wrote to memory of 2708 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 1176 wrote to memory of 2728 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 2728 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 2728 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 2836 | N/A | N/A | C:\Windows\System32\eventvwr.exe
PID 1176 wrote to memory of 2836 | N/A | N/A | C:\Windows\System32\eventvwr.exe
PID 1176 wrote to memory of 2836 | N/A | N/A | C:\Windows\System32\eventvwr.exe
PID 2836 wrote to memory of 2296 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 2296 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 2296 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 1368 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2296 wrote to memory of 1368 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2296 wrote to memory of 1368 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1

C:\Windows\system32\BdeUnlockWizard.exe

C:\Windows\system32\BdeUnlockWizard.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\x70FRY.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lndL.cmd

C:\Windows\System32\eventvwr.exe

"C:\Windows\System32\eventvwr.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\CAkcF.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Lizdxxpaecrde" /SC minute /MO 60 /TR "C:\Windows\system32\6834\wscript.exe" /RL highest

Network

N/A

Files

memory/1920-0-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1920-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

memory/1176-3-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

memory/1176-4-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1920-6-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-9-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-7-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-8-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-12-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-13-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-16-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-35-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-28-0x0000000002E10000-0x0000000002E17000-memory.dmp

memory/1176-26-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-25-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-24-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-22-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-21-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-36-0x0000000076EB1000-0x0000000076EB2000-memory.dmp

memory/1176-20-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-19-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-18-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-27-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-17-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-15-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-14-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-23-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-11-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-10-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-45-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-52-0x0000000140000000-0x0000000140112000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lndL.cmd

MD5 5704a39aa7d3e1ee7811d866a93ded45
SHA1 af719e297a2e82c9711ec115ab53060d938e6baa
SHA256 8a1becfbab731a8ea7ebd903797dfd313316cd9abbfd447f204bb52c6d7be54f
SHA512 cee897a9a2e5ec2c7ad5e81cd69397010b4861ecfe87daaedfef48dca6c7dc32d23704e3056574394f839ab1735b9bec18f3f8ff060893468cfaeac50495e279

C:\Users\Admin\AppData\Local\Temp\CAkcF.cmd

MD5 c13e85d7b344eceb218f596bf58ec52e
SHA1 13570e0643abc4bd4e03389ea983d4ebe529edb9
SHA256 1565a8d7d94d5865a7d0766a5c921b353693b018eeda9bc91e4447ccf6fdc7d6
SHA512 fc023a3f266b7f349af4e734911a81f231743183dbc588034526d55bc39079a77a7e3e7cf3bcaf1a4ca7f65dc9eefa674f169a981fec6210d65f58b10e543f6b

C:\Users\Admin\AppData\Local\Temp\t2y32A5.tmp

MD5 a973fff335939f75f282533bc1fd24ab
SHA1 aecdc2f586cbf922a5a74dea91d6e75bf6f2f712
SHA256 470f51fc83e423ccb69f4726fc63f8d06baea814971929c6b43cebbef6710e0d
SHA512 2ad121bf6ee15136916e90e1fc5519fb9c22cf35ddcea3895d02280962195531bfde3eb8fa7f94a71462f13d8925e45cdb23c81aa413e4f928a00beefcd1a939

\Users\Admin\AppData\Roaming\u6mF4h\dwm.exe

MD5 f162d5f5e845b9dc352dd1bad8cef1bc
SHA1 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
SHA256 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
SHA512 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

C:\Users\Admin\AppData\Local\Temp\93237.tmp

MD5 4fd7662cb85daf9fbc0121c453bbd03e
SHA1 e7b6417d15d85b77e253f2b668cc4328f774908c
SHA256 8121911e37ae2e6153af15ea17595f439cbcfdb0accc4575c3002bbca54d35bf
SHA512 481adb6cee402be77574eeaacd123194e308d005b6439187579b7ebc3a917813859c888e52c7cb713c4258845348927a078439607ed83842c45df624d3f5a7b1

C:\Users\Admin\AppData\Local\Temp\x70FRY.cmd

MD5 377d6a8e4506542c4ff30aa96baffddb
SHA1 cbad4f5e41e38a66a187951539e2634a373a376d
SHA256 fada4bf0d8001d2c3ebd9554ea0c0f1e1b4630b3dd0ed6692c30b647bb787758
SHA512 6f2ad7d4abcd14c94eb826f920037d1b939a467653c8c186a75fe09291a3a33d9ccd4318ab381c4ec0c6a4b3645dc6f4702f208d2852404dd3830843f48e2e5b

memory/1176-51-0x0000000140000000-0x0000000140112000-memory.dmp

memory/1176-47-0x0000000077010000-0x0000000077012000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Javhf.lnk

MD5 1d1c354a99589e646f82b9e6bb7e26f0
SHA1 dc008bd81cd27bbee4bc2d90741e58934c43c53b
SHA256 d509cb3009937d040fc07d5c16e66dfd8adc95dfef4b1ac5637db0a57e1513bf
SHA512 2aa37aca069cd10bd1f52bd217c49cafd8d5965effcfa8013fa4c3a5dd2ece68be1fc3b1f280c2ec1c0da215fa3d0238eea58f3f756ad2dcbf42acc1ddc37891

memory/1176-100-0x0000000076DA6000-0x0000000076DA7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:25

Reported

2024-06-03 22:28

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1

Signatures

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "\"C:\\Users\\Admin\\AppData\\Roaming\\gT482P\\bdechangepin.exe\"" | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\9569\GamePanel.exe | C:\Windows\System32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\9569\GamePanel.exe | C:\Windows\System32\cmd.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell | N/A | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\MWwAox1.cmd" | N/A | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command | N/A | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3164 wrote to memory of 760 | N/A | N/A | C:\Windows\system32\dllhost.exe
PID 3164 wrote to memory of 760 | N/A | N/A | C:\Windows\system32\dllhost.exe
PID 3164 wrote to memory of 912 | N/A | N/A | C:\Windows\system32\cleanmgr.exe
PID 3164 wrote to memory of 912 | N/A | N/A | C:\Windows\system32\cleanmgr.exe
PID 3164 wrote to memory of 3660 | N/A | N/A | C:\Windows\system32\WallpaperHost.exe
PID 3164 wrote to memory of 3660 | N/A | N/A | C:\Windows\system32\WallpaperHost.exe
PID 3164 wrote to memory of 3652 | N/A | N/A | C:\Windows\system32\provtool.exe
PID 3164 wrote to memory of 3652 | N/A | N/A | C:\Windows\system32\provtool.exe
PID 3164 wrote to memory of 2800 | N/A | N/A | C:\Windows\system32\LaunchTM.exe
PID 3164 wrote to memory of 2800 | N/A | N/A | C:\Windows\system32\LaunchTM.exe
PID 3164 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\bdechangepin.exe
PID 3164 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\bdechangepin.exe
PID 3164 wrote to memory of 448 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 448 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 3812 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 3812 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3812 wrote to memory of 776 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3812 wrote to memory of 776 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3164 wrote to memory of 4820 | N/A | N/A | C:\Windows\system32\DTUHandler.exe
PID 3164 wrote to memory of 4820 | N/A | N/A | C:\Windows\system32\DTUHandler.exe
PID 3164 wrote to memory of 4136 | N/A | N/A | C:\Windows\system32\GamePanel.exe
PID 3164 wrote to memory of 4136 | N/A | N/A | C:\Windows\system32\GamePanel.exe
PID 3164 wrote to memory of 4292 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 4292 | N/A | N/A | C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 3876 | N/A | N/A | C:\Windows\System32\fodhelper.exe
PID 3164 wrote to memory of 3876 | N/A | N/A | C:\Windows\System32\fodhelper.exe
PID 3876 wrote to memory of 4092 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe
PID 3876 wrote to memory of 4092 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe
PID 4092 wrote to memory of 996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4092 wrote to memory of 996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65170ab244bc882ca331aba981b879451cd0e91e27b78494bb5a9d6d97dba0a1.dll,#1

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\cleanmgr.exe

C:\Windows\system32\cleanmgr.exe

C:\Windows\system32\WallpaperHost.exe

C:\Windows\system32\WallpaperHost.exe

C:\Windows\system32\provtool.exe

C:\Windows\system32\provtool.exe

C:\Windows\system32\LaunchTM.exe

C:\Windows\system32\LaunchTM.exe

C:\Windows\system32\bdechangepin.exe

C:\Windows\system32\bdechangepin.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rt9B.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"

C:\Windows\system32\DTUHandler.exe

C:\Windows\system32\DTUHandler.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\5dAm9bi.cmd

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\MWwAox1.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Eofvjgiti" /SC minute /MO 60 /TR "C:\Windows\system32\9569\GamePanel.exe" /RL highest

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 13.107.246.64:443 | N/A | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp

Files

memory/3108-0-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3108-1-0x000001D795210000-0x000001D795217000-memory.dmp

memory/3164-3-0x0000000002380000-0x0000000002381000-memory.dmp

memory/3164-5-0x00007FFC0C71A000-0x00007FFC0C71B000-memory.dmp

memory/3108-6-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-22-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-27-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-35-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-34-0x0000000000560000-0x0000000000567000-memory.dmp

memory/3164-26-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-25-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-46-0x00007FFC0E580000-0x00007FFC0E590000-memory.dmp

memory/3164-44-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-24-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-23-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-21-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-20-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-19-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-18-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-17-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-12-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-11-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-10-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-8-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-16-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-15-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-13-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-14-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-9-0x0000000140000000-0x0000000140112000-memory.dmp

memory/3164-7-0x0000000140000000-0x0000000140112000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rt9B.cmd

MD5 13b59cf968048ccc46f512c24c7c3f96
SHA1 8d387c1ae5d241d9d42ca5b3b2e54ef84e8bfc0a
SHA256 56f6407a8d87e722b4d67ac7fc023de1591bbb6a05c2e3399abf771417bc649b
SHA512 ca44700dafae7482d3ecf2582ba071914ef97087c48504e3f2a624f22a32d61ecddbc40c100ad62f47e65bfcbe4b4e4eaac46cc5c5dc47ab3ebb5c40c1ddc6f8

C:\Users\Admin\AppData\Local\Temp\H1F3B.tmp

MD5 497e02f8361d1a0f2601a4f87b7dd874
SHA1 879cfce82adc3cb4cb58c717847b7a69fd777481
SHA256 32e4b63cff23718f0b82486fb220584881a45583ffeff132fc607feccd7c8293
SHA512 47320a4a34bc006f7da0e1b7d4ac1d64080404f067cbe5af9debdee97e6634bd5331e91ef713fd19b353fa3b330fc36ab4824ee04811db303795133593614f72

C:\Users\Admin\AppData\Roaming\gT482P\bdechangepin.exe

MD5 601a28eb2d845d729ddd7330cbae6fd6
SHA1 5cf9f6f9135c903d42a7756c638333db8621e642
SHA256 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
SHA512 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

memory/3164-55-0x0000000140000000-0x0000000140112000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5dAm9bi.cmd

MD5 ad23f93f258aa0ed654a4530d592d38c
SHA1 588a722136ac1e888a6361b97ac8d0127175c09a
SHA256 16f3f71e5c95ac552073aa290547b07e46a9654727c379708038a758f15d34db
SHA512 b46af54ae7028cc1ff15c1e34788ba5f27bfb2d5a36d92abf4043e3e462a580f23202e06c606fde75360e6a00648bb7814ac1f046c41616d43f1ee39e2c59887

C:\Users\Admin\AppData\Local\Temp\r27F6.tmp

MD5 11b756f01a2bf09165ee1a6636318c20
SHA1 9570ce74fc951d7c4521d0787c1b5a640f21ec80
SHA256 c5f30dfe2846d725d768a84bb3aad7610616c94d4ce4f4a5451f3ee847254190
SHA512 db2db09e5839d47d2d085ed6157dd8e0c31710b3ea21794855aa444c23d101135c2284b61e7047bd90c0413983f87340cad474006c641ca88aaddedc122e3eaa

C:\Users\Admin\AppData\Local\Temp\MWwAox1.cmd

MD5 3071ff351ca6198e1a1a01b9692f3345
SHA1 0fece473ba23f22fdd303d7dd92a80c40515b5af
SHA256 323547a4e220a0a432b50d0608abaa28bcb081ff93bd43974f0dbd7b89a40b2b
SHA512 0d3cf2dd13db55512cda2c7165ca02c3c7407c2519ef00a881092a9562a775482491fae4a52e275b3177f6162f8491e5714517bdb8c0321c11c3f3d77dae147d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xcdbzlxvqxxhz.lnk

MD5 a82fe305e7fae5d7d90f8f0e55a265eb
SHA1 ac3b820fb4bbd2d201f12e2b9ac14a5c7788202c
SHA256 809ed4b95cae66a0f551c1b5bab76c36cb40a1e7912d051ed800de543df16b25
SHA512 f1fbe72ba88d81b9b581c0f5110187ab4a747f2dd5f3aa629ddac101dac2312b8ad3903d090059d8f65854b92c7d82187e5f9a0e4834cc9d4b18989e202edc7c