Malware Analysis Report

2025-03-14 23:55

Sample ID 240603-f418rada81
Target f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15
SHA256 f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15
Tags
persistence
score
9/10


Analysis Overview

score
9/10

SHA256

f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15

Threat Level: Likely malicious

The file f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Detects Windows executables referencing non-Windows User-Agents

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:26

Reported

2024-06-03 05:28

Platform

win7-20240508-en

Max time kernel

149s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15.dll,#1

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "\"C:\\Users\\Admin\\AppData\\Roaming\\rdBN51n\\dccw.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\9430\WFS.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\system32\9430\WFS.exe C:\Windows\System32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\LPWr5o.cmd" N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\MSCFile\shell N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2540 N/A N/A C:\Windows\system32\dccw.exe
PID 1232 wrote to memory of 2540 N/A N/A C:\Windows\system32\dccw.exe
PID 1232 wrote to memory of 2540 N/A N/A C:\Windows\system32\dccw.exe
PID 1232 wrote to memory of 1252 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 1252 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 1252 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 2552 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 2552 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 2552 N/A N/A C:\Windows\System32\cmd.exe
PID 2552 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2552 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2552 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1232 wrote to memory of 3036 N/A N/A C:\Windows\system32\WFS.exe
PID 1232 wrote to memory of 3036 N/A N/A C:\Windows\system32\WFS.exe
PID 1232 wrote to memory of 3036 N/A N/A C:\Windows\system32\WFS.exe
PID 1232 wrote to memory of 2284 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 2284 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 2284 N/A N/A C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 2596 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1232 wrote to memory of 2596 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1232 wrote to memory of 2596 N/A N/A C:\Windows\System32\eventvwr.exe
PID 2596 wrote to memory of 2840 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2840 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2840 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2840 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2840 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15.dll,#1

C:\Windows\system32\dccw.exe

C:\Windows\system32\dccw.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\KDvqv0.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1kxDDdc.cmd

C:\Windows\System32\eventvwr.exe

"C:\Windows\System32\eventvwr.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LPWr5o.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Rkbail" /SC minute /MO 60 /TR "C:\Windows\system32\9430\WFS.exe" /RL highest

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\KDvqv0.cmd

MD5 3b6071220812d30eaba369fcfd49a9b4
SHA1 b5953b8e3324ebcbe483315e639b5a9d02636484
SHA256 38ac44b727095c75f4f1948721c911c4abe002270caaed8052bec3940f5ce888
SHA512 e5d0cbb5513cbdd1b14acdf54a2e6b46d19785ffdfff97bcf633f7912d43d2181f33141f34b2513f28b7258a8b78ce9dc62fff3fb83a2fd66743fd55a73253cc

C:\Users\Admin\AppData\Local\Temp\Hz317C.tmp

MD5 99073021600b9cf6ff57c76bd062ef7d
SHA1 3a33f8dcfeb656d6aa74dc99b7e0ebc171eae8ae
SHA256 bd3e54dd54dcdd2e776fca2a87958208d19aa874641ecad3c9eb4cc9b6c028b9
SHA512 8e2d4cded46384095f64827c33f22c38c0062d42273925f38411e16343535056452e541589100610c4830d747f72192b69179bd983e4a85d498b31247113db16

C:\Users\Admin\AppData\Roaming\rdBN51n\dccw.exe

MD5 a46cee731351eb4146db8e8a63a5c520
SHA1 8ea441e4a77642e12987ac842b36034230edd731
SHA256 283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5
SHA512 3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

C:\Users\Admin\AppData\Local\Temp\1kxDDdc.cmd

MD5 722de24f8d34fbe349a508c916ee76b9
SHA1 302532fb1277a56081191082a3a0944c48762c9a
SHA256 3530c784d8eef7b6c83cbf6b3f873eedd3df8eaa3b825900a4f38537f38c7a36
SHA512 0dbaa11597f6e426a0edce2d51eb2bcb6bde74561f13eaed7b4e242d7d426986bedd693424d36502e281ad13196f9738c4ad5e728ffc931b4092b647af3e7363

C:\Users\Admin\AppData\Local\Temp\XO3332.tmp

MD5 39de3dbe50e56d5ca7bfa77a66d99a7f
SHA1 f713473f0956904f9a12bcfb10be142c24531780
SHA256 7fc308ae87c79d6c22732cb0a6602ae3ea450860d83c488db068733c0fc5a442
SHA512 bc8a786baed12c6b554c2f76fac138209839ef7a8167ef37b50a226c1c5f070347ff6320b6df4238f52391f6ac8f4b8bd45c368fc6d2d7341b00fea0bb96bc4d

C:\Users\Admin\AppData\Local\Temp\LPWr5o.cmd

MD5 927e4d338107109edbd97ecd590b0185
SHA1 9cab29d7a3a63494897f8040d40cdcc167087fa1
SHA256 d05a756b06fa7ff8ce506e6624f6c0122e9d9fe6ee6c256276bf804111bd91aa
SHA512 bbfac085c7af3947c75b714c18330be79ebff59b896e21d174eac7371bdb2a3a25f0f60a6b63461eb7ce5215accc3dceaffcda9b9ed82eb5c069ac010c4fb87a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mqdbvnnwgmqj.lnk

MD5 56f8cc06d7ee62c67a04020454dee30b
SHA1 f8819e82a4ba547cd18b8958de50b894fae3b847
SHA256 a88fad3630b96cba48fbaca333c9d419a2495b1642bec042b7dd3c53220b7309
SHA512 c6136642168357efd823dc969160300dd04a4c221fdd6db897ce7de45be7c1ed16f4c79a16d296c32fa0078ac2eef438828e739744eb39dc9997fd8825d1f76f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:26

Reported

2024-06-03 05:29

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15.dll,#1

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Pm7qq7J\\ie4uinit.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\6791\ie4ushowIE.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\system32\6791\ie4ushowIE.exe C:\Windows\System32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\HMho.cmd" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\DelegateExecute N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 760 N/A N/A C:\Windows\system32\ctfmon.exe
PID 3164 wrote to memory of 760 N/A N/A C:\Windows\system32\ctfmon.exe
PID 3164 wrote to memory of 912 N/A N/A C:\Windows\system32\cleanmgr.exe
PID 3164 wrote to memory of 912 N/A N/A C:\Windows\system32\cleanmgr.exe
PID 3164 wrote to memory of 3660 N/A N/A C:\Windows\system32\wsqmcons.exe
PID 3164 wrote to memory of 3660 N/A N/A C:\Windows\system32\wsqmcons.exe
PID 3164 wrote to memory of 3652 N/A N/A C:\Windows\system32\audiodg.exe
PID 3164 wrote to memory of 3652 N/A N/A C:\Windows\system32\audiodg.exe
PID 3164 wrote to memory of 2800 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3164 wrote to memory of 2800 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3164 wrote to memory of 4928 N/A N/A C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 4928 N/A N/A C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 4028 N/A N/A C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 4028 N/A N/A C:\Windows\System32\cmd.exe
PID 4028 wrote to memory of 2524 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4028 wrote to memory of 2524 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3164 wrote to memory of 2660 N/A N/A C:\Windows\system32\ResetEngine.exe
PID 3164 wrote to memory of 2660 N/A N/A C:\Windows\system32\ResetEngine.exe
PID 3164 wrote to memory of 2932 N/A N/A C:\Windows\system32\DsmUserTask.exe
PID 3164 wrote to memory of 2932 N/A N/A C:\Windows\system32\DsmUserTask.exe
PID 3164 wrote to memory of 776 N/A N/A C:\Windows\system32\iscsicpl.exe
PID 3164 wrote to memory of 776 N/A N/A C:\Windows\system32\iscsicpl.exe
PID 3164 wrote to memory of 2220 N/A N/A C:\Windows\system32\RemotePosWorker.exe
PID 3164 wrote to memory of 2220 N/A N/A C:\Windows\system32\RemotePosWorker.exe
PID 3164 wrote to memory of 3992 N/A N/A C:\Windows\system32\MDMAgent.exe
PID 3164 wrote to memory of 3992 N/A N/A C:\Windows\system32\MDMAgent.exe
PID 3164 wrote to memory of 3720 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3164 wrote to memory of 3720 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3164 wrote to memory of 684 N/A N/A C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 684 N/A N/A C:\Windows\System32\cmd.exe
PID 3164 wrote to memory of 4368 N/A N/A C:\Windows\System32\fodhelper.exe
PID 3164 wrote to memory of 4368 N/A N/A C:\Windows\System32\fodhelper.exe
PID 4368 wrote to memory of 4668 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 4668 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 4668 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4668 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0d489c7e53b8e804a263c537ac51b70854b070ef08a9ad3d4e04a4a0f158f15.dll,#1

C:\Windows\system32\ctfmon.exe

C:\Windows\system32\ctfmon.exe

C:\Windows\system32\cleanmgr.exe

C:\Windows\system32\cleanmgr.exe

C:\Windows\system32\wsqmcons.exe

C:\Windows\system32\wsqmcons.exe

C:\Windows\system32\audiodg.exe

C:\Windows\system32\audiodg.exe

C:\Windows\system32\ie4uinit.exe

C:\Windows\system32\ie4uinit.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\HLc.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2876edf9-11ce-6726-5bde-f751084e1399}"

C:\Windows\system32\ResetEngine.exe

C:\Windows\system32\ResetEngine.exe

C:\Windows\system32\DsmUserTask.exe

C:\Windows\system32\DsmUserTask.exe

C:\Windows\system32\iscsicpl.exe

C:\Windows\system32\iscsicpl.exe

C:\Windows\system32\RemotePosWorker.exe

C:\Windows\system32\RemotePosWorker.exe

C:\Windows\system32\MDMAgent.exe

C:\Windows\system32\MDMAgent.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\atUBD.cmd

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\HMho.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Eofvjgiti" /SC minute /MO 60 /TR "C:\Windows\system32\6791\ie4ushowIE.exe" /RL highest

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\HLc.cmd

MD5 adf18cdccd22c551815e21062c8e0534
SHA1 5152f9663b0b156d2644cf4ee61f9d8e7230b902
SHA256 c90cc099d8efbee8ac25fc67e8dc90137cc76f9ba82197d168bc418bbde6d1fd
SHA512 61036bb240ddada5aeb6972a5124ba418d18364a243f14cc460339de554050b98324aa0b0c2f3ff0dbc597e02f7bb848d75da8c972a6fb6de9279c8654e48c22

C:\Users\Admin\AppData\Local\Temp\hsR1D09.tmp

MD5 7eb5790fa20c1ae222adf004c2f9cdf4
SHA1 78c80e1b4d349eb17a14cf3e20744714f7906f4d
SHA256 2a811f25128f8445e34c569f4549989d4858d00389502f0aa7c744bae634c28a
SHA512 22f8c84630af7bf0ba66122304e130d8e3f3f6d726acd6a57776db479d5293738d98e2f505626eaa3c356537c01b96adb81155a62a12fc59859abf3438ce21f4

C:\Users\Admin\AppData\Roaming\Pm7qq7J\ie4uinit.exe

MD5 a2f0104edd80ca2c24c24356d5eacc4f
SHA1 8269b9fd9231f04ed47419bd565c69dc677fab56
SHA256 5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c
SHA512 e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

C:\Users\Admin\AppData\Local\Temp\atUBD.cmd

MD5 bed18e2a9e7d56b8022e3dbb3aab2417
SHA1 76bdeebd59059723663181fe0831c60b77d6012d
SHA256 36842ea7effd6722f01380fd530d274bc21f28c9a9d1bafab0194e6bdc3f834f
SHA512 3c3e113e5cd1308b4d0d96984e7db9dedc491ced822f67ec31f490b0b564d0c6e1daf842c65275df88eaeaf3f8e26985da1fd1ef7b4b4d20691a3f74500488ca

C:\Users\Admin\AppData\Local\Temp\02314.tmp

MD5 82638df3bd62eb59e65beddc9f8ddf04
SHA1 800fb063547fa893c49fa0b7261ac1c4c8ec1954
SHA256 dafb94daee7119edf294f500a93884f85f8132dc1d32dd36ffa07d46e1af9da0
SHA512 c788e366e67278c65f53e5c27a1745b4fffc51e596e91558c1fbf3a524f4407a7445f8fec933eddff82bc1dcc16c2acdc4069c9e20a1aef2a9dcb185a9a7e172

C:\Users\Admin\AppData\Local\Temp\HMho.cmd

MD5 9a3f36f4c543ab4f9b35bbadacfb6781
SHA1 b49cfd67b4c67c29c7955829d14be151ea40dcb1
SHA256 be04b5931b73c2194c189a93418938981ce79b9d0c00d97a12b55debeeba35b5
SHA512 5c8acc9c38c97e5b5d68813178b43b5b2302aa70fdab087dcf69ce7f69fdc1880fb90da99989d964e13abd257b98982e20b571acca660fd307f64a82bbc3b06f

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xcdbzlxvqxxhz.lnk

MD5 4696b0f11644a0364e387276f552c6ff
SHA1 9dd1462319c8926d49b919c9651a59cfec41fe40
SHA256 39e1a68ea4d929f3e64de9a305115f8eabfed51710f34c7bc08fdee5381577e2
SHA512 4673d5f0af5a03fcde841fa9fa25e4fe05392b32e258a87422c9ed1fb5d7f8cbb24c9f8c83c925a6c96aed1e7f5e651fea23371be052595777f2eba8b998e312