Analysis Overview
SHA256
e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce
Threat Level: Shows suspicious behavior
The file e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:05
Reported
2024-06-03 05:08
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "\"C:\\Users\\Admin\\AppData\\Roaming\\LRknwnN\\BitLockerWizard.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\5126\SndVol.exe | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\system32\5126\SndVol.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\6py.cmd" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3500 wrote to memory of 3812 | N/A | N/A | C:\Windows\system32\TSTheme.exe |
| PID 3500 wrote to memory of 5108 | N/A | N/A | C:\Windows\system32\RmClient.exe |
| PID 3500 wrote to memory of 2716 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe |
| PID 3500 wrote to memory of 5104 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3500 wrote to memory of 728 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 728 wrote to memory of 3112 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3500 wrote to memory of 716 | N/A | N/A | C:\Windows\system32\UIMgrBroker.exe |
| PID 3500 wrote to memory of 3836 | N/A | N/A | C:\Windows\system32\SndVol.exe |
| PID 3500 wrote to memory of 3192 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3500 wrote to memory of 4732 | N/A | N/A | C:\Windows\System32\fodhelper.exe |
| PID 4732 wrote to memory of 3512 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe |
| PID 3512 wrote to memory of 4892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1 |
| C:\Windows\system32\TSTheme.exe | C:\Windows\system32\TSTheme.exe |
| C:\Windows\system32\RmClient.exe | C:\Windows\system32\RmClient.exe |
| C:\Windows\system32\BitLockerWizard.exe | C:\Windows\system32\BitLockerWizard.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aKXLPQl.cmd |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}" |
| C:\Windows\system32\UIMgrBroker.exe | C:\Windows\system32\UIMgrBroker.exe |
| C:\Windows\system32\SndVol.exe | C:\Windows\system32\SndVol.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\mPEGq0.cmd |
| C:\Windows\System32\fodhelper.exe | "C:\Windows\System32\fodhelper.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6py.cmd |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\5126\SndVol.exe" /RL highest |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\6py.cmd
| MD5 | d3e52e132cec5afee05e3a822cdee50b |
| SHA1 | 38109f39817cc95e6e245929032428e4c51b1a67 |
| SHA256 | 39522953cea12991cc7f26327bb77dfc53579c1b9acf2ddb4322d5787693d056 |
| SHA512 | 6732fa9b3250a59770d9e2bf942b77a540a9a6d75bf51e82157eae198422e435afec7ca2f903f1049535fee62ce0e752101c55d68402e0d894c2d8b414c18346 |
C:\Users\Admin\AppData\Local\Temp\htr5843.tmp
| MD5 | 1d649482fce95f3b8e05e8b1098692ee |
| SHA1 | a8125d02e3965972bebc9a01fb227849cd140e06 |
| SHA256 | 55b4c4727f2d7118fa951b8502fc517914ca37f8aabce1ff8d51d52adfc76a8c |
| SHA512 | 306de546a12e90b4532053e1c432e8dc6b54d5e36db1152bb47f5954d2b626748bbe56fd0dc7044f263aab461e91a29313a8a0c684410bab6e0ed31cdac11418 |
C:\Users\Admin\AppData\Local\Temp\mPEGq0.cmd
| MD5 | a19de6e6dd8fa90f757f4d06c37954e9 |
| SHA1 | e210e4814d36b044a5fb8be6399fb34112d646ea |
| SHA256 | c0102fa98fbe242501707b3a5fda266a58b2a26990ab61ee23514768cf4c45d5 |
| SHA512 | d93d98f64c728f539fa5cbfe2d3f6808c4aeccd279fc88466f13d7ca4d75e920d1591a769e26ae7148f19e71c07c86dcbd9986df68c5b2018f3eaa6b02b6f865 |
C:\Users\Admin\AppData\Roaming\LRknwnN\BitLockerWizard.exe
| MD5 | 6d30c96f29f64b34bc98e4c81d9b0ee8 |
| SHA1 | 4a3adc355f02b9c69bdbe391bfb01469dee15cf0 |
| SHA256 | 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74 |
| SHA512 | 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8 |
C:\Users\Admin\AppData\Local\Temp\0t65767.tmp
| MD5 | 517fb5c637eb9e0a53926998b85bde8e |
| SHA1 | 574e81f3cb2f37aee2087bbe75c33f81779a9128 |
| SHA256 | 91c9d56d48d6d35d668e74c17a7d2a1d88b96e18ac449d908dfdc75fc8206b1d |
| SHA512 | 19962b4db4705504e30a130a4cfb6f7c9b891f76ac9854baa1f1471a3ad739d4477d94016953b4b824842f59a653c34f5f575ba9e080e70d0b7bf1cc1780572e |
C:\Users\Admin\AppData\Local\Temp\aKXLPQl.cmd
| MD5 | 9021153768c640924ae5b4b52031ec1d |
| SHA1 | 9dd2f3b6a1978eec40bccf4907d5cd5b81bf0ee2 |
| SHA256 | 4cf58101e9fb8e74e4eda0677817c8533f18f4236950b9b0cf5797aeba3d6fef |
| SHA512 | 206ea3608aa812753da152b34f8ff1f90d526b015a166d893d78839b0045db223051a357b64a7654e36d42c7cb246744e46e1e238f652e61c6214c62da3c914f |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pruztwesow.lnk
| MD5 | 7cd24dd1ebdc7a33d895df24f5035b97 |
| SHA1 | b40b1a64c064327f4c91a110ee41d961837e5e03 |
| SHA256 | fc8acba1e93ba688cac803a9374e3cf50480b154d3df0266662d08449781c448 |
| SHA512 | faf49e99a5a9e416b3f12fd264554a546752ed33bcfedc3f6c26abe24fb53ea6884e58d531f202f99cdca186cc338736fbbbc4333e1d341bb9199fa67c13faa7 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:05
Reported
2024-06-03 05:08
Platform
win7-20240221-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "\"C:\\Users\\Admin\\AppData\\Roaming\\usve2sZ\\StikyNot.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\2073\BdeUISrv.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\2073\BdeUISrv.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\G5SUW.cmd" | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1224 wrote to memory of 2716 | N/A | N/A | C:\Windows\system32\LogonUI.exe |
| PID 1224 wrote to memory of 2664 | N/A | N/A | C:\Windows\system32\StikyNot.exe |
| PID 1224 wrote to memory of 2948 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1224 wrote to memory of 2468 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 2468 wrote to memory of 2952 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1224 wrote to memory of 2484 | N/A | N/A | C:\Windows\system32\sdchange.exe |
| PID 1224 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 1224 wrote to memory of 2596 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1224 wrote to memory of 2688 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 2688 wrote to memory of 2696 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2696 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1 |
| C:\Windows\system32\LogonUI.exe | C:\Windows\system32\LogonUI.exe |
| C:\Windows\system32\StikyNot.exe | C:\Windows\system32\StikyNot.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\RC8.cmd |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}" |
| C:\Windows\system32\sdchange.exe | C:\Windows\system32\sdchange.exe |
| C:\Windows\system32\BdeUISrv.exe | C:\Windows\system32\BdeUISrv.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\W6VlA.cmd |
| C:\Windows\System32\eventvwr.exe | "C:\Windows\System32\eventvwr.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd |
| C:\Windows\system32\schtasks.exe | schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\2073\BdeUISrv.exe" /RL highest |
Network
Files
C:\Users\Admin\AppData\Local\Temp\y3B5B.tmp
| MD5 | decfafbb276f47b9b1ea8ccae6ff43a8 |
| SHA1 | 091747ddd6b00f06e3a815638b319972406f8154 |
| SHA256 | d12de875acfddbf80ee07e71fbf42fb3003ff437cea09d7a3998323290431016 |
| SHA512 | ab25f3f95be30e718ebd312c866b47bbec18eff0fc78a9693397afb999269209c863e7f8f1c7ef8500fcc5df0ebc2792051811e33214695c3dd9f31ba8169758 |
\Users\Admin\AppData\Roaming\usve2sZ\StikyNot.exe
| MD5 | b22cb67919ebad88b0e8bb9cda446010 |
| SHA1 | 423a794d26d96d9f812d76d75fa89bffdc07d468 |
| SHA256 | 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128 |
| SHA512 | f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5 |
C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd
| MD5 | bb3148182c7237b0f0bbd186ea78fab9 |
| SHA1 | 2774e9b54d60f4934a750722e875aa2149e45c7c |
| SHA256 | 2ac8cef263ca229c029894e027fa1d2d7ba4c51dd5012890483f4be3be31a796 |
| SHA512 | 03c9caeb65c35bf2dcf086b7a71be744eb6c09f9dd43b27418de62eb8f237b0dfa0204ded934a27d188ddf7cef141d578c254fdde41a1ed9408fcc0433aef283 |
C:\Users\Admin\AppData\Local\Temp\s5M3BD9.tmp
| MD5 | 1e7a71b520031d49587eaef20b7353d0 |
| SHA1 | e86b305cef93ad980beb5ca3f12ea01b62220284 |
| SHA256 | e4e37d75838769df23777167adc785709f8c35e874d8b06fb0b47efdc787ec0e |
| SHA512 | 1d624249ad72ccf04c163456099b4158a900248cf966cd713d685e0c3fe43ea7da864fdc7f4f3dd3f78840dafac52a53e408d515510b2fbab85c779e3d660f37 |
C:\Users\Admin\AppData\Local\Temp\W6VlA.cmd
| MD5 | 85f8df5de710b5ce098bf386926ff594 |
| SHA1 | a0203e6480c9d66396cd8228804b66e4cbe260ab |
| SHA256 | 6ed6bfdbfbd105c21f8ddbf8de2b50f94785e634b55d8be7136f3ffea17d141b |
| SHA512 | aa913d09683e1c5bb7bb53fbab74fc2f483e15bcb81de534b0f116ec6487b53764034e90220fdf12d5cb461eb4d10ef7743055c7350d41e7062c7dad965036db |
C:\Users\Admin\AppData\Local\Temp\RC8.cmd
| MD5 | 4be5f38252f91de9bb27a470159930d7 |
| SHA1 | 014666fc72328efeee6078ac40a074b89b09e0e5 |
| SHA256 | afeff5488c66fa5ff7697f7b00229e02bd98aa35c08ca3c55c276344961dfce9 |
| SHA512 | 96df2ebb722aacbd3cb675ab7a29d34625b2ebc8b3669b93d60e072058fc8f9bc2e9d63fbd64404dec55d8050a0f2a5e7f4ad6cc01884c26e341a0a2917e8af5 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yyeybzteybdsbj.lnk
| MD5 | 3730745838ccd1c5ad3eca8d44273a05 |
| SHA1 | 91a33fc7aa1329ba37bc0d5c58c76c636df588a7 |
| SHA256 | 33cace0c94d7db518eb56d3b5dcff61048998affcf3068a87bd1e9912483555d |
| SHA512 | 913461c52502872e0553566fac13a70869286aec593abb738589b82c117f6c7e018bc129e4a81a222e6db48d27532875e44c7d572cdd7d615613b7cec8477111 |