Malware Analysis Report

2025-01-06 08:56

Sample ID 240604-axv59seh8v
Target 9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34
SHA256 9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34

Threat Level: Known bad (the file 9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34 was classified as Known bad)

Malicious Activity Summary

upx evasion persistence

Modifies visibility of hidden/system files in Explorer

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:35

Signatures

UPX dump on OEP (original entry point)

Hits: 1 (no per-hit indicator details recorded)

UPX packed file

upx
Hits: 1 (no per-hit indicator details recorded)

Unsigned PE

Hits: 2 (no per-hit indicator details recorded)
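What the three static signatures test can be reproduced from the PE headers alone: "UPX packed file" is a layout match (section names UPX0/UPX1, an empty first section that receives the unpacked code, the entry point inside the stub section, and the "UPX!" marker string), "UPX dump on OEP" means the sandbox let that stub run in memory and dumped the image once execution reached the original entry point (the memory/... entries under Files are those dumps), and "Unsigned PE" means the security data directory is empty, i.e. no embedded Authenticode signature. The checker below is an added example, not code from the sandbox or from this report; the PE bytes it inspects are built by its own build_pe() as a constructed fixture, and the 0x400000 base and 0x22000 image size are an assumption chosen only because they mirror the dump ranges listed under Files.

```python
"""Added example (not the sandbox's code): header checks behind the static signatures.
The PE bytes come from build_pe() below; they are a constructed fixture, not the sample."""
import struct

# Section layouts as (name, VirtualAddress, VirtualSize, SizeOfRawData). Constructed.
UPX_LAYOUT = [("UPX0", 0x1000, 0x10000, 0),        # empty on disk: destination of unpacked code
              ("UPX1", 0x11000, 0xA000, 0xA000),   # compressed payload plus the unpacker stub
              (".rsrc", 0x1B000, 0x7000, 0x7000)]
PLAIN_LAYOUT = [(".text", 0x1000, 0x10000, 0x10000),
                (".rdata", 0x11000, 0xA000, 0xA000),
                (".data", 0x1B000, 0x7000, 0x7000)]


def build_pe(layout, entry_rva, upx_magic=False, signed=False):
    """Minimal PE32 image: DOS header, PE signature, COFF header, optional header, section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt = bytearray(224)                                             # 96 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                            # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase (assumption, see lead-in)
    struct.pack_into("<I", opt, 56, 0x22000)                         # SizeOfImage (assumption, see lead-in)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if signed:  # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4): file offset + size of the Authenticode blob
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x20000, 0x1800)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, raw, 0x400 if raw else 0,
                    0, 0, 0, 0, 0xE0000020)
        for name, vaddr, vsize, raw in layout)
    # Real UPX files carry the "UPX!" marker in the packer header; appended here for the check.
    return dos + b"PE\0\0" + coff + bytes(opt) + table + (b"UPX!" if upx_magic else b"")


def inspect_pe(data):
    """Parse the headers needed for the packer, entry-point and signature checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd_off = opt + 96
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    sec_size = 0
    if ndirs > 4:                                        # security directory present in the table
        _sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, raw))
    entry_section = next((s[0] for s in sections if s[1] <= entry_rva < s[1] + max(s[2], s[3])), None)
    return {
        "sections": sections,
        "entry_rva": entry_rva,
        "entry_section": entry_section,
        "upx_section_names": [s[0] for s in sections[:2]] == ["UPX0", "UPX1"],
        "upx_magic": b"UPX!" in data,
        "zero_raw_first_section": bool(sections) and sections[0][3] == 0,
        "authenticode": sec_size != 0,                   # embedded signature only; catalog signing is not visible here
        "image_range": (image_base, image_base + size_of_image),
    }


def upx_indicators(info):
    """Independent UPX indicators; section names alone are easy to rename, so all three are checked."""
    hits = []
    if info["upx_section_names"]:
        hits.append("section names UPX0/UPX1")
    if info["upx_magic"]:
        hits.append("'UPX!' marker present")
    if info["zero_raw_first_section"] and len(info["sections"]) > 1 \
            and info["entry_section"] == info["sections"][1][0]:
        hits.append("empty first section with entry point in the second (unpacker stub layout)")
    return hits


if __name__ == "__main__":
    for label, layout, rva, magic, signed in (("packed", UPX_LAYOUT, 0x1A000, True, False),
                                               ("plain", PLAIN_LAYOUT, 0x1400, False, True)):
        info = inspect_pe(build_pe(layout, rva, magic, signed))
        print(label, "entry in", info["entry_section"], "| UPX:", upx_indicators(info),
              "| Authenticode:", info["authenticode"], "| image:", [hex(x) for x in info["image_range"]])
```

The entry point landing in UPX1 rather than in a normal code section is what makes the "dump on OEP" technique work: the sandbox breaks once control leaves the stub and lands back in the (now filled) first section, and the dump taken at that moment is what an analyst can load into a disassembler. An empty security directory means only that no Authenticode blob is embedded; a file can still be signed through a catalog, so "Unsigned PE" should be read as "no embedded signature".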

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:35

Reported

2024-06-04 00:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
ShowSuperHidden = 0 turns "Hide protected operating system files" back on in Explorer, so dropped binaries carrying the hidden and system attributes stay out of sight; both resident copies enforce the setting.
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

UPX dump on OEP (original entry point)

Hits: 12 (no per-hit indicator details recorded)

UPX packed file

upx
Hits: 12 (no per-hit indicator details recorded)

Adds Run key to start application

persistence
The key written is RunOnce, not Run: Windows deletes a RunOnce value after it has executed, so each resident binary re-creates both values on every run (note the cross rows, where svchost.exe writes the Explorer value and explorer.exe writes the Svchost value), and the scheduled task listed under Processes provides a second persistence path. The Wow6432Node path shows the writer is a 32-bit process on a 64-bit system, and writing HKLM at all means the sample ran with administrative rights in this detonation.
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe | N/A

Creates scheduled task(s)

persistence
Hits: 3, all from C:\Windows\SysWOW64\schtasks.exe (command lines are listed under Processes; no per-hit indicator details recorded)

Suspicious behavior: EnumeratesProcesses

Process | Hits (no indicator details recorded)
C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe | 17
\??\c:\windows\resources\themes\explorer.exe | 25
\??\c:\windows\resources\svchost.exe | 22

Suspicious behavior: GetForegroundWindowSpam

Process | Hits (no indicator details recorded)
\??\c:\windows\resources\themes\explorer.exe | 1
\??\c:\windows\resources\svchost.exe | 1

Suspicious use of WriteProcessMemory

Every target below is a process the writer launches (see Processes), with four writes per child; this is consistent with process creation by the parent rather than injection into an unrelated process.
Description | Process | Target | Occurrences
PID 1728 wrote to memory of 2884 | C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe | \??\c:\windows\resources\themes\explorer.exe | 4
PID 2884 wrote to memory of 3028 | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe | 4
PID 3028 wrote to memory of 2656 | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe | 4
PID 2656 wrote to memory of 2548 | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | 4
PID 2884 wrote to memory of 2756 | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe | 4
PID 2656 wrote to memory of 2560 | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2656 wrote to memory of 2008 | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2656 wrote to memory of 432 | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe

"C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:38 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:39 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:40 /f
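The behavioral1 rows above describe one reusable pattern: copies of the sample named after Windows binaries (explorer.exe, spoolsv.exe, svchost.exe) running from C:\Windows\Resources, RunOnce values and a daily "svchost" scheduled task pointing at those copies, and ShowSuperHidden forced to 0 by a process that is not the real Explorer. The script below is an added example of detection logic for that pattern, written for this page and not taken from the sandbox or its signature set. The event records are constructed from the rows of this report in a Sysmon-like shape, not real log output; the table of legitimate locations for the three impersonated binaries and the rule that no executable belongs under C:\Windows\Resources are the author's assumptions.

```python
"""Added example (not sandbox code): detection rules for the persistence/evasion pattern
in this report, run over constructed Sysmon-style events built from the report's rows."""
import ntpath
import re

# Assumption: where the impersonated Windows binaries legitimately live (lower-case paths).
LEGIT_LOCATIONS = {
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "spoolsv.exe": {r"c:\windows\system32\spoolsv.exe"},
}
# Assumption: no legitimate executable is dropped under this directory.
ANOMALOUS_DIR = r"c:\windows\resources"
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)   # schtasks /tr <program>


def norm(path):
    """Normalise a path as printed by sandboxes/Sysmon: drop the NT prefix \\??\\,
    collapse doubled backslashes from registry escaping, strip quotes, lower-case."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("\\\\", "\\").lower()


def first_token(cmdline):
    """Executable part of a command line, honouring a quoted first argument."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def suspicious_target(path):
    """Reason string if a program path is a masqueraded system binary or lives under
    the anomalous directory; None when it looks legitimate."""
    p = norm(path)
    name = ntpath.basename(p)
    if name in LEGIT_LOCATIONS and p not in LEGIT_LOCATIONS[name]:
        return f"{name} masqueraded at {p}"
    if p == ANOMALOUS_DIR or p.startswith(ANOMALOUS_DIR + "\\"):
        return f"executable under {ANOMALOUS_DIR}: {p}"
    return None


def analyze(events):
    """Return (rule, process, detail) findings for process_create and registry_set events."""
    findings = []
    for ev in events:
        proc = ev["process"]
        if ev["type"] == "process_create":
            reason = suspicious_target(proc)
            if reason:
                findings.append(("masquerading", proc, reason))
            if ntpath.basename(norm(proc)) == "schtasks.exe" and "/create" in ev["cmdline"].lower():
                m = TR_RE.search(ev["cmdline"])
                target = (m.group(1) or m.group(2)) if m else ""
                reason = suspicious_target(target) if target else None
                if reason:
                    findings.append(("scheduled_task_persistence", ev.get("parent", proc), reason))
        elif ev["type"] == "registry_set":
            key = ev["key"].lower()
            if "\\currentversion\\run\\" in key or "\\currentversion\\runonce\\" in key:
                reason = suspicious_target(first_token(ev["data"]))
                if reason:
                    findings.append(("autorun_persistence", proc, f"{ev['key']} -> {reason}"))
            elif key.endswith("\\explorer\\advanced\\showsuperhidden") and ev["data"] == "0":
                if norm(proc) not in LEGIT_LOCATIONS["explorer.exe"]:
                    findings.append(("hidden_files_evasion", proc, "ShowSuperHidden=0 set by a non-Explorer process"))
    return findings


# Constructed events mirroring the behavioral1 rows (plus two benign controls at the end).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe"
FAKE_EXPLORER = r"\??\c:\windows\resources\themes\explorer.exe"
FAKE_SPOOLSV = r"\??\c:\windows\resources\spoolsv.exe"
FAKE_SVCHOST = r"\??\c:\windows\resources\svchost.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
ADVANCED = r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE_EVENTS = [
    {"type": "process_create", "process": FAKE_EXPLORER, "cmdline": r"c:\windows\resources\themes\explorer.exe", "parent": SAMPLE},
    {"type": "process_create", "process": FAKE_SPOOLSV, "cmdline": r"c:\windows\resources\spoolsv.exe SE", "parent": FAKE_EXPLORER},
    {"type": "process_create", "process": FAKE_SVCHOST, "cmdline": r"c:\windows\resources\svchost.exe", "parent": FAKE_SPOOLSV},
    {"type": "process_create", "process": r"C:\Windows\SysWOW64\schtasks.exe", "parent": FAKE_SVCHOST,
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:38 /f'},
    {"type": "registry_set", "process": FAKE_SVCHOST, "key": RUNONCE + r"\Svchost", "data": r"c:\\windows\\resources\\svchost.exe RO"},
    {"type": "registry_set", "process": FAKE_EXPLORER, "key": RUNONCE + r"\Explorer", "data": r"c:\\windows\\resources\\themes\\explorer.exe RO"},
    {"type": "registry_set", "process": FAKE_EXPLORER, "key": ADVANCED + r"\ShowSuperHidden", "data": "0"},
    # Benign controls (constructed): the real Explorer and svchost must not be flagged.
    {"type": "process_create", "process": r"C:\Windows\Explorer.exe", "cmdline": r"C:\Windows\Explorer.exe", "parent": FAKE_EXPLORER},
    {"type": "registry_set", "process": r"C:\Windows\explorer.exe", "key": ADVANCED + r"\ShowSuperHidden", "data": "0"},
]

if __name__ == "__main__":
    for rule, proc, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {proc}: {detail}")
```

Path normalisation does most of the work: sandbox output carries the NT object-manager prefix \??\ and registry data shows doubled backslashes, and a rule that compares raw strings against C:\Windows\explorer.exe misses both. The masquerading rule is deliberately based on full path rather than file name alone, because svchost.exe and explorer.exe legitimately exist in more than one directory on a 64-bit system.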

Network

N/A

Files

memory/1728-57-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3028-56-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2548-54-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 f4effff33b5d7d43c9838466c8c1c9aa
SHA1 ddbe0c1309e63d839c7a7c266b7c90fd9ca8d609
SHA256 e7e2beb931f25365ecc1650f94490bdb20934983d50274def475baff83f626f2
SHA512 f8baf359cbb366df04e4e409d2d59aeb1b961ffb592ca340a446920edaaaa33a4c054f8122b5de4869e0034c2684ffd4f7813a36b91e3e205392db047caf2be8

\??\c:\windows\resources\svchost.exe

MD5 1b7ed222c8d94f8c708b1a253be5ee4a
SHA1 67078dd40641db4aed2bb864c149ce737c5f909a
SHA256 9bfda10129ab4885f82e147382c0219adb6048a7e2d682f7302a0394d88de749
SHA512 998302f5bd11c7bfe2ad0d305aebca27718f832fe688537795e2a4736c46b793102a4fd7e66408254c6d352d81c05e74a485aee0f4f660541ee4b26f35f551b4

memory/3028-43-0x00000000002C0000-0x00000000002E2000-memory.dmp

memory/2884-29-0x0000000000260000-0x0000000000282000-memory.dmp

\??\c:\windows\resources\themes\explorer.exe

MD5 301ba6945f02398345678284d8604fbc
SHA1 aadc20fd55eb50714f45680e6c3c87b0f5d50167
SHA256 70eada70a7e9ea65749540208e19443d45cdf3dd48d00fff63344c3ef6cd7258
SHA512 d3a367ad1076f7aa6ec4d09fe605700ea275dcb78f175104c48651ce6ed908c94457f52961f9c480ad613cb488fa820b4200071a6b2fcbf0335e694bf1d09d45

memory/1728-12-0x0000000000280000-0x00000000002A2000-memory.dmp

memory/2884-15-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1728-13-0x0000000000280000-0x00000000002A2000-memory.dmp

memory/1728-0-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2884-58-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2656-59-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2884-68-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:35

Reported

2024-06-04 00:38

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

UPX dump on OEP (original entry point)

Hits: 11 (no per-hit indicator details recorded)

UPX packed file

upx
Hits: 11 (no per-hit indicator details recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Process | Hits (no indicator details recorded)
C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe | 34
\??\c:\windows\resources\themes\explorer.exe | 30

Suspicious behavior: GetForegroundWindowSpam

Process | Hits (no indicator details recorded)
\??\c:\windows\resources\themes\explorer.exe | 1
\??\c:\windows\resources\svchost.exe | 1

Suspicious use of WriteProcessMemory

Description | Process | Target | Occurrences
PID 2788 wrote to memory of 1404 | C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe | \??\c:\windows\resources\themes\explorer.exe | 3
PID 1404 wrote to memory of 3096 | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe | 3
PID 3096 wrote to memory of 4964 | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe | 3
PID 4964 wrote to memory of 2388 | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe

"C:\Users\Admin\AppData\Local\Temp\9a0521003ca31bafa42375862c38ab408ee579950ae9a918ec683b02ad6aee34.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

Network

The table does not attribute connections to processes. The rows (reverse-DNS lookups against 8.8.8.8 and TLS to Bing hosts) are consistent with background activity of the Windows 10 image and Edge (msedge.exe appears in the process list above), and behavioral1 recorded no network activity at all, so treat them as sandbox noise rather than sample command-and-control unless process attribution shows otherwise.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/2788-0-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 a5240f9bf961f57264e4e5b147764132
SHA1 5cd2ac172da4b2ad001a3f1e184ae044f08f36c7
SHA256 553a4f4f7fd07e12131d71cc0273cfac06b3c1b63daa8b89b0971438d19e748a
SHA512 7290b8468d97e23abd6225bb0890f63e7598691a4472c1eda021dc9bbd973e3f0e25ad4d643b2b9fa21e31746a3f4eada8c324bb06bee4111d825cdf913e189f

memory/1404-9-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 3c58f059f6e667fc26ab76f06894cd47
SHA1 8d8074bcc60d11b26159b97fe356b7c24e34b7b6
SHA256 dc783f671d1eacd9a734a6607952f40289bf277ab7fe4c86077de53120a113ce
SHA512 e88aebe3b5d17d6005a52a83aafd89a260b16621034e98cfdcfbe6066963cd5328e3cc17c0d13249ed2514f0e443f55903a589efbb6b4916e0256bf36398a57c

C:\Windows\Resources\svchost.exe

MD5 0fc7ec30c1dcfe4c4df9e9cdde4c22e9
SHA1 6f5d23f4d9e19afaf8dcb74e79026384a392e8dd
SHA256 8357385cb8ca3bc8d8e8cfe1cf097823ea48a78608aa606e2bd7c5a153e996e9
SHA512 300b234370cb116d61246c8b2d6cc705b4826d7d936e377e8c1192f9ec573357d0f8d9fabe3a7f4ad4b8ac4e5858b735268bd06381e6680c87b530f010c71530

memory/2388-34-0x0000000000400000-0x0000000000422000-memory.dmp

memory/3096-36-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2788-37-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1404-38-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4964-39-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1404-48-0x0000000000400000-0x0000000000422000-memory.dmp