Malware Analysis Report

2024-07-28 11:05

Sample ID 240626-cc9t2axgpd
Target 2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6
SHA256 2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6
Tags
oss_ak bootkit persistence
score
9/10


Analysis Overview

score
9/10

SHA256

2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6

Threat Level: Likely malicious

The file 2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6 was found to be: Likely malicious.

Malicious Activity Summary

oss_ak bootkit persistence

detect oss ak

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-26 01:57

Signatures

detect oss ak

oss_ak
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 01:57

Reported

2024-06-26 01:59

Platform

win7-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe"

Signatures

detect oss ak

oss_ak
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\L: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\G: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\T: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\O: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\X: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\U: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\V: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\M: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\J: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\S: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\Z: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\I: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\N: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\Y: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\H: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\P: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\W: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\K: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\R: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\svchost.exe | N/A
File opened (read-only) | \??\E: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\Q: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\svchost.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2616 set thread context of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Windows Media Player\wmplayer\LSML\ | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmplayer\ | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File created | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmplayer\LSML\PZ.w | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\RECYCLE.BIN | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened for modification | C:\Windows\RECYCLE.BIN | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened for modification | C:\Windows\RECYCLE.BIN | C:\Windows\SysWOW64\svchost.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2232 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 2232 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2232 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2232 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
PID 2232 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
PID 2232 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
PID 2232 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

"C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe"

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /delete /tn WindowsMediaPlayer /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /tn WindowsMediaPlayer /f

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f

C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe

"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp
US | 8.8.8.8:53 | whois.pconline.com.cn | udp

Files

\Program Files\Windows Media Player\wmplayer\wmplayer.exe

MD5 785124e9e0ab753f092765d87db2e6c5
SHA1 134dc470100b161a9d532608525d81a7e4abb671
SHA256 8c597cb6a277c0a0527bf287cb1612ab8a70df4b938603eaaf3f404bbd90d336
SHA512 bf48d9cb3179c4aa1a2d91798c22a58532f31d36194a52c195aa138773e97359e07d82c3679547e299f10a4dc261712a9ee1c8c8e51037c63251dc00d713477b

memory/2692-18-0x0000000000400000-0x00000000007CA000-memory.dmp

C:\Windows\RECYCLE.BIN

MD5 d80c93252b25b8d1b73c3c33d829e272
SHA1 e90ed95a08585b71f9f22b46d2bfb4d2ce13edc7
SHA256 0fd4ff0abffd1dc281bdfeac46df6a48dfc0cb7ed129726eb1abba5a2987447c
SHA512 a362a3338676ddb8b05e226ab6026759d25331dc7ab528e6e852dc1a84a09a6eeb73d5c6a731cc2428d491654cb381b2b81320bdc361ad033db0a4a70fb8c911

memory/2692-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2692-20-0x0000000000400000-0x00000000007CA000-memory.dmp

memory/2692-42-0x0000000000400000-0x00000000007CA000-memory.dmp

C:\Windows\RECYCLE.BIN

MD5 ef0eb3bf0176e59ed7025e27e1a07d81
SHA1 bc00ff141dd12ce60ee2e1b3b115700ea4bfcdff
SHA256 0c97abe8babae040749aed28eb33743e608e9f20cae5d27304501ed630969772
SHA512 4de1cef3b6a0f2cb938ebe51145884e9825ad7becafc0b50ab8ab76ed3c52d5845df21da54feddec3d7faf0afac4d303ab7e946bb9b772bd9d76b2b9082fef68

memory/2692-29-0x0000000000400000-0x00000000007CA000-memory.dmp

memory/2692-26-0x0000000000400000-0x00000000007CA000-memory.dmp

memory/2692-25-0x0000000000400000-0x00000000007CA000-memory.dmp

memory/2692-22-0x0000000000400000-0x00000000007CA000-memory.dmp

memory/2692-19-0x0000000000400000-0x00000000007CA000-memory.dmp

memory/2692-43-0x0000000000400000-0x00000000007CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 01:57

Reported

2024-06-26 01:59

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe"

Signatures

detect oss ak

oss_ak
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\B: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\E: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\K: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\Q: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\I: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\J: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\O: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\P: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\R: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\W: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\Z: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\H: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\L: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\M: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\U: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\X: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\Y: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\G: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\V: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\A: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\N: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\S: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\T: | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Windows Media Player\wmplayer\LSML\ | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmplayer\ | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File created | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmplayer\LSML\PZ.w | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\RECYCLE.BIN | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
File opened for modification | C:\Windows\RECYCLE.BIN | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A
N/A | N/A | C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
PID 4640 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4012 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4640 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe C:\Windows\SysWOW64\cmd.exe
PID 3676 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4640 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
PID 3764 wrote to memory of 944 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3432 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 1636 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 2784 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 4448 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 4592 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 3108 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 3448 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 1800 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe
PID 3764 wrote to memory of 1960 N/A C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

"C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe"

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /delete /tn WindowsMediaPlayer /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /tn WindowsMediaPlayer /f

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f

C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe

"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 whois.pconline.com.cn udp
CN 14.29.101.168:80 whois.pconline.com.cn tcp
CN 14.29.101.160:80 whois.pconline.com.cn tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 14.29.101.169:80 whois.pconline.com.cn tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe

MD5 785124e9e0ab753f092765d87db2e6c5
SHA1 134dc470100b161a9d532608525d81a7e4abb671
SHA256 8c597cb6a277c0a0527bf287cb1612ab8a70df4b938603eaaf3f404bbd90d336
SHA512 bf48d9cb3179c4aa1a2d91798c22a58532f31d36194a52c195aa138773e97359e07d82c3679547e299f10a4dc261712a9ee1c8c8e51037c63251dc00d713477b

C:\Windows\RECYCLE.BIN

MD5 cc99b98acccbc375c5b1ff7485d52fb7
SHA1 484dc697d64625b37cc9e53e5108d3b2530dabf4
SHA256 dcb786e381fae3c782fe8059b9b87257bbb04e5f4dbb2ccd73acacce3961ceb7
SHA512 c60da6bfa5a30512c09b105ee51da3c9c44f428c190412550e07e76e1383bc49ae70b84f7b56b6953c9b30c7fa3ba4dbed3efd822c8b9ea07f9662520925e9ba

C:\Windows\RECYCLE.BIN

MD5 b062e828ed7652ffa91ea845d0ef1bf1
SHA1 3c37e9c764f9748002491be2d19154ed812d4d19
SHA256 067e24d6a1ab178976b85e286dd39517799c277a40c1965afc7807714405ff51
SHA512 4703fbb56c0b84cf8002ca653703dae4e2ba0d013703affbbeb5c1260f0b2cf830469b6349765f0de7ccde82e215c2c2b3398e1842976c61516cfa2be3787ba9