Malware Analysis Report

2024-10-19 01:51

Sample ID 240901-a9yrxsvhjj
Target 026f086162e7d6d864ca4dc744149bc0.zip
SHA256 0479dd4c50da096ebc1143c05d2f1880ffa2138686430736f078c59c46252e0d
Tags
tofsee discovery evasion execution persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0479dd4c50da096ebc1143c05d2f1880ffa2138686430736f078c59c46252e0d

Threat Level: Known bad

The file 026f086162e7d6d864ca4dc744149bc0.zip was found to be: Known bad.

Malicious Activity Summary

tofsee discovery evasion execution persistence privilege_escalation trojan

Tofsee

Windows security bypass

Creates new service(s)

Sets service image path in registry

Modifies Windows Firewall

Deletes itself

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-09-01 00:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 00:55

Reported

2024-09-01 00:57

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sydkqqrh\ImagePath = "C:\\Windows\\SysWOW64\\sydkqqrh\\gicrnjfw.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4548 set thread context of 2620 N/A C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4964 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 4964 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\netsh.exe
PID 4964 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\netsh.exe
PID 4964 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\netsh.exe
PID 4548 wrote to memory of 2620 N/A C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4548 wrote to memory of 2620 N/A C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4548 wrote to memory of 2620 N/A C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4548 wrote to memory of 2620 N/A C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4548 wrote to memory of 2620 N/A C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe

"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sydkqqrh\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gicrnjfw.exe" C:\Windows\SysWOW64\sydkqqrh\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create sydkqqrh binPath= "C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description sydkqqrh "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start sydkqqrh

C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe

C:\Windows\SysWOW64\sydkqqrh\gicrnjfw.exe /d"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1164

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 532

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.231.239.246:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.11.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 246.239.231.20.in-addr.arpa udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 67.195.204.79:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 108.177.96.27:25 smtp.google.com tcp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 quadoil.ru udp

Files

memory/4964-1-0x00000000008B0000-0x00000000009B0000-memory.dmp

memory/4964-2-0x0000000002390000-0x00000000023A3000-memory.dmp

memory/4964-3-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gicrnjfw.exe

MD5 9f94fd80627fdd6689a20515aca2c313
SHA1 eda48e71420da39d4765526d768c41dba3168fa3
SHA256 dce3ee8443810b2548109d38e9cdcd48e1c8326a3c3fc2cebaf4cb8f0302458c
SHA512 36270a09dfc54eab93395c2a9cb2002ca2c3abf7f3d64054101c7bd7ce314b82ce3f9650e80a3108f1716c9564784fb54a7c9e5387ce184b6279e37f0c867e4f

memory/4964-10-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4964-9-0x0000000002390000-0x00000000023A3000-memory.dmp

memory/4964-8-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4548-11-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2620-12-0x0000000000F60000-0x0000000000F75000-memory.dmp

memory/2620-14-0x0000000000F60000-0x0000000000F75000-memory.dmp

memory/2620-15-0x0000000000F60000-0x0000000000F75000-memory.dmp

memory/4548-17-0x0000000000400000-0x0000000000785000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 00:55

Reported

2024-09-01 00:58

Platform

win7-20240705-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tfuzmimm = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tfuzmimm\ImagePath = "C:\\Windows\\SysWOW64\\tfuzmimm\\ydndrw.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2880 set thread context of 2392 N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\sc.exe
PID 2488 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\netsh.exe
PID 2488 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\netsh.exe
PID 2488 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\netsh.exe
PID 2488 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2392 N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2392 N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2392 N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2392 N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2392 N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2392 N/A C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe

"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tfuzmimm\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ydndrw.exe" C:\Windows\SysWOW64\tfuzmimm\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create tfuzmimm binPath= "C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe /d\"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description tfuzmimm "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start tfuzmimm

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe

C:\Windows\SysWOW64\tfuzmimm\ydndrw.exe /d"C:\Users\Admin\AppData\Local\Temp\3ef291e4dc9f5a6e42ae653acae1e014e90bf658c4160f6e8de7f2e4b0538460.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
NL 20.76.201.171:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.8.49:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 quadoil.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta5.am0.yahoodns.net udp
US 67.195.228.111:25 mta5.am0.yahoodns.net tcp
US 8.8.8.8:53 lakeflex.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 173.194.69.27:25 smtp.google.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp

Files

memory/2488-2-0x0000000000220000-0x0000000000233000-memory.dmp

memory/2488-1-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/2488-3-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ydndrw.exe

MD5 70924a5c4a0caf25c918a3248c6c15d8
SHA1 4eec4da1eafc6ecf7c7371f6152dc1e504a6bedd
SHA256 82fa33db40bc2755ef020ae6615202a50ee06488f8096a8d493274b535914a65
SHA512 e8bc82c1a20113ecdee0c32cee1554af55bb4f7246b192a767102dc9c114a95c9649f27910e89b2ff17619ae6e4322155d8a789c8edbe3f969907232441fae1f

memory/2488-8-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2488-7-0x0000000000220000-0x0000000000233000-memory.dmp

memory/2488-6-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2392-14-0x00000000000C0000-0x00000000000D5000-memory.dmp

memory/2392-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2392-11-0x00000000000C0000-0x00000000000D5000-memory.dmp

memory/2392-16-0x00000000000C0000-0x00000000000D5000-memory.dmp

memory/2880-17-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2392-18-0x00000000000C0000-0x00000000000D5000-memory.dmp