Malware Analysis Report

2024-10-19 01:51

Sample ID 240901-lltzlsxbrj
Target c4c9428ea6a30325f8ac6a3fecc199a1.zip
SHA256 65355c0a686d8ba5f7551152571545331d64fe207a4f6c44ae67b240f3cbb19c
Tags
tofsee discovery evasion execution persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

65355c0a686d8ba5f7551152571545331d64fe207a4f6c44ae67b240f3cbb19c

Threat Level: Known bad

The file c4c9428ea6a30325f8ac6a3fecc199a1.zip was found to be: Known bad.

Malicious Activity Summary

tofsee discovery evasion execution persistence privilege_escalation trojan

Windows security bypass

Tofsee

Creates new service(s)

Modifies Windows Firewall

Sets service image path in registry

Deletes itself

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 09:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 09:37

Reported

2024-09-01 09:40

Platform

win7-20240704-en

Max time kernel

145s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\liurvify = "0" | C:\Windows\SysWOW64\svchost.exe | N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\liurvify\ImagePath = "C:\\Windows\\SysWOW64\\liurvify\\eyualvnt.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2800 set thread context of 2772 | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2308 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 2308 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\netsh.exe
PID 2308 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\netsh.exe
PID 2308 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\netsh.exe
PID 2308 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\netsh.exe
PID 2800 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | C:\Windows\SysWOW64\svchost.exe
PID 2800 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | C:\Windows\SysWOW64\svchost.exe
PID 2800 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | C:\Windows\SysWOW64\svchost.exe
PID 2800 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | C:\Windows\SysWOW64\svchost.exe
PID 2800 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | C:\Windows\SysWOW64\svchost.exe
PID 2800 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\liurvify\eyualvnt.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe

"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\liurvify\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\eyualvnt.exe" C:\Windows\SysWOW64\liurvify\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create liurvify binPath= "C:\Windows\SysWOW64\liurvify\eyualvnt.exe /d\"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description liurvify "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start liurvify

C:\Windows\SysWOW64\liurvify\eyualvnt.exe

C:\Windows\SysWOW64\liurvify\eyualvnt.exe /d"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
US 20.236.44.162:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.194.17:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 98.136.96.77:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.145.26:25 smtp.google.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 refabyd.info udp

Files

memory/2308-2-0x0000000000020000-0x0000000000033000-memory.dmp

memory/2308-1-0x0000000000A00000-0x0000000000B00000-memory.dmp

memory/2308-3-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eyualvnt.exe

MD5 ee75ff3cbb690d3302cfdaf6214064bf
SHA1 ed64ad3cb48625b7613e48984ec73f30a1c2ecce
SHA256 9a505303db0bb9f469f8857393e4e4d4edb38c8704c06457efe9c4b8c1b99644
SHA512 58973796d4497eb25cce57ef9a61ecfe102789c0cf2e92ba5be6a4c3464028493ebd2b1e1ded34762000993984c109d51ca516ad7d28d6e4c5e372c7802f60d0

memory/2308-8-0x0000000000400000-0x0000000000871000-memory.dmp

memory/2308-9-0x0000000000020000-0x0000000000033000-memory.dmp

memory/2308-10-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2772-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-14-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2772-11-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2772-16-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2800-17-0x0000000000400000-0x0000000000871000-memory.dmp

memory/2772-18-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 09:37

Reported

2024-09-01 09:40

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tsyhuvpk\ImagePath = "C:\\Windows\\SysWOW64\\tsyhuvpk\\dpwqvbow.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4228 set thread context of 4532 | N/A | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1768 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\sc.exe
PID 1768 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\netsh.exe
PID 1768 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\netsh.exe
PID 1768 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe | C:\Windows\SysWOW64\netsh.exe
PID 4228 wrote to memory of 4532 | N/A | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | C:\Windows\SysWOW64\svchost.exe
PID 4228 wrote to memory of 4532 | N/A | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | C:\Windows\SysWOW64\svchost.exe
PID 4228 wrote to memory of 4532 | N/A | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | C:\Windows\SysWOW64\svchost.exe
PID 4228 wrote to memory of 4532 | N/A | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | C:\Windows\SysWOW64\svchost.exe
PID 4228 wrote to memory of 4532 | N/A | C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe

"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tsyhuvpk\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dpwqvbow.exe" C:\Windows\SysWOW64\tsyhuvpk\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create tsyhuvpk binPath= "C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe /d\"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description tsyhuvpk "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start tsyhuvpk

C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe

C:\Windows\SysWOW64\tsyhuvpk\dpwqvbow.exe /d"C:\Users\Admin\AppData\Local\Temp\4fb9ec0883d7b509a16d73e2181f5236d13042706cb8bbe82091f8a9db4575d1.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 888

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4228 -ip 4228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 512

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
AU 20.70.246.20:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.8.49:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 20.246.70.20.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 98.136.96.91:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.145.27:25 smtp.google.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp

Files

memory/1768-1-0x00007FFA3CED0000-0x00007FFA3D0C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dpwqvbow.exe

MD5 3bf6f34578f196937640e2b3dd913a49
SHA1 1c418f747ac30a525653eb354cfd33c53a467f5c
SHA256 ede636ab4f977b4f746690abc5a03ae41b729fca5effcaf7d629aac1d69843a6
SHA512 f4c4415984a9ce25dd2dc4b4242808941520bc45bf6bd39f744b1c270e36480f4b4f168d2f499c15a791bf948b4427a6c22fedc3eaaaeef581d5da276ba6b208

memory/1768-6-0x0000000000400000-0x0000000000871000-memory.dmp

memory/1768-7-0x00007FFA3CED0000-0x00007FFA3D0C5000-memory.dmp

memory/4228-8-0x00007FFA3CED0000-0x00007FFA3D0C5000-memory.dmp

memory/4532-9-0x0000000000B20000-0x0000000000B35000-memory.dmp

memory/4532-11-0x0000000000B20000-0x0000000000B35000-memory.dmp

memory/4532-12-0x0000000000B20000-0x0000000000B35000-memory.dmp

memory/4228-13-0x0000000000400000-0x0000000000871000-memory.dmp