Malware Analysis Report

2024-10-23 16:25

Sample ID 240903-l5f7vsvdpc
Target d3bba24a43c02f7e90c13981e0fba6551e414159ab5a8f066cf44803177a5cce
SHA256 d3bba24a43c02f7e90c13981e0fba6551e414159ab5a8f066cf44803177a5cce
Tags
tofsee discovery evasion execution persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d3bba24a43c02f7e90c13981e0fba6551e414159ab5a8f066cf44803177a5cce

Threat Level: Known bad

The file d3bba24a43c02f7e90c13981e0fba6551e414159ab5a8f066cf44803177a5cce was found to be: Known bad.

Malicious Activity Summary

tofsee discovery evasion execution persistence privilege_escalation trojan

Tofsee

Windows security bypass

Sets service image path in registry

Creates new service(s)

Modifies Windows Firewall

Deletes itself

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-03 10:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-03 10:06

Reported

2024-09-03 10:09

Platform

win7-20240903-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\lyexruhd = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\lyexruhd\ImagePath = "C:\\Windows\\SysWOW64\\lyexruhd\\fkgywzl.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\lyexruhd\fkgywzl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2920 set thread context of 2712 N/A C:\Windows\SysWOW64\lyexruhd\fkgywzl.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\lyexruhd\fkgywzl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\sc.exe
PID 1620 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\netsh.exe
PID 2920 wrote to memory of 2712 N/A C:\Windows\SysWOW64\lyexruhd\fkgywzl.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe

"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lyexruhd\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fkgywzl.exe" C:\Windows\SysWOW64\lyexruhd\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create lyexruhd binPath= "C:\Windows\SysWOW64\lyexruhd\fkgywzl.exe /d\"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description lyexruhd "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start lyexruhd

C:\Windows\SysWOW64\lyexruhd\fkgywzl.exe

C:\Windows\SysWOW64\lyexruhd\fkgywzl.exe /d"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
AU 20.70.246.20:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.10.2:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 67.195.204.72:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
IE 209.85.203.27:25 smtp.google.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 refabyd.info udp

Files

C:\Users\Admin\AppData\Local\Temp\fkgywzl.exe

MD5 6d2926bc8ebe654bd683ed58eeef33b4
SHA1 382a42f59dcb976d135a8ab3c9d85e105707a74f
SHA256 d5f60fb05126cd62f7e8d2a6a5dc0582b6aa723f0ff65810c9838812032ebfcf
SHA512 f594a484eec857b942db098592e6785f12dfbac45fc81dc6e3e82c5c3a6dff6ddd824fb47de638240ec911761527743fe93d432c66054ec30155c10b5e6f7e4d

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-03 10:06

Reported

2024-09-03 10:09

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ybexaaft\ImagePath = "C:\\Windows\\SysWOW64\\ybexaaft\\pnxvvluk.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ybexaaft\pnxvvluk.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 632 set thread context of 1844 N/A C:\Windows\SysWOW64\ybexaaft\pnxvvluk.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ybexaaft\pnxvvluk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\cmd.exe
PID 3384 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\cmd.exe
PID 3384 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\sc.exe
PID 3384 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\sc.exe
PID 3384 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\sc.exe
PID 3384 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe C:\Windows\SysWOW64\netsh.exe
PID 632 wrote to memory of 1844 N/A C:\Windows\SysWOW64\ybexaaft\pnxvvluk.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe

"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ybexaaft\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pnxvvluk.exe" C:\Windows\SysWOW64\ybexaaft\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create ybexaaft binPath= "C:\Windows\SysWOW64\ybexaaft\pnxvvluk.exe /d\"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description ybexaaft "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start ybexaaft

C:\Windows\SysWOW64\ybexaaft\pnxvvluk.exe

C:\Windows\SysWOW64\ybexaaft\pnxvvluk.exe /d"C:\Users\Admin\AppData\Local\Temp\78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3384 -ip 3384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3384 -ip 3384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3384 -ip 3384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 596

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 632 -ip 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 632 -ip 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 632 -ip 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 536

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.236.44.162:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.42.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 162.44.236.20.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 67.195.204.72:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
IE 172.253.116.26:25 smtp.google.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp

Files

C:\Users\Admin\AppData\Local\Temp\pnxvvluk.exe

MD5 6e0f0e792b3bbf974fbf995eb5839531
SHA1 e3c073e378c9c4622af0e7c5e0fc920ca5595879
SHA256 9d747944c0164ae7d7be3505b69131934abe1cd11a56fb9d52a170e54abcbf07
SHA512 80f30a064803618fb749424e6731f68ddea3431544aac9a3b9886b6598f4ea22013b02b1b343768b533a5138733a616f57004a91fa32f1736d86a2003cd5c953
