Malware Analysis Report

2024-10-23 16:27

Sample ID 240903-q247qszbmb
Target 20240903ac20eaa882bf941cebe29670759c588emafia
SHA256 ca525fe8bf95a32af296ac08e7a99b76bb7e06cb55e40d66ebff0228c9cb2186
Tags: tofsee discovery evasion execution persistence privilege_escalation trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ca525fe8bf95a32af296ac08e7a99b76bb7e06cb55e40d66ebff0228c9cb2186

Threat Level: Known bad

The file 20240903ac20eaa882bf941cebe29670759c588emafia was found to be: Known bad.

Malicious Activity Summary

tofsee discovery evasion execution persistence privilege_escalation trojan

Windows security bypass

Tofsee

Sets service image path in registry

Creates new service(s)

Modifies Windows Firewall

Executes dropped EXE

Deletes itself

Checks computer location settings

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-03 13:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-03 13:46
Reported: 2024-09-03 13:48
Platform: win7-20240903-en
Max time kernel: 144s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\mmpusdud = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mmpusdud\ImagePath = "C:\\Windows\\SysWOW64\\mmpusdud\\aqwpqyox.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2836 set thread context of 1312 N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2100 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 2836 wrote to memory of 1312 N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe C:\Windows\SysWOW64\svchost.exe
PID 2836 wrote to memory of 1312 N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe C:\Windows\SysWOW64\svchost.exe
PID 2836 wrote to memory of 1312 N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe C:\Windows\SysWOW64\svchost.exe
PID 2836 wrote to memory of 1312 N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe C:\Windows\SysWOW64\svchost.exe
PID 2836 wrote to memory of 1312 N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe C:\Windows\SysWOW64\svchost.exe
PID 2836 wrote to memory of 1312 N/A C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe C:\Windows\SysWOW64\svchost.exe
PID 2100 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\netsh.exe
PID 2100 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\netsh.exe
PID 2100 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\netsh.exe
PID 2100 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe

"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mmpusdud\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aqwpqyox.exe" C:\Windows\SysWOW64\mmpusdud\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create mmpusdud binPath= "C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe /d\"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description mmpusdud "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start mmpusdud

C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe

C:\Windows\SysWOW64\mmpusdud\aqwpqyox.exe /d"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
AU 20.70.246.20:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.40.26:25 microsoft-com.mail.protection.outlook.com tcp
AU 43.231.4.7:443 tcp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 67.195.204.73:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.27.26:25 smtp.google.com tcp
AU 43.231.4.7:443 tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
AU 43.231.4.7:443 tcp

Files

memory/2100-1-0x0000000000620000-0x0000000000720000-memory.dmp

memory/2100-2-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aqwpqyox.exe

MD5 0656f25c9d0bc4e83492b61d6abf1e6f
SHA1 e5572890b9db2baf16b333fc270e3def1047450b
SHA256 ed19a444d08bf7caa0fa09dcd10969a384d76f4b873e0b075a1c0ab5218b3f3f
SHA512 7f35878e34742c925ef0a33bf61a1ca11e4634089b94dc749879bc82e0243833a5de7979a0f1edb3b4b5b8d33d96ae03927b7a6ad1294ab62d05990ddf583728

memory/1312-7-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1312-10-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1312-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2836-11-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2100-14-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2100-13-0x0000000000400000-0x000000000051A000-memory.dmp

memory/1312-15-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1312-16-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-03 13:46
Reported: 2024-09-03 13:48
Platform: win10v2004-20240802-en
Max time kernel: 145s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence execution

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xyhehxks\ImagePath = "C:\\Windows\\SysWOW64\\xyhehxks\\gphgpbfw.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4068 set thread context of 2568 N/A C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\sc.exe
PID 4948 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\netsh.exe
PID 4948 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\netsh.exe
PID 4948 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe C:\Windows\SysWOW64\netsh.exe
PID 4068 wrote to memory of 2568 N/A C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4068 wrote to memory of 2568 N/A C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4068 wrote to memory of 2568 N/A C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4068 wrote to memory of 2568 N/A C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe C:\Windows\SysWOW64\svchost.exe
PID 4068 wrote to memory of 2568 N/A C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe

"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xyhehxks\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gphgpbfw.exe" C:\Windows\SysWOW64\xyhehxks\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create xyhehxks binPath= "C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe /d\"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description xyhehxks "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start xyhehxks

C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe

C:\Windows\SysWOW64\xyhehxks\gphgpbfw.exe /d"C:\Users\Admin\AppData\Local\Temp\20240903ac20eaa882bf941cebe29670759c588emafia.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.231.239.246:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.11.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 246.239.231.20.in-addr.arpa udp
AU 43.231.4.7:443 tcp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta6.am0.yahoodns.net udp
US 67.195.228.110:25 mta6.am0.yahoodns.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
NL 142.250.102.27:25 smtp.google.com tcp
AU 43.231.4.7:443 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
AU 43.231.4.7:443 tcp

Files

memory/4948-1-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/4948-2-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gphgpbfw.exe

MD5 5437c845f91da8244a55e9d1393a78c1
SHA1 40bbb7266ec225bf313c40b250c375f4725b2f2d
SHA256 d928fbc9fb8b0c8dd388c5584c31007dc2e6699214bf734150558eacafe603b8
SHA512 ed02f02ce96bff43dfb13d75d51a85b6edbc1f2ca5e5b22c086d782a4d24f9a6aeecd0f7876339bc9cf228430fda33928b7586e68a715700b291eab8e606396b

memory/4948-7-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4948-6-0x0000000000400000-0x000000000051A000-memory.dmp

memory/4068-9-0x0000000000400000-0x000000000051A000-memory.dmp

memory/4068-10-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2568-11-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

memory/2568-13-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

memory/4068-15-0x0000000000400000-0x000000000051A000-memory.dmp

memory/2568-16-0x0000000000FC0000-0x0000000000FD5000-memory.dmp