Malware Analysis Report

2025-08-10 23:21

Sample ID: 241117-kayyrawbpn
Target: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94
SHA256: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94
Tags: discovery evasion persistence
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94
Threat Level: Known bad

The file af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94 was found to be: Known bad.

Malicious Activity Summary

Tags: discovery evasion persistence

  Modifies visibility of hidden/system files in Explorer
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Drops file in System32 directory
  Drops file in Windows directory
  Unsigned PE
  System Location Discovery: System Language Discovery
  Suspicious use of WriteProcessMemory
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of SetWindowsHookEx
  Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Enterprise Matrix V15. The interactive matrix is not reproduced in this text export; the tactics tagged on the signatures below are Discovery, Defense Evasion, Persistence and Execution.

Analysis: static1

Detonation Overview

Reported: 2024-11-17 08:24

Signatures

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-17 08:24
Reported: 2024-11-17 08:27
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Process | Hits
C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | 34
\??\c:\windows\resources\themes\explorer.exe | 30
(Description, Indicator and Target are N/A for every hit; the 64 otherwise identical rows are collapsed into per-process counts.)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Source PID | Target PID | Writes | Source process | Target process
448 | 5060 | 3 | C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | \??\c:\windows\resources\themes\explorer.exe
5060 | 228 | 3 | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
228 | 3808 | 3 | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
3808 | 2016 | 3 | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
(Indicator is N/A for every row; the repeated rows for each parent/child pair are collapsed into the Writes column. Chain: 448 -> 5060 -> 228 -> 3808 -> 2016.)
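The rows above repeat each parent/child pair three times. The Python below is an added example, not part of the sandbox output: it parses rows in the report's own row format (the behavioral2 rows are embedded as the sample input, and the behavioral1 table parses the same way), collapses them into a parent-to-child tree with a write count per edge, and flags any process whose image name is a Windows system binary (explorer.exe, svchost.exe, spoolsv.exe) running outside that binary's home directory. The home-directory table is this example's assumption, not something the report states. A small, constant number of WriteProcessMemory calls from a parent into a child it has just created matches what CreateProcess itself does when it writes the new process's startup parameters, so on its own this signature corroborates the spawn chain rather than proving code injection.

```python
"""Rebuild the spawn chain from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report. The sample rows below are copied
from the behavioral2 table in the report's own row format; the parser, the tree
rendering and the home-directory table are this example's own.
"""
import re
from collections import defaultdict

# Rows copied from the report (behavioral2). Row format:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
WPM_ROWS = r"""
PID 448 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe \??\c:\windows\resources\themes\explorer.exe
PID 448 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe \??\c:\windows\resources\themes\explorer.exe
PID 448 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe \??\c:\windows\resources\themes\explorer.exe
PID 5060 wrote to memory of 228 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5060 wrote to memory of 228 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5060 wrote to memory of 228 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 228 wrote to memory of 3808 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 228 wrote to memory of 3808 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 228 wrote to memory of 3808 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3808 wrote to memory of 2016 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3808 wrote to memory of 2016 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3808 wrote to memory of 2016 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption of this example: where Windows keeps the genuine binaries whose
# names the dropped files borrow (lower-case, no trailing backslash).
CANONICAL_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def normalize(path: str) -> str:
    """Lower-case the path and drop the NT object-manager prefix the sandbox records."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def is_masquerading(path: str) -> bool:
    """True if the file name is a known system binary but the directory is not its home."""
    directory, _, name = normalize(path).rpartition("\\")
    homes = CANONICAL_DIRS.get(name)
    return homes is not None and directory not in homes


def parse_wpm(text: str) -> list:
    """Parse report rows into (src_pid, dst_pid, src_image, dst_image) tuples."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return edges


def build_tree(edges):
    """Collapse repeated events: parent pid -> {child pid: write count}, plus pid -> image."""
    tree, images = defaultdict(dict), {}
    for src, dst, src_img, dst_img in edges:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        tree[src][dst] = tree[src].get(dst, 0) + 1
    return tree, images


def roots(tree) -> list:
    """PIDs that write into others but were never written into: the chain's origin."""
    children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in children)


def render(tree, images, pid: int, depth: int = 0, out=None) -> list:
    """Indented text tree, one line per process, with a masquerading flag."""
    out = [] if out is None else out
    flag = "   <-- system-binary name outside its home directory" if is_masquerading(images[pid]) else ""
    out.append("  " * depth + f"PID {pid}: {images[pid]}{flag}")
    for child, count in tree.get(pid, {}).items():
        out.append("  " * (depth + 1) + f"({count} WriteProcessMemory call(s) into PID {child})")
        render(tree, images, child, depth + 1, out)
    return out


if __name__ == "__main__":
    tree, images = build_tree(parse_wpm(WPM_ROWS))
    for root in roots(tree):
        print("\n".join(render(tree, images, root)))
```

Run as a script it prints the 448 -> 5060 -> 228 -> 3808 -> 2016 chain with every dropped process flagged; the original sample is not flagged because its name is not one a system binary uses. The same parser applied to the behavioral1 rows produces a branching tree (the dropped explorer.exe also writes into the real C:\Windows\Explorer.exe, and svchost.exe into three schtasks.exe children).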

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | "C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe"
\??\c:\windows\resources\themes\explorer.exe | c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe | c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe PR

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 |  | udp

All recorded traffic consists of PTR (reverse-DNS) queries for public IPv4 addresses sent to 8.8.8.8; no connection to any other destination was recorded in this run, so this table yields no command-and-control indicator.

Files

memory/448-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe
  MD5    0feec4d4d59ed37fdd98cdd6ddcbb51b
  SHA1   3614a1b9a47da1115a8ba8af02e306c27bfecdb5
  SHA256 54cdcff47995bbf7f00a55888ccdb2e7050367247c319fdfb724fb58809766db
  SHA512 f9e5910edb48cdd900b3de30b9f80eb560492a2ddb1306d42906bbb990d76bab93e299ec933a6e66e4d9eb7b96bce0a7e02a2ad36e754028911a493aff21a432

C:\Windows\Resources\spoolsv.exe
  MD5    f9b1b9d116d4170a864c8b24f03c3859
  SHA1   5d149d509b429a620375856d5c26247a9ea0fa4b
  SHA256 cda8e4dec587a08ecfc89c0f8ab02febfcbec77ece40fbbe75fa0f964fcca338
  SHA512 633800bfde868755d264bbe6f0b396da702ff8ddafa7c172bd1993e8231201d345a32800eb5329d4d92e9bbfd609d05d438d4e839b71d416364ce3e4f95bd4cb

C:\Windows\Resources\svchost.exe
  MD5    688c873ec3c8192a5a3bbd189ddcfe25
  SHA1   2b95e73333b38f0239298ea3e4fc85ba717456bf
  SHA256 4a4373bc4138f91b2967845717a453c3743afe809bdd384a9feb6690bf48c27c
  SHA512 5ba4b2e15691d700bf68578acbca5866dd841d76801dd01e0ab42f3d6466105b115ff6b07cfaa5a1c5936a30605cac198c9ed840be2753c62860d88b93ba66c2

memory/2016-32-0x0000000000400000-0x000000000041F000-memory.dmp
memory/228-33-0x0000000000400000-0x000000000041F000-memory.dmp
memory/448-34-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5060-35-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3808-36-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-17 08:24
Reported: 2024-11-17 08:27
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
(The three schtasks command lines are listed under Processes below.)

Suspicious behavior: EnumeratesProcesses

Process | Hits
C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | 17
\??\c:\windows\resources\themes\explorer.exe | 25
\??\c:\windows\resources\svchost.exe | 22
(Description, Indicator and Target are N/A for every hit; the 64 otherwise identical rows are collapsed into per-process counts.)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Source PID | Target PID | Writes | Source process | Target process
1868 | 1992 | 4 | C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | \??\c:\windows\resources\themes\explorer.exe
1992 | 2076 | 4 | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
2076 | 2140 | 4 | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
2140 | 2748 | 4 | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
1992 | 2660 | 4 | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
2140 | 2828 | 4 | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
2140 | 2016 | 4 | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
2140 | 1188 | 4 | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
(Indicator is N/A for every row; the repeated rows for each parent/child pair are collapsed into the Writes column. Main chain: 1868 -> 1992 -> 2076 -> 2140 -> 2748; 1992 additionally writes into the real C:\Windows\Explorer.exe (2660) and 2140 into the three schtasks.exe children.)

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe | "C:\Users\Admin\AppData\Local\Temp\af9a08fb790c568b6e8ad8357f2fa1febdf9b7267d7720ea2e51576d2bd7ba94.exe"
\??\c:\windows\resources\themes\explorer.exe | c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe | c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe | c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe | C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:26 /f
C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:27 /f
C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:28 /f
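The RunOnce values recorded in both behavioral sections, the three schtasks /create command lines above and the ShowSuperHidden writes share one trait: every executable they reference lives under C:\Windows\Resources, a directory that ships themes and accessibility assets, not programs. The Python below is an added example, not sandbox output or the sample's own code: it runs four host-detection rules over constructed records shaped like Sysmon EventID 1 (process create) and EventID 13 (registry value set) events, modelled on the report's rows and mixed with constructed benign controls. The event field names, the rule names and the "Contoso" benign entries are this example's assumptions.

```python
"""Detection rules for the persistence and evasion artifacts in this report.

Added example, not sandbox output. Records are constructed in the shape of
Sysmon EventID 1 (process create) and EventID 13 (registry value set) events,
modelled on the report's rows; the rule names and the 'Contoso' benign controls
are this example's own assumptions.
"""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
SHOW_SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# /tn, /tr, /sc, /st with either a quoted or a bare argument.
SCHTASKS_OPT_RE = re.compile(r'/(tn|tr|sc|st)\s+(?:"([^"]*)"|(\S+))', re.I)


def under_resources(path: str) -> bool:
    """C:\\Windows\\Resources holds themes and accessibility assets, not programs."""
    return "\\windows\\resources\\" in path.lower()


def is_real_explorer(image: str) -> bool:
    """Only the genuine shell should toggle its own 'show protected files' setting."""
    return image.lower() == r"c:\windows\explorer.exe"


def parse_schtasks(cmdline: str):
    """Return the /tn /tr /sc /st options of a 'schtasks /create' command line, else None."""
    if not re.search(r"\bschtasks\b.*\s/create\b", cmdline, re.I):
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_OPT_RE.finditer(cmdline)}


def evaluate(events: list) -> list:
    """Return (rule, image, detail) findings for every event that matches a rule."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventID"] == 13:
            target, data = ev["TargetObject"], ev["Details"]
            # Rule 1: autorun value whose command lives under C:\Windows\Resources.
            if RUN_KEY_RE.search(target) and under_resources(data):
                findings.append(("run_key_to_windows_resources", image, f"{target} = {data}"))
            # Rule 2: protected-file visibility switched off by something other than Explorer.
            # Details is kept in the report's rendering ("0"); real Sysmon writes "DWORD (0x00000000)".
            if SHOW_SUPER_HIDDEN_RE.search(target) and data == "0" and not is_real_explorer(image):
                findings.append(("showsuperhidden_disabled_by_non_explorer", image, target))
        elif ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            # Rule 3: scheduled task whose action lives under C:\Windows\Resources.
            opts = parse_schtasks(cmd)
            if opts and under_resources(opts.get("tr", "")):
                findings.append(("schtask_to_windows_resources", image, f"/tn {opts.get('tn')} /tr {opts['tr']}"))
            # Rule 4: any process image executing from C:\Windows\Resources.
            if under_resources(image):
                findings.append(("exe_running_from_windows_resources", image, cmd))
    return findings


# Constructed events modelled on the report, plus constructed benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"c:\windows\resources\themes\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "Details": r"c:\windows\resources\themes\explorer.exe RO"},
    {"EventID": 13, "Image": r"c:\windows\resources\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "Details": r"c:\windows\resources\svchost.exe RO"},
    {"EventID": 13, "Image": r"c:\windows\resources\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "0"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:26 /f'},
    {"EventID": 1, "Image": r"c:\windows\resources\themes\explorer.exe",
     "CommandLine": r"c:\windows\resources\themes\explorer.exe"},
    # Benign controls (constructed): a vendor installer in RunOnce, a task in Program Files,
    # and the real Explorer saving the user's own folder-view preference.
    {"EventID": 13, "Image": r"C:\Program Files\Contoso\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ContosoSetup",
     "Details": r"C:\Program Files\Contoso\setup.exe /finish"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "ContosoUpdate" /tr "C:\Program Files\Contoso\update.exe" /sc daily /st 03:00'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "0"},
]

if __name__ == "__main__":
    for rule, image, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:45} {image}  {detail}")
```

Rules 1, 3 and 4 are high-confidence on their own because Windows installs no executables under C:\Windows\Resources; rule 2 is corroboration only, since ShowSuperHidden is also set to 0 by group policy and by administrative scripts. Against real Sysmon data, rule 2 would have to accept the "DWORD (0x00000000)" rendering of the value.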

Network

N/A

Files

memory/1868-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe
  MD5    6eea316962b66e53374f20901a805ab1
  SHA1   0d7417183dd7296dc84b78c6da765bdeee0f867d
  SHA256 ec43e30fe75683cb89c93af8383ddc8b1f5f7f5bc30c8bcde71bc69b41462bf8
  SHA512 78d12ecc876695861bf1ac466c81bceeb58b6b2b6cbd35ada9b30f94e4c5dcba83ccba0511b9c4c0e4fc43b4501627d8e161d47e7ecbb94f06b95a81e098dc0c

C:\Windows\Resources\spoolsv.exe
  MD5    bbc9de349fca53405c501a1e18b14e72
  SHA1   828680086341e04ef301a06c57a7c411fb1f2b70
  SHA256 f5c3600ec8eddafbd50dcfab4f231faefd08c714af72e316d92c74c819b8360f
  SHA512 2e64e1a7189af73c2d2b166ae5d2a59d626af89d2a1e939ff09674043a1e7e2b091054bedc301547bef458ee010ca116a757cb8206b301191f6e6d79c3308291

\Windows\Resources\svchost.exe
  MD5    c70154edb4ee2ae06e036e182c39f310
  SHA1   85b0e4da7d16a9475d9f3deb993a3fcacc200526
  SHA256 449585f0c8272348a0708621bcf554e371ab15aed5e1974f96d47252c349ac5b
  SHA512 7432dabb119b5adf584590974ead186d02fa75641a31139901cdc2db14c7af5224d8746e9f17d5a077e11f27e06ec78bf8042d0de96e943dd9248e21639f9588

memory/2140-35-0x00000000002D0000-0x00000000002EF000-memory.dmp
memory/2748-40-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2076-41-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1868-42-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1992-43-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2140-44-0x0000000000400000-0x000000000041F000-memory.dmp

The three dropped executables carry different MD5/SHA1/SHA256/SHA512 values here than in behavioral2, so the payloads are regenerated on each run and their file hashes are weak indicators. The stable artifacts across both runs are the drop paths under C:\Windows\Resources, the RunOnce value names Explorer and Svchost, the scheduled-task name svchost, and the stage arguments SE, PR and RO on the dropped processes' command lines.