Malware Analysis Report

2024-11-30 13:28

Sample ID 241122-q42vdsxpdq
Target ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.exe
SHA256 ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf
Tags qakbot tr 1634541613 banker discovery evasion stealer trojan

Score 10/10


Analysis Overview

Score 10/10

SHA256

ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf

Threat Level: Known bad

The file ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.exe was found to be: Known bad.

Malicious Activity Summary

qakbot tr 1634541613 banker discovery evasion stealer trojan

Qakbot family

Qakbot/Qbot

Windows security bypass

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 13:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 13:49

Reported

2024-11-22 13:51

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Zlphxl = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Kqitlq = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Oayeoxhkqoarp C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 4804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 4804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 4804 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4804 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4804 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4804 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4804 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 4804 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 744 wrote to memory of 4208 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 744 wrote to memory of 4208 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 744 wrote to memory of 4208 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 640 wrote to memory of 3108 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 640 wrote to memory of 3108 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 640 wrote to memory of 3108 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3108 wrote to memory of 548 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3108 wrote to memory of 548 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3108 wrote to memory of 548 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3108 wrote to memory of 548 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3108 wrote to memory of 548 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 548 wrote to memory of 4624 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 548 wrote to memory of 4624 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 548 wrote to memory of 2348 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 548 wrote to memory of 2348 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vphgozbh /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll\"" /SC ONCE /Z /ST 13:51 /ET 14:03

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Zlphxl" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Kqitlq" /d "0"

Network


Files

memory/4804-1-0x0000000075460000-0x0000000075466000-memory.dmp

memory/4804-0-0x00000000752D0000-0x000000007547B000-memory.dmp

memory/4804-2-0x00000000752D0000-0x000000007547B000-memory.dmp

memory/4804-4-0x00000000752D0000-0x000000007547B000-memory.dmp

memory/4804-5-0x00000000752D0000-0x000000007547B000-memory.dmp

memory/744-6-0x0000000000CE0000-0x0000000000D01000-memory.dmp

memory/744-10-0x0000000000CE0000-0x0000000000D01000-memory.dmp

memory/744-12-0x0000000000CE0000-0x0000000000D01000-memory.dmp

memory/744-11-0x0000000000CE0000-0x0000000000D01000-memory.dmp

memory/744-14-0x0000000000CE0000-0x0000000000D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll

MD5 6ed47a0963d414bd3e945dad0d45ecb6
SHA1 4c229de8ee285cf6f1fca195036532550e30c624
SHA256 ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf
SHA512 fae4f2d72e4595ce828313617960fed144897e623bef519ef7f785a7ae06b47e0fa8d1ca2223c4fa9bb7ccea2b791dcb760cd430ba2149f54018ac8b8843f806

memory/3108-18-0x0000000073B30000-0x0000000073CDB000-memory.dmp

memory/3108-19-0x0000000073B30000-0x0000000073CDB000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3108-22-0x0000000073B30000-0x0000000073CDB000-memory.dmp

memory/548-24-0x00000000004B0000-0x00000000004D1000-memory.dmp

memory/548-25-0x00000000004B0000-0x00000000004D1000-memory.dmp

memory/548-26-0x00000000004B0000-0x00000000004D1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 13:49

Reported

2024-11-22 13:51

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Windows security bypass

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Zbecg = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ydpnrodvu = "0" C:\Windows\system32\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Xwtnxipavatr C:\Windows\SysWOW64\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1528 wrote to memory of 828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1528 wrote to memory of 828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1528 wrote to memory of 828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1528 wrote to memory of 828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1528 wrote to memory of 828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 1528 wrote to memory of 828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\explorer.exe
PID 828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2132 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2872 wrote to memory of 2132 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2872 wrote to memory of 2132 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2872 wrote to memory of 2132 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2872 wrote to memory of 2132 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 2132 wrote to memory of 2980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2980 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2980 wrote to memory of 2868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2980 wrote to memory of 2868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2980 wrote to memory of 2868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2980 wrote to memory of 2868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2980 wrote to memory of 2868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2980 wrote to memory of 2868 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 2868 wrote to memory of 2976 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 2976 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 2976 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 2976 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 2992 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 2992 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 2992 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe
PID 2868 wrote to memory of 2992 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cjpksvzp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll\"" /SC ONCE /Z /ST 13:51 /ET 14:03

C:\Windows\system32\taskeng.exe

taskeng.exe {64AA58DE-7159-46C1-A409-270AF0D43FDD} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ydpnrodvu" /d "0"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zbecg" /d "0"

Network

N/A

Files

memory/1528-0-0x0000000074C80000-0x0000000074E2B000-memory.dmp

memory/1528-1-0x0000000074C80000-0x0000000074E2B000-memory.dmp

memory/1528-4-0x0000000074C80000-0x0000000074E2B000-memory.dmp

memory/1528-3-0x0000000074E10000-0x0000000074E16000-memory.dmp

memory/828-5-0x0000000000080000-0x0000000000082000-memory.dmp

memory/828-7-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/1528-9-0x0000000074C80000-0x0000000074E2B000-memory.dmp

memory/828-12-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/828-14-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/828-13-0x00000000000D0000-0x00000000000F1000-memory.dmp

memory/828-16-0x00000000000D0000-0x00000000000F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf.dll

MD5 6ed47a0963d414bd3e945dad0d45ecb6
SHA1 4c229de8ee285cf6f1fca195036532550e30c624
SHA256 ce10f800a32cf0a28d11ce752614b3f51fb9415de231f5dd08cbcb704de57bbf
SHA512 fae4f2d72e4595ce828313617960fed144897e623bef519ef7f785a7ae06b47e0fa8d1ca2223c4fa9bb7ccea2b791dcb760cd430ba2149f54018ac8b8843f806

memory/2980-22-0x00000000743E0000-0x000000007458B000-memory.dmp

memory/2980-21-0x00000000743E0000-0x000000007458B000-memory.dmp

memory/2980-25-0x00000000743E0000-0x000000007458B000-memory.dmp

memory/2868-27-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2868-28-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2868-29-0x0000000000080000-0x00000000000A1000-memory.dmp