Malware Analysis Report

2025-01-06 08:57

Sample ID 240604-a187asfh35
Target 96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47
SHA256 96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47
Tags: upx evasion execution
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47

Threat Level: Likely malicious

The file 96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47 was found to be: Likely malicious.

Malicious Activity Summary

upx evasion execution

Stops running service(s)

Deletes itself

UPX packed file

Launches sc.exe

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:41

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:41

Reported

2024-06-04 00:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe"

Signatures

Stops running service(s)

evasion execution

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 3

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 3

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2776 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2776 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2776 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2776 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2984 wrote to memory of 2548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe | 4
PID 1612 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 2876 wrote to memory of 2676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 2980 wrote to memory of 2680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe | 4
PID 2548 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 4
PID 2776 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2404 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 2776 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1016 wrote to memory of 1628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1016 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1016 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1016 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe

"C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Optimization

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c sc delete Optimization

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\net.exe

net stop Optimization

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\sc.exe

sc delete Optimization

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Optimization

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\104111.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del C:\104111.bat"

Network

N/A

Files

memory/2776-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2776-1-0x0000000000400000-0x0000000000415000-memory.dmp

C:\104111.bat

MD5 234368ffeadc02478fbf7df6b973d8b5
SHA1 545c373379b4790d43ff05e0fd17eac378bda0c1
SHA256 cb0a2dd78076345b80b79c23dfe476c72f66bcedb69d121613d8567a33cd9c95
SHA512 c8f970851ac271948d4234094eba091c444a4cc4c82833a8120644107dc1fecccaa76ccb468633a00729570e8e3a562f3d4c2f0e24820d5be8194724bf9213a2

memory/2776-10-0x0000000000400000-0x0000000000415000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:41

Reported

2024-06-04 00:44

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe"

Signatures

Stops running service(s)

evasion execution

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 3

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A | 3

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1748 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1748 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1748 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1748 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2852 wrote to memory of 3404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe | 3
PID 3404 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe | 3
PID 1940 wrote to memory of 2356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 3
PID 1208 wrote to memory of 4732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe | 3
PID 3152 wrote to memory of 60 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 3
PID 1748 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2760 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 3
PID 1748 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1544 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1544 wrote to memory of 2804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1544 wrote to memory of 4696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1544 wrote to memory of 3096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe

"C:\Users\Admin\AppData\Local\Temp\96e6098e3c444e7fe6a1150471c94fa6b2b14f15132dab7c1767131187128a47.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop Optimization

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c sc delete Optimization

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\net.exe

net stop Optimization

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop Optimization

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\sc.exe

sc delete Optimization

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 软件小管家.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\104111.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del C:\104111.bat"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/1748-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1748-1-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1748-5-0x0000000000400000-0x0000000000415000-memory.dmp

C:\104111.bat

MD5 234368ffeadc02478fbf7df6b973d8b5
SHA1 545c373379b4790d43ff05e0fd17eac378bda0c1
SHA256 cb0a2dd78076345b80b79c23dfe476c72f66bcedb69d121613d8567a33cd9c95
SHA512 c8f970851ac271948d4234094eba091c444a4cc4c82833a8120644107dc1fecccaa76ccb468633a00729570e8e3a562f3d4c2f0e24820d5be8194724bf9213a2