Malware Analysis Report

2025-01-03 09:34

Sample ID 240604-fq2blaea8x
Target f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25
SHA256 f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25
Tags
bootkit persistence spyware stealer upx
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25

Threat Level: Likely malicious

The file f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer upx

Execution chain observed in both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10): the sample starts cmd.exe with "ping 127.0.0.1 -n 2" as a delay and then runs a dropped executable from %TEMP% (xkafymb.exe in behavioral1, xdgdt.exe in behavioral2) with the original sample path as its argument. A module with a non-.dll extension in a randomly named root-level directory (c:\dojnmoq\vcspu.cpv and c:\kkwtv\etrpd.tpe, identical SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d in both runs) is loaded by rundll32.exe through an export named crc32. That rundll32.exe process sets the HKCU Run value EvtMgr to the same rundll32 command line, enumerates drive letters, opens \??\PHYSICALDRIVE0 for modification, queries the processor name in the registry and spawns "taskkill /f /im attrib.exe"; each run also produces TCP connections to 98.126.15.170:3201, 98.126.15.171:805 and 98.126.15.172:803. Two entries in the list below (Blocklisted process makes network request; Suspicious use of SetWindowsHookEx) have no corresponding row in the per-detonation signature tables.

Detects executables containing base64 encoded User Agent

UPX dump on OEP (original entry point)

Blocklisted process makes network request

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Unsigned PE

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 05:05

Signatures

Unsigned PE

Matches: 1 (no description, indicator, process or target reported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 05:05

Reported

2024-06-04 05:07

Platform

win7-20240220-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

Signatures

Detects executables containing base64 encoded User Agent

Matches: 4 (no description, indicator, process or target reported)

UPX dump on OEP (original entry point)

Matches: 7 (no description, indicator, process or target reported)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xkafymb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xkafymb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Matches: 6 (no description, indicator, process or target reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\dojnmoq\\vcspu.cpv\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z:, all 23 letters except c:, d: and f: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2960 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2896 (4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2960 wrote to memory of 2568 (4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\xkafymb.exe
PID 2568 wrote to memory of 2612 (7 times) N/A C:\Users\Admin\AppData\Local\Temp\xkafymb.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 2632 (4 times) N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Every write above goes from a parent to the child it has just created (cmd.exe, PING.EXE, the dropped executable, rundll32.exe, taskkill.exe), which is what process start-up looks like to this signature; no write targets an unrelated process, so this table documents the process tree rather than code injection.

Processes

C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe

"C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\xkafymb.exe "C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\xkafymb.exe

C:\Users\Admin\AppData\Local\Temp\\xkafymb.exe "C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\dojnmoq\vcspu.cpv",crc32 C:\Users\Admin\AppData\Local\Temp\xkafymb.exe

(The command line names system32, but the 32-bit parent is subject to WOW64 file system redirection, so the SysWOW64 copy of rundll32.exe is what ran, as the process path shows. The module argument carries a .cpv extension and is entered through an export named crc32; rundll32 loads whatever loadable PE it is pointed at regardless of extension.)

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network

Country Destination Domain Proto
US 98.126.15.172:803 tcp
US 98.126.15.172:803 tcp
US 98.126.15.170:3201 tcp
US 98.126.15.171:805 tcp
US 98.126.15.171:805 tcp
US 98.126.15.171:805 tcp
US 98.126.15.171:805 tcp
US 98.126.15.170:3201 tcp
US 98.126.15.170:3201 tcp
US 98.126.15.170:3201 tcp

Files

memory/3068-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3068-1-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/3068-3-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\xkafymb.exe

MD5 072a3b6e95d6ed6afebe2b0e45b9c95b
SHA1 8640c1ce5eec8dbf8b581471491840d8972dff3d
SHA256 44bac8a78bcf67f7962676400107e8fc8256f8adae76d5de3b51c618eb8656a4
SHA512 def2d6b035bbe90f2b827aa80df7b077b517eeb32a820ebc3cc03f38b3cfa14b5131617d61a97afef5220ad16319a2ddc75379ac76f0434afc600fc6068f32e8

memory/2568-10-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2960-9-0x0000000000130000-0x0000000000158000-memory.dmp

memory/2960-8-0x0000000000130000-0x0000000000158000-memory.dmp

memory/2568-11-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2568-13-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\dojnmoq\vcspu.cpv

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/2612-16-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2612-17-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2612-21-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2612-22-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2612-23-0x0000000010000000-0x0000000010022000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 05:05

Reported

2024-06-04 05:07

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

Signatures

Detects executables containing base64 encoded User Agent

Matches: 3 (no description, indicator, process or target reported)

UPX dump on OEP (original entry point)

Matches: 6 (no description, indicator, process or target reported)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xdgdt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xdgdt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Matches: 5 (no description, indicator, process or target reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\kkwtv\\etrpd.tpe\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z:, all 23 letters except c:, d: and f: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
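The signature above records only that rundll32.exe opened \??\PHYSICALDRIVE0 for modification; it does not say what, if anything, was written. The Python below is an added example, not code from the report or the sandbox, of the check an analyst would run on a suspect host: parse the first sector, verify the 0x55AA boot signature and the partition table, and compare the hash of the boot-code bytes against a baseline taken before infection. Both sectors here are constructed for the example; the boot-code bytes, disk signature and partition layout are illustrative assumptions.

```python
"""Added example: compare a disk's first sector against a known-good baseline.
The sectors below are constructed; the report only records that
\\??\\PHYSICALDRIVE0 was opened for modification by rundll32.exe."""
import hashlib
import struct

SECTOR = 512
DISK_SIG_OFF = 440        # 4-byte disk signature; bytes 0..439 are boot code
PART_TABLE_OFF = 446      # four 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xAA"    # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Split a 512-byte sector into signature, disk id, boot-code hash, partitions."""
    if len(sector) != SECTOR:
        raise ValueError("expected a 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # an all-zero entry is an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        # hash only the boot code, so a legitimately different disk id
        # does not trigger a finding
        "bootstrap_sha256": hashlib.sha256(sector[:DISK_SIG_OFF]).hexdigest(),
        "partitions": parts,
    }


def compare_to_baseline(sector, baseline_sha256):
    """Return a list of findings; an empty list means the sector looks untouched."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    return findings


def make_sector(boot_code, partitions, disk_sig=0x1234ABCD):
    """Build a constructed MBR for the example (boot_code must be <= 440 bytes)."""
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, count)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


# Constructed baseline: a stand-in boot stub (cli; xor ax,ax; mov ss,ax; mov sp,7c00h).
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8
PARTITIONS = [(0x80, 0x07, 2048, 204800)]   # one active NTFS-type partition
CLEAN = make_sector(CLEAN_CODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN)["bootstrap_sha256"]
# Constructed "after infection" sector: same partition table, replaced boot code.
INFECTED = make_sector(b"\xeb\x3c\x90" + b"\xcc" * 64, PARTITIONS)

if __name__ == "__main__":
    # Live use on Windows (administrator rights required):
    #   with open(r"\\.\PhysicalDrive0", "rb") as disk: sector = disk.read(512)
    for name, sec in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, compare_to_baseline(sec, BASELINE) or ["no findings"])
```

A bootkit that hooks disk I/O can hand a clean sector back to user-mode readers on the running system, so take the comparison sector from a trusted boot medium or an offline image rather than from the infected OS. On GPT disks the first sector is a protective MBR with a single type 0xEE entry; the partition output then looks different, but the boot-code comparison applies unchanged.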

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4280 wrote to memory of 4704 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 2904 (3 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4704 wrote to memory of 4880 (3 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\xdgdt.exe
PID 4880 wrote to memory of 2256 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\xdgdt.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 3956 (3 times) N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe

"C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\xdgdt.exe "C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\xdgdt.exe

C:\Users\Admin\AppData\Local\Temp\\xdgdt.exe "C:\Users\Admin\AppData\Local\Temp\f3db56acaed371af569d8daed72073f434ec1b63f4d65fb10dc015210ee65f25.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\kkwtv\etrpd.tpe",crc32 C:\Users\Admin\AppData\Local\Temp\xdgdt.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe
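The Processes listings of behavioral1 and behavioral2 show the same chain with only the random names changed: cmd.exe using ping as a sleep before launching the dropped executable, rundll32.exe loading a module whose extension is not .dll through the crc32 export, the same command line written to the HKCU Run value EvtMgr, and taskkill aimed at attrib.exe. The Python below is an added example, not code from the report or the sandbox, that turns those four observations into checks and runs them over constructed events modelled on the behavioral1 rows (PIDs taken from the report, the original file name abbreviated to sample.exe). The event dictionary schema, the rule names and the ALLOWED_MODULE_EXT allowlist are assumptions made for the example.

```python
"""Added example: detection checks for the behaviours recorded in this report,
run over constructed events.  The event schema (plain dicts), the rule names
and the extension allowlist are assumptions; none of it is the sandbox's own
format."""
import os
import re

# rundll32 module path and export, quoted or not, e.g.
#   rundll32.exe "c:\dojnmoq\vcspu.cpv",crc32
RUNDLL32_MODULE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?)"?\s*,\s*(?P<export>[A-Za-z_]\w*)',
    re.IGNORECASE)
# cmd.exe /c ping 127.0.0.1 -n 2&<dropped>.exe ...  (ping used as a sleep)
PING_THEN_EXEC = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&+\s*(?P<next>\S+?\.exe)', re.IGNORECASE)
TASKKILL_ATTRIB = re.compile(r'taskkill\s+/f\s+/im\s+attrib\.exe', re.IGNORECASE)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
ALLOWED_MODULE_EXT = {".dll"}   # assumption: extend (e.g. ".cpl") from your own baseline


def rundll32_module(command):
    """Return (module_path, extension, export) for a rundll32 command, else None."""
    m = RUNDLL32_MODULE.search(command)
    if not m:
        return None
    path = m.group("path").strip()
    return path, os.path.splitext(path)[1].lower(), m.group("export")


def check_process(ev):
    """Rule names matching one process-creation event."""
    hits = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if image.endswith("cmd.exe") and PING_THEN_EXEC.search(cmd):
        hits.append("ping_delay_then_exec")
    if image.endswith("rundll32.exe"):
        mod = rundll32_module(cmd)
        if mod and mod[1] not in ALLOWED_MODULE_EXT:
            hits.append("rundll32_nondll_module")
    if image.endswith("taskkill.exe") and TASKKILL_ATTRIB.search(cmd):
        hits.append("taskkill_attrib")
    return hits


def check_registry(ev):
    """Flag a Run value whose command is rundll32 with a non-.dll module."""
    if RUN_KEY not in ev.get("key", "").lower():
        return []
    mod = rundll32_module(ev.get("value", ""))
    if mod and mod[1] not in ALLOWED_MODULE_EXT:
        return ["run_key_rundll32_nondll"]
    return []


def scan(events):
    """Return [(rule, pid)] for every event that matches a rule."""
    out = []
    for ev in events:
        fn = check_registry if ev.get("type") == "registry" else check_process
        for rule in fn(ev):
            out.append((rule, ev.get("pid")))
    return out


# Constructed events reproducing the behavioral1 chain (PIDs from the report).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\xkafymb.exe "C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"type": "process", "pid": 2896, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 2"},
    {"type": "process", "pid": 2612, "image": r"c:\windows\SysWOW64\rundll32.exe",
     "cmdline": r'c:\windows\system32\rundll32.exe "c:\dojnmoq\vcspu.cpv",crc32 C:\Users\Admin\AppData\Local\Temp\xkafymb.exe'},
    {"type": "registry", "pid": 2612,
     "key": r"HKU\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr",
     "value": r'c:\windows\SysWOW64\rundll32.exe "c:\dojnmoq\vcspu.cpv",crc32'},
    {"type": "process", "pid": 2632, "image": r"c:\windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im attrib.exe"},
    # benign control: a normal rundll32 invocation must not fire
    {"type": "process", "pid": 1111, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_EVENTS):
        print(f"{rule:26s} pid={pid}")
```

The rundll32 check keys on the module's extension rather than on the random path because the directory and file names differ between the two runs while the extension trick and the crc32 export stay constant. Tune ALLOWED_MODULE_EXT against your own baseline before deploying, and expect the ping-then-execute rule to also catch benign installer scripts that use the same delay idiom, so correlate it with the other hits rather than alerting on it alone.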

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 98.126.15.172:803 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 98.126.15.170:3201 tcp
US 98.126.15.171:805 tcp
US 98.126.15.171:805 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 98.126.15.171:805 tcp
US 98.126.15.170:3201 tcp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 98.126.15.170:3201 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 98.126.15.170:3201 tcp
US 98.126.15.170:3201 tcp

Files

memory/4280-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4280-1-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/4280-3-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xdgdt.exe

MD5 87fbb5fef345b0baaada6d209db2f8fe
SHA1 7c52c47798cc6c353df2abe1494202cdbfe8e6e0
SHA256 f9b118cbcb83bf37c0fef1717928d923268eb19a0bcc045adb1e2ec5912f8051
SHA512 a3ae1774b6e017fbe41141f14714cbedad7cebe9f662dbc41f93c012638940e6dc95e4605f440a90327604acf753cde887418a71313a415dee87da47000d423d

memory/4880-7-0x00000000020E0000-0x0000000002112000-memory.dmp

memory/4880-9-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\kkwtv\etrpd.tpe

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/2256-12-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2256-13-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2256-15-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2256-17-0x0000000010000000-0x0000000010022000-memory.dmp