Malware Analysis Report

2025-04-14 04:16

Sample ID: 240609-jeh8esff6y
Target: b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b
SHA256: b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b
Tags: upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b

Threat Level: Shows suspicious behavior

The file b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b was found to show suspicious behavior.

Malicious Activity Summary

upx

Executes dropped EXE

Deletes itself

UPX packed file

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-09 07:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-09 07:34
Reported: 2024-06-09 07:37
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe | N/A
N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\nk.txt | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | N/A
File opened for modification | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | N/A
File created | \??\c:\windows\rMX.exe.bat | C:\WINDOWS\VWFLH\rMX.exe | N/A
File created | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A
File opened for modification | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2740 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 2988 wrote to memory of 2984 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2520 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\WINDOWS\VWFLH\rMX.exe.exe
PID 2508 wrote to memory of 2700 | N/A | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2700 wrote to memory of 3008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe

Processes

Process | Command Line
C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | "C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"
C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
C:\Windows\SysWOW64\cmd.exe | cmd /c echo 0>>c:\windows\nk.txt
C:\Windows\SysWOW64\cmd.exe | cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
C:\Windows\SysWOW64\cmd.exe | cmd /c c:\85.vbs
C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe.exe
C:\Windows\SysWOW64\cmd.exe | cmd /c c:\88.vbs
C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\85.vbs"
C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\88.vbs"

Network

N/A

Files

C:\Windows\VWFLH\rMX.exe

MD5 dae39904d892c7cfaaa95bfa50a7b976
SHA1 296d813c666e50c1816b7a77546a6ac93b826ceb
SHA256 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b
SHA512 83a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0

memory/2988-13-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

memory/2740-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

\Windows\VWFLH\rMX.exe.exe

MD5 11e1d8159af3475e3b897e0f8f879940
SHA1 6dbf00b501fbd420d8219957c955ecac8af56dcb
SHA256 b0439edfece7ce3be6275b33f3818d9b0e34bed5f078e3dca6fe1825ba683679
SHA512 159d3271bdb8c6e8aa19605ee916431a6af4ec2b0b9ac10b867cb7f3c648923107511775bc5c4208a9709d349c931338cc5dec18f2e829e79a73c7b9dca5d143

C:\85.vbs

MD5 be4bec113d3e78f731a2574ff4bf9f4a
SHA1 2711436d2a607701fc09f12ec43ec845719e94b5
SHA256 f0cea06bd67c122a7b5a3ef431f6e719998b0437a96831a165001c0560a3c00a
SHA512 10948a4d356f59395b4aac5e4f6ce8b5cb5dbd1bf4ea0e4a302628ab0151ab36346ac2c53e80cc1c716f420b8ac93950ae0811f979b6f551c512803c36a183d9

memory/2508-28-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

C:\88.vbs

MD5 f9a1a5c1ab7d3d6d6a21d84d9f7733c0
SHA1 05a29559857825c82c9652b31b94b3cfb458c070
SHA256 a1321e66807fd956e9b9e0ed938a1393f676df717ffbfd74a08d3c632ef1a711
SHA512 5eea6e6ceac56c4b2ac01347b86f41785be0adcc76e4f5d64af5e98133c95c572a7b0a6ed16bf475d54079d6a31f801bd8220cd783dec20cbe0986fb25d685ed

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-09 07:34
Reported: 2024-06-09 07:37
Platform: win10v2004-20240426-en
Max time kernel: 144s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe | N/A
N/A | N/A | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1488 set thread context of 4660 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 1488 set thread context of 4064 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 1488 set thread context of 2196 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | \??\c:\windows\rMX.exe.bat | C:\WINDOWS\VWFLH\rMX.exe | N/A
File opened for modification | \??\c:\windows\nk.txt | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A
File created | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A
File opened for modification | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe | N/A
File opened for modification | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe.exe | N/A
File created | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | N/A
File opened for modification | C:\WINDOWS\VWFLH\rMX.exe | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\WINDOWS\VWFLH\rMX.exe

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\WINDOWS\VWFLH\rMX.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 2268 wrote to memory of 356 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 3404 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\WINDOWS\VWFLH\rMX.exe.exe
PID 3840 wrote to memory of 1488 | N/A | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 1488 wrote to memory of 4660 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 1488 wrote to memory of 4064 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 1488 wrote to memory of 2196 | N/A | C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
PID 3840 wrote to memory of 3512 | N/A | C:\WINDOWS\VWFLH\rMX.exe.exe | C:\Windows\SysWOW64\cmd.exe
PID 4340 wrote to memory of 1188 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3512 wrote to memory of 1172 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe

Processes

Process | Command Line
C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe | "C:\Users\Admin\AppData\Local\Temp\b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b.exe"
C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
C:\Windows\SysWOW64\cmd.exe | cmd /c echo 0>>c:\windows\nk.txt
C:\Windows\SysWOW64\cmd.exe | cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
C:\Windows\SysWOW64\cmd.exe | cmd /c c:\13.vbs
C:\WINDOWS\VWFLH\rMX.exe.exe | C:\WINDOWS\VWFLH\rMX.exe.exe
C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
C:\WINDOWS\VWFLH\rMX.exe | C:\WINDOWS\VWFLH\rMX.exe
C:\Windows\SysWOW64\cmd.exe | cmd /c c:\64.vbs
C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\13.vbs"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2196 -ip 2196
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4064 -ip 4064
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 80
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 80
C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\64.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mf163.3322.org | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Windows\VWFLH\rMX.exe

MD5 dae39904d892c7cfaaa95bfa50a7b976
SHA1 296d813c666e50c1816b7a77546a6ac93b826ceb
SHA256 b7b403ed495e91977aac36d4b80c1b60fa0f6cbb3b9ff9c2b357a3b7aa022d2b
SHA512 83a9325bccc04ea9e04b6e5255b888e9f01ceb32b8d524e34f2a5817d54ec3e93787cdfffec840d2b05e5a313fe3bf91636a15af90451a40a83fa788213204f0

memory/1204-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

memory/2268-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

C:\Windows\VWFLH\rMX.exe.exe

MD5 acda0d5dd519bb7600d6d35af3c8b189
SHA1 d103ce109869c19dd037e4348eca6e7dfa3d0b0b
SHA256 f400c75f1d91dadb03ef03d6e2dbe9e71042794aba8e9a8b278c02bb235a260d
SHA512 02b336079436fae2db16780f4d79ade1da9b8b0617a02980f49d34ce200b56efd13525e5f9737ebc4b7c454d48d04b5999f77c68b9b857d8baae9ff056243f03

memory/4660-22-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4660-29-0x0000000010000000-0x000000001002A000-memory.dmp

C:\13.vbs

MD5 4fc553bf0fd7a436b104a162d998a5e1
SHA1 8e034bf7ef81ff8e38941b63e216adc0158617fd
SHA256 8f341f682c7f5f5c237ef717781249ac8db6e59ccffae2de26e2f498af3e61fb
SHA512 b8e597e70198b5a5ef20cb9d1d6e7d6fb2a80a6edcc0ff882ade30de29394aadaf9aaf9ef298b40b5dc988a791e5eb55e8e1628f9ab144f5bff6b673a69287ca

memory/3840-35-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

C:\64.vbs

MD5 1b17358618f4d20e00ba6f2eeb9aab03
SHA1 cca9115ee97eb54bd2a82ea156bbf8ab62a472c9
SHA256 921afc09aa5117b83222e3c17495838aaddad9f2194ffc0b854a17e4743af420
SHA512 a438b0a902232d2c57e7d2144e57117d77a912ff1b826b7c0668fb0225f342ea2696efc9901d1cc050e8580bc6aaaf36ae2bde5b08e931fb7e982543d66c9515

memory/4660-34-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4660-33-0x0000000010000000-0x000000001002A000-memory.dmp

memory/1488-32-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

memory/4660-20-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4660-21-0x0000000010000000-0x000000001002A000-memory.dmp