Malware Analysis Report

2024-09-23 10:36

Sample ID 240614-xt26qswfpp
Target 179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5
SHA256 179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5
Tags
bootkit persistence spyware stealer upx
score
9/10


Analysis Overview

score
9/10

SHA256

179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5

Threat Level: Likely malicious

The file 179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer upx

UPX dump on OEP (original entry point)

Detects executables containing base64 encoded User Agent

Blocklisted process makes network request

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Deletes itself

Executes dropped EXE

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 19:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 19:09

Reported

2024-06-14 19:12

Platform

win7-20240611-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fxmuh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fxmuh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (2 identical rows)
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\scnjd\\tugmtym.umt\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 rows, one per drive letter; c:, d: and f: not opened) \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2432 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (4 identical rows)
PID 2432 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fxmuh.exe (4 identical rows)
PID 2632 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\fxmuh.exe \??\c:\windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2760 wrote to memory of 2612 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe

"C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fxmuh.exe "C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\fxmuh.exe

C:\Users\Admin\AppData\Local\Temp\\fxmuh.exe "C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\scnjd\tugmtym.umt",crc32 C:\Users\Admin\AppData\Local\Temp\fxmuh.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network

Country Destination Domain Proto
US 98.126.15.172:803 tcp (2 identical rows)
US 98.126.15.170:3201 tcp (4 identical rows)
US 98.126.15.171:805 tcp (4 identical rows)

Files

memory/2300-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2300-1-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2300-3-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\fxmuh.exe

MD5 daaac28275da991faa00500352b1661f
SHA1 00329bcf1954ef268085b58b2acfb50defb70463
SHA256 ed17347caa12ee55e804bf64db1f2e5e2aecd5d7a296fa1785856d0eb630537c
SHA512 6afb4ea09f20a406d236e985502d17603834ca1353016854f3440596d1b4bf2075c9a124ab19bcbad818e8484a05071cda853072f95a686f72e6c7b4558e672b

memory/2432-9-0x0000000000110000-0x0000000000138000-memory.dmp

memory/2632-10-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2432-8-0x0000000000110000-0x0000000000138000-memory.dmp

memory/2632-11-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2632-13-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\scnjd\tugmtym.umt

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/2760-16-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2760-17-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2760-21-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2760-22-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2760-23-0x0000000010000000-0x0000000010022000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 19:09

Reported

2024-06-14 19:12

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ejwlt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ejwlt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\kutdt\\zpwixk.piz\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 rows, one per drive letter; c:, d: and f: not opened) \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (4 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 5116 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (3 identical rows)
PID 5116 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ejwlt.exe (3 identical rows)
PID 3672 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\ejwlt.exe \??\c:\windows\SysWOW64\rundll32.exe (3 identical rows)
PID 1416 wrote to memory of 4584 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe

"C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ejwlt.exe "C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ejwlt.exe

C:\Users\Admin\AppData\Local\Temp\\ejwlt.exe "C:\Users\Admin\AppData\Local\Temp\179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\kutdt\zpwixk.piz",crc32 C:\Users\Admin\AppData\Local\Temp\ejwlt.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 98.126.15.172:803 tcp
US 98.126.15.170:3201 tcp (5 identical rows)
US 98.126.15.171:805 tcp (3 identical rows)
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

memory/5008-1-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/5008-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5008-3-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ejwlt.exe

MD5 87e1ba580c21bc2fef226e2dadddb8e5
SHA1 7b172d4a929376036d3373d7ef0f2fc91694f264
SHA256 890c6aac0c85558893f28736ac798ee41aef676550746b5ad53a76037ca6940e
SHA512 05dfd3817758db8aa0ce97fedd69563dd2f8659cf3f187ae7dfec963f015bb8caf703a7422ac967bfd0013441720331a6b88170b60c4136fed04df73d17362a9

memory/3672-7-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/3672-9-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\kutdt\zpwixk.piz

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/1416-12-0x0000000010000000-0x0000000010022000-memory.dmp

memory/1416-13-0x0000000010000000-0x0000000010022000-memory.dmp

memory/1416-15-0x0000000010000000-0x0000000010022000-memory.dmp

memory/1416-17-0x0000000010000000-0x0000000010022000-memory.dmp