Malware Analysis Report

2025-08-11 07:36

Sample ID 241015-1scfgaygpg
Target 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N
SHA256 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43
Tags
bootkit discovery persistence spyware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43

Threat Level: Likely malicious

The file 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer upx

Blocklisted process makes network request

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

UPX packed file

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 21:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 21:54

Reported

2024-10-15 21:56

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jkbee.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jkbee.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\cmriy\\jgeot.goj\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jkbee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 936 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4872 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4872 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4872 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jkbee.exe
PID 4872 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jkbee.exe
PID 4872 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jkbee.exe
PID 2756 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\jkbee.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\jkbee.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\jkbee.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 376 wrote to memory of 2428 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 376 wrote to memory of 2428 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 376 wrote to memory of 2428 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe

"C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jkbee.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\jkbee.exe

C:\Users\Admin\AppData\Local\Temp\\jkbee.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\cmriy\jgeot.goj",crc32 C:\Users\Admin\AppData\Local\Temp\jkbee.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 98.126.15.172:803 N/A tcp
US 98.126.15.170:3201 N/A tcp
US 98.126.15.171:805 N/A tcp
US 98.126.15.171:805 N/A tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 98.126.15.171:805 N/A tcp
US 98.126.15.170:3201 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 98.126.15.170:3201 N/A tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 98.126.15.170:3201 N/A tcp

Files

memory/936-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/936-1-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/936-3-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jkbee.exe

MD5 5e72d75e134b5085ca640e9b41760cc4
SHA1 9a373391bca00c76e00fdc79b5d8dd00dbc918ec
SHA256 2da3ff23993c83ce280a8d2410e431a659a55c8b2eb89a1c30269ef94f90929d
SHA512 51e774212a85c22c5143ae9dea9beb7559408928ec364404ce1bb06a94e38b08e999c93497267b29dd958009aea18f3110a6ed1c7a2a437930295b061d847151

memory/2756-7-0x0000000000490000-0x0000000000491000-memory.dmp

memory/2756-9-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\cmriy\jgeot.goj

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/376-12-0x0000000010000000-0x0000000010022000-memory.dmp

memory/376-13-0x0000000010000000-0x0000000010022000-memory.dmp

memory/376-15-0x0000000010000000-0x0000000010022000-memory.dmp

memory/376-16-0x0000000010000000-0x0000000010022000-memory.dmp

memory/376-17-0x0000000010000000-0x0000000010022000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 21:54

Reported

2024-10-15 21:56

Platform

win7-20241010-en

Max time kernel

113s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\erwrb\\vbhtkml.btv\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cewks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2616 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2616 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2616 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2616 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\cewks.exe
PID 2616 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\cewks.exe
PID 2616 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\cewks.exe
PID 2616 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\cewks.exe
PID 2204 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2204 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2204 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2204 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2204 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2204 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2204 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cewks.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 2896 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2948 wrote to memory of 2896 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2948 wrote to memory of 2896 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2948 wrote to memory of 2896 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe

"C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\cewks.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\cewks.exe

C:\Users\Admin\AppData\Local\Temp\\cewks.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\erwrb\vbhtkml.btv",crc32 C:\Users\Admin\AppData\Local\Temp\cewks.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network

Country Destination Domain Proto
US 98.126.15.172:803 N/A tcp
US 98.126.15.172:803 N/A tcp
US 98.126.15.170:3201 N/A tcp
US 98.126.15.171:805 N/A tcp
US 98.126.15.171:805 N/A tcp
US 98.126.15.171:805 N/A tcp
US 98.126.15.171:805 N/A tcp
US 98.126.15.170:3201 N/A tcp
US 98.126.15.170:3201 N/A tcp

Files

memory/2328-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2328-1-0x0000000000380000-0x0000000000381000-memory.dmp

memory/2328-3-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2616-5-0x00000000001A0000-0x00000000001C8000-memory.dmp

\Users\Admin\AppData\Local\Temp\cewks.exe

MD5 83f115c11fee444b9e62c58a9f94b66a
SHA1 fcd89b1a255535a343c374814951ee7fa1cf9f59
SHA256 e14ac228da14bff6ed9acb02ac522c5f3e69aad9ceaf88f21db9872bce88c9ba
SHA512 96e88d5af8900f7281299c1cf2f7b8422c5ad93ad76c56f61c2a2c15cdd17edb1973dd45cae7a691ba145df37c04145d0b2dce85937e5529230facc08abff9fb

memory/2616-8-0x00000000001A0000-0x00000000001C8000-memory.dmp

memory/2204-11-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\erwrb\vbhtkml.btv

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/2948-14-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2948-15-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2948-19-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2948-20-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2948-21-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2948-26-0x0000000010000000-0x0000000010022000-memory.dmp