Malware Analysis Report

2025-08-06 01:37

Sample ID 241016-2b89jszdmm
Target e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N
SHA256 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25
Tags bootkit discovery persistence spyware stealer upx
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25

Threat Level: Likely malicious

The file e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer upx

Blocklisted process makes network request

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Runs ping.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 22:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 22:25

Reported

2024-10-16 22:27

Platform

win7-20240708-en

Max time kernel

112s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\vfwtt\\immmxis.mmi\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mdssq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2324 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2324 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2324 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2324 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mdssq.exe
PID 2324 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mdssq.exe
PID 2324 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mdssq.exe
PID 2324 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\mdssq.exe
PID 2200 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2200 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mdssq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 2864 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2920 wrote to memory of 2864 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2920 wrote to memory of 2864 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2920 wrote to memory of 2864 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe

"C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mdssq.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\mdssq.exe

C:\Users\Admin\AppData\Local\Temp\\mdssq.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\vfwtt\immmxis.mmi",crc32 C:\Users\Admin\AppData\Local\Temp\mdssq.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network

Country Destination Domain Proto

Files

memory/2560-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2560-1-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2560-3-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\mdssq.exe

MD5 6564211148a514180a0eb98b690426ee
SHA1 473102beca3f996f9f2fa030e8a77be8fd5547fb
SHA256 724fad6494867cda137a6ffd3f1dd8c279e1f996a5726023b25ac5a1ea4f706a
SHA512 2318789c0e7153d63a76010c289d93a1c93ad530c3e779ab3c2acfc01f74a91984caee0b643cf000a05c046f6acf84a654b407b99c19d3baf7b9cee09245097c

memory/2200-8-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2200-10-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\vfwtt\immmxis.mmi

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/2920-13-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2920-14-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2920-18-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2920-19-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2920-20-0x0000000010000000-0x0000000010022000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 22:25

Reported

2024-10-16 22:27

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gjdtv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gjdtv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\aecih\\rtbsq.tsr\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gjdtv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\taskkill.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3888 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3888 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3888 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gjdtv.exe
PID 3888 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gjdtv.exe
PID 3888 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gjdtv.exe
PID 3156 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\gjdtv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3156 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\gjdtv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3156 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\gjdtv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2772 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 3068 wrote to memory of 2772 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 3068 wrote to memory of 2772 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe

"C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gjdtv.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\gjdtv.exe

C:\Users\Admin\AppData\Local\Temp\\gjdtv.exe "C:\Users\Admin\AppData\Local\Temp\e399c67287b960692c4ea816d861e24f3cc8bc0fe75f7f8165aab20cae9d8d25N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\aecih\rtbsq.tsr",crc32 C:\Users\Admin\AppData\Local\Temp\gjdtv.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network

Country Destination Domain Proto

Files

memory/1448-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1448-1-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/1448-3-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gjdtv.exe

MD5 e06f1eef31bfb5761294c274b862aca0
SHA1 98bf8504e076a0147898757ffacdc1a2e2653867
SHA256 b65fcd5c248418d3fd6f254e8af81e22250350c930b467beb720997e10d88b1e
SHA512 8d86675c357b67fbe04b7ce5b71c11149293da2f0a8ca19fb7b7e2e55c65053f230a63907dcf942882d5dd89db7a6b7639870c313772449efc34810e8b17729a

memory/3156-7-0x0000000000630000-0x0000000000631000-memory.dmp

memory/3156-9-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\aecih\rtbsq.tsr

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/3068-12-0x0000000010000000-0x0000000010022000-memory.dmp

memory/3068-13-0x0000000010000000-0x0000000010022000-memory.dmp

memory/3068-15-0x0000000010000000-0x0000000010022000-memory.dmp

memory/3068-17-0x0000000010000000-0x0000000010022000-memory.dmp