Malware Analysis Report

2024-11-13 18:05

Sample ID: 241110-bw62tawjgw
Target: c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7
SHA256: c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7
Tags: bootkit discovery persistence spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7

Threat Level: Shows suspicious behavior

The file c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:30

Reported: 2024-11-10 01:33

Platform: win7-20240903-en

Max time kernel: 142s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\njenhd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\njenhd.exe N/A
N/A N/A \??\c:\Program Files\rernfs\qttqvp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\rernfs\\qttqvp.exe \"c:\\Program Files\\rernfs\\qttqvp.dll\",SetHandle" \??\c:\Program Files\rernfs\qttqvp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\rernfs\qttqvp.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\rernfs\qttqvp.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\rernfs\qttqvp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\rernfs C:\Users\Admin\AppData\Local\Temp\njenhd.exe N/A
File created \??\c:\Program Files\rernfs\qttqvp.dll C:\Users\Admin\AppData\Local\Temp\njenhd.exe N/A
File created \??\c:\Program Files\rernfs\qttqvp.exe C:\Users\Admin\AppData\Local\Temp\njenhd.exe N/A
File opened for modification \??\c:\Program Files\rernfs\qttqvp.exe C:\Users\Admin\AppData\Local\Temp\njenhd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\njenhd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Program Files\rernfs\qttqvp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\rernfs\qttqvp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\rernfs\qttqvp.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\rernfs\qttqvp.exe N/A
N/A N/A \??\c:\Program Files\rernfs\qttqvp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\rernfs\qttqvp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2408 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2408 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2408 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2408 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\njenhd.exe
PID 2408 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\njenhd.exe
PID 2408 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\njenhd.exe
PID 2408 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\njenhd.exe
PID 2656 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\njenhd.exe \??\c:\Program Files\rernfs\qttqvp.exe
PID 2656 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\njenhd.exe \??\c:\Program Files\rernfs\qttqvp.exe
PID 2656 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\njenhd.exe \??\c:\Program Files\rernfs\qttqvp.exe
PID 2656 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\njenhd.exe \??\c:\Program Files\rernfs\qttqvp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe

"C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\njenhd.exe "C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\njenhd.exe

C:\Users\Admin\AppData\Local\Temp\\njenhd.exe "C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

\??\c:\Program Files\rernfs\qttqvp.exe

"c:\Program Files\rernfs\qttqvp.exe" "c:\Program Files\rernfs\qttqvp.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\njenhd.exe

Network

Country Destination Domain Proto
US 98.126.40.20:803 N/A tcp
US 98.126.40.20:803 N/A tcp
US 98.126.40.18:3204 N/A tcp
US 98.126.40.19:805 N/A tcp
US 98.126.40.19:805 N/A tcp
US 98.126.40.19:805 N/A tcp
US 98.126.40.19:805 N/A tcp
US 98.126.40.18:3204 N/A tcp
US 98.126.40.18:3204 N/A tcp
US 98.126.40.18:3204 N/A tcp

Files

memory/3056-0-0x0000000000400000-0x000000000042F036-memory.dmp

memory/3056-2-0x0000000000400000-0x000000000042F036-memory.dmp

C:\Users\Admin\AppData\Local\Temp\njenhd.exe

MD5 8f9891c9efa5ec0de7f15133a2f8cceb
SHA1 952ae9bddfad6fbd4f8c4cbf3035317cbc5e7bc0
SHA256 801dfc6dab67e1c8eeda0019123395591cd4937efba7d06638e6c59b052bd43c
SHA512 4038a5917f5e7f9fe3479d712cda04af94c01149bf73c1c02506190e9f0867b0dd41568151ac59065417b09d3abfe1ecfcf0e35956666c05df65c446adc73ffc

memory/2408-5-0x00000000001A0000-0x00000000001D0000-memory.dmp

\Program Files\rernfs\qttqvp.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2656-14-0x0000000000400000-0x000000000042F036-memory.dmp

\??\c:\Program Files\rernfs\qttqvp.dll

MD5 0ee5e551abf7c08779b1a013ce1abeb4
SHA1 9a3f682c89a32a8ae691346099fc95b3a0b340b1
SHA256 58e7f56eefc54e4d4af11d1df228127ad41fb11e2f6ef1487ea19b9f1cefa189
SHA512 f388001389ba38b77f3b6ebae2b3342d00879a4857aa6a99c605b9df98d7ddb60c3fe8daf7abb8a05be82001dd1212aa9235b0392ed9db388dfe481b930405a8

memory/2712-25-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2712-24-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2712-22-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2712-21-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2712-26-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2712-31-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2712-32-0x0000000010000000-0x0000000010048000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:30

Reported: 2024-11-10 01:33

Platform: win10v2004-20241007-en

Max time kernel: 141s

Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe N/A
N/A N/A \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\osjjr\\sysyoeytc.exe \"c:\\Program Files\\osjjr\\sysyoeytc.dll\",SetHandle" \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\osjjr\sysyoeytc.exe C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe N/A
File opened for modification \??\c:\Program Files\osjjr\sysyoeytc.exe C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe N/A
File opened for modification \??\c:\Program Files\osjjr C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe N/A
File created \??\c:\Program Files\osjjr\sysyoeytc.dll C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
N/A N/A \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
N/A N/A \??\c:\Program Files\osjjr\sysyoeytc.exe N/A
N/A N/A \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\osjjr\sysyoeytc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4756 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4756 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4756 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe
PID 4756 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe
PID 4756 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe
PID 2728 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe \??\c:\Program Files\osjjr\sysyoeytc.exe
PID 2728 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe \??\c:\Program Files\osjjr\sysyoeytc.exe
PID 2728 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe \??\c:\Program Files\osjjr\sysyoeytc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe

"C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fnzqyukpt.exe "C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe

C:\Users\Admin\AppData\Local\Temp\\fnzqyukpt.exe "C:\Users\Admin\AppData\Local\Temp\c6adae7e97b413bc10b2ca22c411d913ce9c5d27b4fde0a3bd509feae546a7d7.exe"

\??\c:\Program Files\osjjr\sysyoeytc.exe

"c:\Program Files\osjjr\sysyoeytc.exe" "c:\Program Files\osjjr\sysyoeytc.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 98.126.40.20:803 N/A tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 98.126.40.18:3204 N/A tcp
US 98.126.40.19:805 N/A tcp
US 98.126.40.19:805 N/A tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 98.126.40.19:805 N/A tcp
US 98.126.40.18:3204 N/A tcp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 98.126.40.18:3204 N/A tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 98.126.40.18:3204 N/A tcp

Files

memory/2612-0-0x0000000000400000-0x000000000042F036-memory.dmp

memory/2612-2-0x0000000000400000-0x000000000042F036-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fnzqyukpt.exe

MD5 77864874a9040e213c1e961ab311e9ae
SHA1 be646f5de0013c6c0025f69f08935c1b482e7677
SHA256 85a5f6319a9940c227644ed05dc1f8e49d30df6adff5dd18b22e8d1c1c70d562
SHA512 36fabdee39552571779b93593fd7114dcf1c6df3c5f1a55752e2ddc926f57256d219a142e3281eb49be3f79e14db1170ef9478357042d0c28f8b695411b55470

memory/2728-6-0x0000000000400000-0x000000000042F036-memory.dmp

C:\Program Files\osjjr\sysyoeytc.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/2728-13-0x0000000000400000-0x000000000042F036-memory.dmp

\??\c:\Program Files\osjjr\sysyoeytc.dll

MD5 ffa4c2adf4f65b9f06ae4c905d966cfb
SHA1 f0d5439b37d2278bd350ab903ad3814b9dd0f729
SHA256 63aed663e6f513e5a1a80b517b796fcfdc1098d89e0e377f01c0891f8870f0a9
SHA512 3081e90046f4197032348eecd606081ffd645267032a81a6f6873b52eb73daa860d9f5c66e10d612eef7ff9687dd6a4448cb00a4ce357dcc96359f0c82571c53

memory/3548-16-0x0000000010000000-0x0000000010048000-memory.dmp

memory/3548-17-0x0000000010000000-0x0000000010048000-memory.dmp

memory/3548-19-0x0000000010000000-0x0000000010048000-memory.dmp

memory/3548-21-0x0000000010000000-0x0000000010048000-memory.dmp