Malware Analysis Report

2024-11-13 18:06

Sample ID 241110-bwvzjsyrhr
Target 285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50
SHA256 285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50
Tags
bootkit discovery persistence spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:30

Reported

2024-11-10 01:32

Platform

win7-20241010-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe N/A
N/A N/A \??\c:\Program Files\qytdplx\hvmxwh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\qytdplx\\hvmxwh.exe \"c:\\Program Files\\qytdplx\\hvmxwh.dll\",Compliance" \??\c:\Program Files\qytdplx\hvmxwh.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\qytdplx\hvmxwh.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\qytdplx\hvmxwh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\qytdplx C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe N/A
File created \??\c:\Program Files\qytdplx\hvmxwh.dll C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe N/A
File created \??\c:\Program Files\qytdplx\hvmxwh.exe C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe N/A
File opened for modification \??\c:\Program Files\qytdplx\hvmxwh.exe C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\qytdplx\hvmxwh.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\qytdplx\hvmxwh.exe N/A
N/A N/A \??\c:\Program Files\qytdplx\hvmxwh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\qytdplx\hvmxwh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2492 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2492 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2492 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2492 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe
PID 2492 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe
PID 2492 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe
PID 2492 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe
PID 2912 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe \??\c:\Program Files\qytdplx\hvmxwh.exe
PID 2912 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe \??\c:\Program Files\qytdplx\hvmxwh.exe
PID 2912 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe \??\c:\Program Files\qytdplx\hvmxwh.exe
PID 2912 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe \??\c:\Program Files\qytdplx\hvmxwh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe

"C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\stmxnwbp.exe "C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe

C:\Users\Admin\AppData\Local\Temp\\stmxnwbp.exe "C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

\??\c:\Program Files\qytdplx\hvmxwh.exe

"c:\Program Files\qytdplx\hvmxwh.exe" "c:\Program Files\qytdplx\hvmxwh.dll",Compliance C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe

Network

Country Destination Domain Proto
US 107.163.241.181:16300 tcp
US 107.163.241.181:16300 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.182:12354 tcp
US 107.163.241.182:12354 tcp
US 107.163.43.144:12388 107.163.43.144 tcp
US 107.163.241.182:12354 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp

Files

memory/2876-0-0x0000000000400000-0x000000000044901D-memory.dmp

memory/2876-2-0x0000000000400000-0x000000000044901D-memory.dmp

memory/2876-1-0x0000000000400000-0x000000000044901D-memory.dmp

memory/2876-4-0x0000000000400000-0x000000000044901D-memory.dmp

memory/2492-7-0x0000000000120000-0x000000000016A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\stmxnwbp.exe

MD5 d58d4b88f301864f9d8f0bd57f05727f
SHA1 0e0e5469c5ca41f0da088afb5b17e5291c717291
SHA256 3e794c82e026ca9cab45895f53ff99d2d2c04aa7b105ef6b59efd97e53654ebe
SHA512 c415957f88e3a7fe182744aa47681b4ac6d5c61bcf1e2d27f0b0e8e681564f72771105b4be7fecc56c4129a46bba5aee23d6908374d3ca39ea9eca490bb9c216

memory/2912-11-0x0000000000400000-0x000000000044901D-memory.dmp

memory/2912-10-0x0000000000400000-0x000000000044901D-memory.dmp

\Program Files\qytdplx\hvmxwh.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2912-19-0x0000000000400000-0x000000000044901D-memory.dmp

\??\c:\Program Files\qytdplx\hvmxwh.dll

MD5 17af6f69350838f4c8faa6564fe8490c
SHA1 d0aab946a4e4d836a6724fd234b7e71714496a29
SHA256 c4bdc300c7aeb0cf56c1a54a985a1561d84068293684c7e527847df68f20d348
SHA512 043a9ec16200a4770ed859c10c7b0e3aa53fec8833a357439dcfe2d6bc6a17ac5b72e76c11067eac9d17601ca9de757669c9a72dcf9dd955d17fe673e0c38bdb

memory/3068-26-0x0000000010000000-0x000000001004E000-memory.dmp

memory/3068-27-0x0000000010000000-0x000000001004E000-memory.dmp

memory/3068-30-0x0000000010000000-0x000000001004E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:30

Reported

2024-11-10 01:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zubckk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zubckk.exe N/A
N/A N/A \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\mzzoupfq\\jqxx.exe \"c:\\Program Files\\mzzoupfq\\jqxxq.dll\",Compliance" \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\mzzoupfq C:\Users\Admin\AppData\Local\Temp\zubckk.exe N/A
File created \??\c:\Program Files\mzzoupfq\jqxxq.dll C:\Users\Admin\AppData\Local\Temp\zubckk.exe N/A
File created \??\c:\Program Files\mzzoupfq\jqxx.exe C:\Users\Admin\AppData\Local\Temp\zubckk.exe N/A
File opened for modification \??\c:\Program Files\mzzoupfq\jqxx.exe C:\Users\Admin\AppData\Local\Temp\zubckk.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zubckk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
N/A N/A \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
N/A N/A \??\c:\Program Files\mzzoupfq\jqxx.exe N/A
N/A N/A \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\mzzoupfq\jqxx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1592 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1592 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1592 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zubckk.exe
PID 1592 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zubckk.exe
PID 1592 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zubckk.exe
PID 2344 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\zubckk.exe \??\c:\Program Files\mzzoupfq\jqxx.exe
PID 2344 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\zubckk.exe \??\c:\Program Files\mzzoupfq\jqxx.exe
PID 2344 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\zubckk.exe \??\c:\Program Files\mzzoupfq\jqxx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe

"C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zubckk.exe "C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\zubckk.exe

C:\Users\Admin\AppData\Local\Temp\\zubckk.exe "C:\Users\Admin\AppData\Local\Temp\285ebc26488f13638fbcbb9f002d60699dfdbbe66317e63e8cd42c48bb853a50.exe"

\??\c:\Program Files\mzzoupfq\jqxx.exe

"c:\Program Files\mzzoupfq\jqxx.exe" "c:\Program Files\mzzoupfq\jqxxq.dll",Compliance C:\Users\Admin\AppData\Local\Temp\zubckk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 107.163.241.181:16300 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.182:12354 tcp
US 107.163.241.182:12354 tcp
US 107.163.43.144:12388 107.163.43.144 tcp
US 8.8.8.8:53 144.43.163.107.in-addr.arpa udp
US 107.163.241.182:12354 tcp
US 107.163.241.193:6520 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp
US 107.163.241.193:6520 tcp

Files

memory/1860-0-0x0000000000400000-0x000000000044901D-memory.dmp

memory/1860-2-0x0000000000400000-0x000000000044901D-memory.dmp

memory/1860-1-0x0000000000400000-0x000000000044901D-memory.dmp

memory/1860-5-0x0000000000400000-0x000000000044901D-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zubckk.exe

MD5 975a4437ad2b7826d5369d5119ad2f43
SHA1 e434a345f106dc3ab58e704dde64c631330914ea
SHA256 1f2d7effd00becd86f4785959a3c94154e7601c6feb8162b08462488b3fd162f
SHA512 592f3f6245913f01aafdfaa38ae5f1ffb354920318af65bb76a6f3bc5890efd275a19a62a8df9a33855485b265b0410a025c44fb82030bdcfe318042cf7713a2

memory/2344-10-0x0000000000400000-0x000000000044901D-memory.dmp

memory/2344-9-0x0000000000400000-0x000000000044901D-memory.dmp

memory/2344-11-0x0000000000400000-0x000000000044901D-memory.dmp

C:\Program Files\mzzoupfq\jqxx.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/2344-17-0x0000000000400000-0x000000000044901D-memory.dmp

\??\c:\Program Files\mzzoupfq\jqxxq.dll

MD5 33a6272ed204b5cc49bc8f51d29366ee
SHA1 8ae133ceb89e75b703308192f1ba3497125f7d56
SHA256 090483f7e72af5b57a6c400d7ccf504a3605776d1d04ffd91ff5b955d1a530a6
SHA512 2ce23ee6948ba65fb55e38f6d4cb70e8c6776f99177ab582d4b103b950fd0e1e9fb00e7fc2d46ffa1498024b0107ebb50ee7ca3bacf0d272f133af0c81a9ac00

memory/4364-21-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4364-22-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4364-25-0x0000000010000000-0x000000001004E000-memory.dmp