Malware Analysis Report

2024-12-07 02:01

Sample ID 241111-ywhesatrez
Target 601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N
SHA256 601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2
Tags
upx bootkit discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2

Threat Level: Shows suspicious behavior

The file 601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N was classified as showing suspicious behavior (score 7/10); the tags below are generic behavioral tags and no malware family was attributed.

Malicious Activity Summary

upx bootkit discovery persistence spyware stealer

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 20:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
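The static signature above records UPX packing without an indicator. As an added example (not part of the sandbox output, and not the analysed sample's code), the Python script below shows the check that produces that verdict: it walks the PE section table, looks for UPX's section names, the empty first section UPX leaves as its decompression target, and the high entropy of the compressed section. The PE images it inspects are constructed inside the script by build_pe(); they are minimal headers, not loadable executables.

```python
"""Flag UPX packing from a PE's section table and section entropy.

Added example, not part of the sandbox report. The PE images it inspects are
built by build_pe() below (constructed headers, not loadable executables).
"""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed/encrypted data is close to 8, plain x86 code ~6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Three cheap checks that together make the 'UPX packed' call."""
    secs = parse_sections(pe)
    names = {s["name"].encode() for s in secs}
    upx_names = sorted(n.decode() for n in names & UPX_SECTION_NAMES)
    # UPX0 is the decompression target: a virtual size but zero bytes on disk.
    empty_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    high_entropy = [s["name"] for s in secs if s["raw_size"] and s["entropy"] > 7.0]
    return {"upx_section_names": upx_names, "empty_first_section": empty_first,
            "high_entropy_sections": high_entropy,
            "likely_upx": bool(upx_names) and empty_first}


def build_pe(sections: list[tuple[bytes, bytes, int]]) -> bytes:
    """Constructed PE32 image from (name, raw bytes, virtual size) per section.
    Only the fields parse_sections() reads are meaningful."""
    opt_size, file_align = 0xE0, 0x200
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = -(-hdr_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, raw, vsize in sections:
        rptr = data_start + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        body += raw + b"\0" * (-len(raw) % file_align)
        vaddr += max(vsize, 0x1000)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image + b"\0" * (data_start - len(image)) + bytes(body)


def constructed_samples() -> dict[str, bytes]:
    """Two constructed images: a UPX-style layout whose payload is pseudo-random
    bytes standing in for compressed code, and a plain layout of repetitive code."""
    rnd = random.Random(7)
    packed = bytes(rnd.getrandbits(8) for _ in range(4096))
    return {
        "upx_like": build_pe([(b"UPX0", b"", 0x8000), (b"UPX1", packed, 0x1000),
                              (b".rsrc", b"\0" * 512, 0x200)]),
        "plain": build_pe([(b".text", b"\x55\x8b\xec\x83\xec\x10" * 150, 0x400),
                           (b".data", b"\0" * 64, 0x40)]),
    }


if __name__ == "__main__":
    for label, image in constructed_samples().items():
        print(label, upx_indicators(image))
```

Section names alone are weak evidence (trivially renamed), which is why the empty-first-section layout and the entropy of the payload section are checked alongside them; a sample that only fails the name check but passes the other two still deserves a look with a real unpacker.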

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 20:08

Reported

2024-11-11 20:10

Platform

win7-20240903-en

Max time kernel

113s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe N/A
Note: the signature is attributed to the dropped loader, which cmd.exe starts with the original sample's path as its only argument (see Processes below); the loopback ping that precedes it gives the sample process time to exit so that the original file can be removed.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe N/A
N/A N/A \??\c:\Program Files\auyvkvt\wye.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dtfd = "c:\\Program Files\\auyvkvt\\wye.exe \"c:\\Program Files\\auyvkvt\\wyebm.dll\",DoAddToFavDlg" \??\c:\Program Files\auyvkvt\wye.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\auyvkvt\wye.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\auyvkvt\wye.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\auyvkvt\wye.exe N/A
Note: the indicator is a write-access handle to the raw disk device, which an MBR write requires; the report does not capture the sectors written, so tampering is inferred from the handle and should be confirmed by comparing sector 0 of the detonation disk with a clean baseline.

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\auyvkvt\wyebm.dll C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe N/A
File created \??\c:\Program Files\auyvkvt\wye.exe C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe N/A
File opened for modification \??\c:\Program Files\auyvkvt\wye.exe C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe N/A
File opened for modification \??\c:\Program Files\auyvkvt C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Program Files\auyvkvt\wye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Note: the key is opened by the system's own cmd.exe and PING.EXE as well as by the sample and its dropped binaries, which points to ordinary process locale initialisation rather than deliberate discovery; treat this match as low-confidence.

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
Note: the only ping observed is "ping 127.0.0.1 -n 2" (see Processes below), a loopback request used as a short delay before the dropped loader starts; this is a generic match on ping.exe, not evidence that the sample checks Internet connectivity.

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\auyvkvt\wye.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\auyvkvt\wye.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\auyvkvt\wye.exe N/A
N/A N/A \??\c:\Program Files\auyvkvt\wye.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\auyvkvt\wye.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2816 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2816 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2816 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2816 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe
PID 2816 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe
PID 2816 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe
PID 2816 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe
PID 2268 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe \??\c:\Program Files\auyvkvt\wye.exe
PID 2268 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe \??\c:\Program Files\auyvkvt\wye.exe
PID 2268 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe \??\c:\Program Files\auyvkvt\wye.exe
PID 2268 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe \??\c:\Program Files\auyvkvt\wye.exe

Processes

C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe

"C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\kmuagebk.exe "C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe

C:\Users\Admin\AppData\Local\Temp\\kmuagebk.exe "C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

\??\c:\Program Files\auyvkvt\wye.exe

"c:\Program Files\auyvkvt\wye.exe" "c:\Program Files\auyvkvt\wyebm.dll",DoAddToFavDlg C:\Users\Admin\AppData\Local\Temp\kmuagebk.exe

Network

Country Destination Domain Proto
US 107.160.131.253:18659 N/A tcp
KR 107.163.56.110:18530 107.163.56.110 tcp
US 107.160.131.253:18659 N/A tcp
US 8.8.8.8:53 host123.zz.am udp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp

Files

memory/3012-0-0x0000000000400000-0x000000000048D000-memory.dmp

memory/3012-2-0x0000000000400000-0x000000000048D000-memory.dmp

\Users\Admin\AppData\Local\Temp\kmuagebk.exe

MD5 061523caef0d161f1441941e65eef8ab
SHA1 78e6bc3a7111056d8257a74abbb46ea1be319f5c
SHA256 2363c2daabbd20be46e384dccaa6a51b68a622ba60976ff5c06d8bc7e08b36d8
SHA512 ea440292623388052ee319ed12fd36cb60b78d78048156dde44c9ee52eeacd644d8a966fb68e5d0a0121cf874838b7d94a033fbca5ccfe16561a0f193fcf996e

memory/2816-5-0x00000000002D0000-0x000000000035D000-memory.dmp

\Program Files\auyvkvt\wye.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2268-14-0x0000000000400000-0x000000000048D000-memory.dmp

\??\c:\Program Files\auyvkvt\wyebm.dll

MD5 c8a9582695889882e27b3fb11e2f18f2
SHA1 3e131d7029ea7fd05cd9b50a6bd8e4a0cf138ff3
SHA256 2476ea397548af6a6956d995e9d8891f07345f112c9bf2996723f74c1ad6191f
SHA512 beec0d7c16a0daacc8fdd62a0d647898516f9dcf1a5514641e7d65eae0607e54e20ed818d7226f981f574a7faa4265885cda64e91a955caf3f20544d2e746259

memory/1828-23-0x0000000000240000-0x0000000000242000-memory.dmp

memory/1828-25-0x0000000010000000-0x0000000010052000-memory.dmp

memory/1828-24-0x0000000010000000-0x0000000010052000-memory.dmp

memory/1828-22-0x0000000010000000-0x0000000010052000-memory.dmp

memory/1828-21-0x0000000010000000-0x0000000010052000-memory.dmp

memory/1828-26-0x0000000010000000-0x0000000010052000-memory.dmp

memory/1828-27-0x0000000000240000-0x0000000000242000-memory.dmp

memory/1828-31-0x0000000010000000-0x0000000010052000-memory.dmp

memory/1828-32-0x0000000010000000-0x0000000010052000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 20:08

Reported

2024-11-11 20:10

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe N/A
N/A N/A \??\c:\Program Files\mzidgf\krxfj.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\Program Files\mzidgf\krxfj.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dtfd = "c:\\Program Files\\mzidgf\\krxfj.exe \"c:\\Program Files\\mzidgf\\krxfj.dll\",DoAddToFavDlg" \??\c:\Program Files\mzidgf\krxfj.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\mzidgf\krxfj.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\mzidgf\krxfj.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\mzidgf\krxfj.exe N/A
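Both detonations (behavioral1 and behavioral2) record only that the second-stage binary opened \??\PHYSICALDRIVE0 for modification. The sandbox does not capture what was written, so the confirming step is to pull sector 0 from the detonation VM's disk image and compare it with a known-good copy. The Python below is an added example, not part of the report: parse_mbr() splits a 512-byte sector into bootstrap code, disk signature, partition table and 0x55AA signature, and diff_mbr() names the regions that changed. The two sectors it compares are constructed by constructed_sectors(); they are not from the analysed machine.

```python
"""Compare a captured MBR sector against a clean baseline.

Added example, not part of the sandbox report. Both sectors examined are
built in constructed_sectors(); nothing here comes from the analysed disk.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE, DISK_SIG, BOOT_SIG = 0x1BE, 0x1B8, 0x1FE


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into the regions a bootkit can touch."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:DISK_SIG]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG)[0],
        "partitions": parts,
        "valid_signature": sector[BOOT_SIG:BOOT_SIG + 2] == b"\x55\xaa",
    }


def diff_mbr(clean: bytes, suspect: bytes) -> list[str]:
    """Name the regions that differ. A bootkit typically changes only the bootstrap
    code and keeps the partition table intact so the OS still boots."""
    a, b = parse_mbr(clean), parse_mbr(suspect)
    changed = []
    if a["bootstrap_sha256"] != b["bootstrap_sha256"]:
        first = next(i for i in range(DISK_SIG) if clean[i] != suspect[i])
        changed.append(f"bootstrap code (first change at 0x{first:03X})")
    if a["disk_signature"] != b["disk_signature"]:
        changed.append("disk signature")
    if a["partitions"] != b["partitions"]:
        changed.append("partition table")
    if a["valid_signature"] != b["valid_signature"]:
        changed.append("0x55AA boot signature")
    return changed


def build_sector(bootstrap: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed sector; partitions are (status, type, lba_start, sectors)."""
    sec = bytearray(SECTOR)
    sec[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sec, DISK_SIG, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sec, PART_TABLE + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sec[BOOT_SIG:BOOT_SIG + 2] = b"\x55\xaa"
    return bytes(sec)


def constructed_sectors() -> tuple[bytes, bytes]:
    """A clean sector (the usual 'xor ax,ax / mov ss,ax / mov sp,7C00h / sti'
    prologue and one bootable NTFS partition) and a copy whose first instruction
    is replaced by a short jump to bytes planted later in the bootstrap area."""
    clean = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb", 0x1B2C3D4E,
                         [(0x80, 0x07, 2048, 204800)])
    hooked = bytearray(clean)
    hooked[:2] = b"\xeb\x7e"                      # jmp short to offset 0x80
    hooked[0x80:0x90] = bytes(range(0x90, 0xA0))  # planted bytes at the jump target
    return clean, bytes(hooked)


if __name__ == "__main__":
    clean, hooked = constructed_sectors()
    print(parse_mbr(clean))
    print(diff_mbr(clean, hooked))
```

For a real case the clean copy comes from the golden VM image before detonation (the first 512 bytes of the virtual disk file, or `dd if=\\.\PhysicalDrive0 bs=512 count=1` on a live host), and the changed offset feeds straight into a disassembler.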

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\mzidgf C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe N/A
File created \??\c:\Program Files\mzidgf\krxfj.dll C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe N/A
File created \??\c:\Program Files\mzidgf\krxfj.exe C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe N/A
File opened for modification \??\c:\Program Files\mzidgf\krxfj.exe C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Program Files\mzidgf\krxfj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\mzidgf\krxfj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\mzidgf\krxfj.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\mzidgf\krxfj.exe N/A
N/A N/A \??\c:\Program Files\mzidgf\krxfj.exe N/A
N/A N/A \??\c:\Program Files\mzidgf\krxfj.exe N/A
N/A N/A \??\c:\Program Files\mzidgf\krxfj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\mzidgf\krxfj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3188 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2768 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2768 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2768 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe
PID 2768 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe
PID 2768 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe
PID 5076 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe \??\c:\Program Files\mzidgf\krxfj.exe
PID 5076 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe \??\c:\Program Files\mzidgf\krxfj.exe
PID 5076 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe \??\c:\Program Files\mzidgf\krxfj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe

"C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ixqhgtmx.exe "C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe

C:\Users\Admin\AppData\Local\Temp\\ixqhgtmx.exe "C:\Users\Admin\AppData\Local\Temp\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"

\??\c:\Program Files\mzidgf\krxfj.exe

"c:\Program Files\mzidgf\krxfj.exe" "c:\Program Files\mzidgf\krxfj.dll",DoAddToFavDlg C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe
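The process trees of behavioral1 and behavioral2 have the same shape: the sample launches cmd.exe with "ping 127.0.0.1 -n 2" chained to the dropped loader, the loader receives the sample's own path as its argument, and the loader starts a Program Files binary that takes a DLL path and export name in rundll32's argument style, the same command the Run value "dtfd" persists. The Python below is an added example, not part of the report or the sample: it rebuilds both trees as constructed data (PIDs from the WriteProcessMemory rows, command lines from the Processes sections, Run values from the persistence rows) and checks each of those relationships, which is the logic a detection rule over process-creation telemetry would encode.

```python
"""Reconstruct the launch chain and Run-key persistence from this report.

Added example, not part of the sandbox output or the sample. Both detonations
are rebuilt as constructed data: PIDs from the WriteProcessMemory rows, command
lines from the Processes sections, Run values from the persistence rows.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


def norm(path: str) -> str:
    r"""Comparable form: strip quotes and the NT \??\ prefix, collapse the doubled
    backslash the report shows in Temp\\kmuagebk.exe, lower-case."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("\\\\", "\\").lower()


# cmd.exe /c ping <host> -n <count>&<next>: ping stands in for sleep, then relaunch
PING_RELAUNCH = re.compile(
    r'^cmd(?:\.exe)?\s+/c\s+ping\s+(?P<host>\S+)\s+-n\s+(?P<count>\d+)\s*&\s*(?P<next>.+)$', re.I)
EXE_THEN_ARGS = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?\s*(?P<rest>.*)$', re.I)
# rundll32-style: "<host>" "<dll>",<Export> [trailing args]
DLL_EXPORT_LAUNCH = re.compile(
    r'^"?(?P<exe>[^"]+?\.exe)"?\s+"?(?P<dll>[^"]+?\.dll)"?,(?P<export>\w+)(?:\s+(?P<rest>.*))?$', re.I)


def analyse_processes(procs):
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        cmd, parent = p.cmdline.strip(), by_pid.get(p.ppid)
        if m := PING_RELAUNCH.match(cmd):
            nxt = EXE_THEN_ARGS.match(m["next"])
            findings.append({
                "pid": p.pid, "type": "ping_delay_relaunch",
                "loopback": m["host"] in ("127.0.0.1", "localhost", "::1"),
                "approx_delay_s": max(int(m["count"]) - 1, 0),  # ~1 s between echo requests
                "next_exe": norm(nxt["exe"]) if nxt else None,
                # relaunched binary gets the launcher's own path: the usual self-delete handoff
                "hands_over_parent_path": bool(nxt and parent and norm(nxt["rest"]) == norm(parent.image)),
            })
        if m := DLL_EXPORT_LAUNCH.match(cmd):
            findings.append({
                "pid": p.pid, "type": "dll_export_launch",
                "host": norm(m["exe"]), "dll": norm(m["dll"]), "export": m["export"],
                "host_under_program_files": norm(m["exe"]).startswith("c:\\program files\\"),
                "trailing_arg_is_parent_image": bool(parent and m["rest"] and norm(m["rest"]) == norm(parent.image)),
            })
    return findings


def analyse_run_values(run_values, procs):
    """Run values whose host binary is one of the processes seen executing."""
    executed = {norm(p.image) for p in procs}
    out = []
    for key, name, value in run_values:
        m = DLL_EXPORT_LAUNCH.match(value)
        out.append({
            "value_name": name, "per_user_hive": key.upper().startswith("\\REGISTRY\\USER\\"),
            "host": norm(m["exe"]) if m else None, "dll": norm(m["dll"]) if m else None,
            "export": m["export"] if m else None,
            "host_observed_executing": bool(m) and norm(m["exe"]) in executed,
        })
    return out


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\601f7df2828a77fd168393bd97b3e60b8382bbb56ec566fa3de5672e5e5770a2N.exe"


def detonation(pids, dropper, stage2_dir, stage2_exe, stage2_dll, sid, software="Software"):
    """One detonation as (processes, run_values), constructed from the report's rows."""
    p_sample, p_cmd, p_ping, p_drop, p_stage2 = pids
    drop = f"{TEMP}\\{dropper}"
    host = f"c:\\Program Files\\{stage2_dir}\\{stage2_exe}"
    dll = f"c:\\Program Files\\{stage2_dir}\\{stage2_dll}"
    procs = [
        Proc(p_sample, None, SAMPLE, f'"{SAMPLE}"'),
        Proc(p_cmd, p_sample, r"C:\Windows\SysWOW64\cmd.exe",
             f'cmd.exe /c ping 127.0.0.1 -n 2&{TEMP}\\\\{dropper} "{SAMPLE}"'),
        Proc(p_ping, p_cmd, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
        Proc(p_drop, p_cmd, drop, f'{TEMP}\\\\{dropper} "{SAMPLE}"'),
        Proc(p_stage2, p_drop, f"\\??\\{host}", f'"{host}" "{dll}",DoAddToFavDlg {drop}'),
    ]
    run_key = f"\\REGISTRY\\USER\\{sid}\\{software}\\Microsoft\\Windows\\CurrentVersion\\Run"
    return procs, [(run_key, "dtfd", f'{host} "{dll}",DoAddToFavDlg')]


BEHAVIORAL1 = detonation((3012, 2816, 2316, 2268, 1828), "kmuagebk.exe", "auyvkvt", "wye.exe",
                         "wyebm.dll", "S-1-5-21-1488793075-819845221-1497111674-1000")
BEHAVIORAL2 = detonation((3188, 2768, 3032, 5076, 4368), "ixqhgtmx.exe", "mzidgf", "krxfj.exe",
                         "krxfj.dll", "S-1-5-21-2878641211-696417878-3864914810-1000", "SOFTWARE")

if __name__ == "__main__":
    for label, (procs, run) in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label, analyse_processes(procs), analyse_run_values(run, procs))
```

The three regular expressions are the parts worth lifting into a rule: a cmd.exe command line that chains a loopback ping into another executable and passes the parent's image path to it, and a non-rundll32 binary under Program Files invoked with `"<dll>",<Export>` that also appears as a per-user Run value.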

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 107.160.131.253:18659 N/A tcp
KR 107.163.56.110:18530 N/A tcp
US 8.8.8.8:53 host123.zz.am udp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 host123.zz.am udp
US 107.160.131.254:23588 N/A tcp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
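The Network tables of behavioral1 and behavioral2 share one header, but the Domain column is empty for bare TCP connections and the same endpoint appears once per connection attempt. The Python below is an added example, not part of the report: it parses those rows (copied as constructed string constants, with the document's N/A marker filling empty Domain cells), separates forward DNS queries from PTR lookups, counts connection attempts per endpoint, checks whether any reverse-looked-up address was actually contacted, and produces a blocklist of the queried name and the TCP endpoints.

```python
"""Parse the flattened Network tables of this report into IOCs.

Added example, not part of the sandbox output. The rows below are the report's
own (Country Destination Domain Proto), copied as constructed string constants;
an empty Domain cell is written as N/A and accepted blank as well.
"""
import re
from collections import Counter

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+?):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")

BEHAVIORAL1_NETWORK = """
US 107.160.131.253:18659 N/A tcp
KR 107.163.56.110:18530 107.163.56.110 tcp
US 107.160.131.253:18659 N/A tcp
US 8.8.8.8:53 host123.zz.am udp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp
"""

BEHAVIORAL2_NETWORK = """
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 107.160.131.253:18659 N/A tcp
KR 107.163.56.110:18530 N/A tcp
US 8.8.8.8:53 host123.zz.am udp
US 107.160.131.254:23588 N/A tcp
US 107.160.131.254:23588 N/A tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 host123.zz.am udp
US 107.160.131.254:23588 N/A tcp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
US 8.8.8.8:53 host123.zz.am udp
"""


def parse_network(table: str) -> list[dict]:
    rows = []
    for line in table.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        if d["domain"] == "N/A":
            d["domain"] = None
        rows.append(d)
    return rows


def ptr_to_ip(name: str) -> str:
    """97.17.167.52.in-addr.arpa -> 52.167.17.97"""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def summarise(rows: list[dict]) -> dict:
    """Forward DNS queries, PTR lookups and TCP attempts per endpoint, plus the
    reverse-looked-up addresses that were also contacted over TCP (if any)."""
    dns_fwd, dns_ptr, tcp = Counter(), Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            name = r["domain"] or ""
            (dns_ptr if name.endswith(".in-addr.arpa") else dns_fwd)[name] += 1
        elif r["proto"] == "tcp":
            tcp[(r["dst"], r["port"], r["cc"])] += 1
    contacted = {ip for ip, _, _ in tcp}
    return {"dns_queries": dict(dns_fwd), "ptr_lookups": dict(dns_ptr), "tcp_endpoints": dict(tcp),
            "ptr_targets_contacted": sorted(ip for ip in map(ptr_to_ip, dns_ptr) if ip in contacted)}


def iocs(rows: list[dict]) -> dict:
    """Blockable indicators: queried names and TCP endpoints. The resolver (8.8.8.8)
    is excluded, and PTR lookups are not indicators unless the address is contacted."""
    s = summarise(rows)
    return {"domains": sorted(n for n in s["dns_queries"] if n),
            "tcp_endpoints": sorted(f"{ip}:{port}" for ip, port, _ in s["tcp_endpoints"])}


if __name__ == "__main__":
    rows = parse_network(BEHAVIORAL1_NETWORK) + parse_network(BEHAVIORAL2_NETWORK)
    print(summarise(rows))
    print(iocs(rows))
```

The repeated rows for 107.160.131.254:23588 are separate connection attempts, so the counter is the signal that the endpoint is the primary contact; the report does not show what host123.zz.am resolved to, so the name and the IP endpoints are listed as independent indicators.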

Files

memory/3188-0-0x0000000000400000-0x000000000048D000-memory.dmp

memory/3188-2-0x0000000000400000-0x000000000048D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ixqhgtmx.exe

MD5 079114f48d226a927ecfac0941f40301
SHA1 929fb8cde37846ba1eaa75ba64100cb80a65a4e6
SHA256 ceffa80b7d947834ae73cd8737e5b056a07ae622a649222fc38c26333b049791
SHA512 c8a8ae3ec88b612a94cc89b02fb2572c66641cbf660579af9a1f628d77cd18bed9f55261b6e067a8d980e31a28e93a1a31306b8db1cb19d6faed5633884cbfaf

C:\Program Files\mzidgf\krxfj.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/5076-10-0x0000000000400000-0x000000000048D000-memory.dmp

\??\c:\Program Files\mzidgf\krxfj.dll

MD5 781fc5cc759b2cd4f5edf7c30790795e
SHA1 5c008244b6532b35e89b21726b848c1ff3e1790f
SHA256 066bc57b9e1af6ff1db8027fac0be7a26d5a491168cd71a3a76e53782a6aded9
SHA512 4cc4d3bcc907b99881d0fe3dc5c3f7b2c5c75748376f6c1255920e9ace23e08f1ed72b23ef59548e9677acf913a695bb59fa0ff6cfab598a41ddef62f223a0cd

memory/4368-14-0x0000000010000000-0x0000000010052000-memory.dmp

memory/4368-15-0x0000000000800000-0x0000000000802000-memory.dmp

memory/4368-16-0x0000000010000000-0x0000000010052000-memory.dmp

memory/4368-17-0x0000000010000000-0x0000000010052000-memory.dmp

memory/4368-18-0x0000000010000000-0x0000000010052000-memory.dmp

memory/4368-19-0x0000000000800000-0x0000000000802000-memory.dmp

memory/4368-21-0x0000000010000000-0x0000000010052000-memory.dmp

memory/4368-23-0x0000000010000000-0x0000000010052000-memory.dmp