Malware Analysis Report

2024-12-07 21:00

Sample ID: 220731-pgmlhsgdhq
Target: 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA256: 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
Tags: persistence adwind agenttesla collection keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903

Threat Level: Known bad

The file 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903 was found to be: Known bad.

Malicious Activity Summary

persistence adwind agenttesla collection keylogger spyware stealer trojan

AgentTesla

AdWind

Executes dropped EXE

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Loads dropped DLL

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

outlook_win_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-07-31 12:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-31 12:18
Reported: 2022-07-31 17:02
Platform: win7-20220718-en
Max time kernel: 132s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\winint.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\winint.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows defender = "C:\\Users\\Admin\\AppData\\Local\\winint.exe -boot" C:\Users\Admin\AppData\Local\winint.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1124 set thread context of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\winint.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\winint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1544 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1544 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1544 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
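The WriteProcessMemory and SetThreadContext rows above are only useful once they are read together as a process tree: 1212 (the original sample) spawns two cmd.exe instances, the second cmd.exe spawns winint.exe (1124), and 1124 then writes into and redirects a thread of a second winint.exe (268). That last edge, a write plus SetThreadContext into a child running the same image, is the classic RunPE / process-hollowing pattern; the same thing recurs in behavioral2 as 4976 -> 2804. Write-only edges are not evidence on their own, because CreateProcess itself writes into the new child, which is why every ordinary spawn also shows up in this table. The script below is an added worked example, not part of the sandbox report: it parses rows copied from these tables (repeated rows collapsed), rebuilds parent/child relationships, and flags the hollowing candidates. The helper names and the heuristic are this example's own.

```python
"""Rebuild the process tree from sandbox WriteProcessMemory / SetThreadContext
rows and flag process-hollowing candidates.

Added worked example, not part of the sandbox report. SAMPLE_EVENTS holds rows
copied from the behavioral1 tables (duplicates collapsed); the heuristic and
helper names are this example's own.
"""
import re

# Copied from the behavioral1 signature tables (duplicates collapsed).
SAMPLE_EVENTS = r"""
PID 1212 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1124 set thread context of 268 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
"""

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+)$"
)
# Split "<src image> <dst image>" on the whitespace that precedes a drive
# letter, so paths containing spaces (C:\Program Files\...) survive intact.
PATH_SPLIT = re.compile(r"\s+(?=[A-Za-z]:\\)")


def parse_events(text):
    """Return a list of dicts: src, dst (ints), action, src_image, dst_image."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, rest = m.groups()
        paths = PATH_SPLIT.split(rest)
        if len(paths) != 2:
            continue
        events.append({
            "src": int(src),
            "dst": int(dst),
            "action": "write" if action.startswith("wrote") else "set_context",
            "src_image": paths[0],
            "dst_image": paths[1],
        })
    return events


def build_tree(events):
    """Map pid -> image path and pid -> parent pid.

    The first process that writes into a pid is taken as its parent: on
    Windows, CreateProcess itself writes into the new child, which is why the
    sandbox logs a WriteProcessMemory edge for every ordinary spawn.
    """
    images, parents = {}, {}
    for ev in events:
        images.setdefault(ev["src"], ev["src_image"])
        images.setdefault(ev["dst"], ev["dst_image"])
        if ev["action"] == "write" and ev["dst"] not in parents and ev["src"] != ev["dst"]:
            parents[ev["dst"]] = ev["src"]
    return images, parents


def ancestry(parents, pid):
    """Return the chain root -> ... -> pid (cycle-safe)."""
    chain = [pid]
    seen = {pid}
    while chain[0] in parents and parents[chain[0]] not in seen:
        chain.insert(0, parents[chain[0]])
        seen.add(chain[0])
    return chain


def find_hollowing(events):
    """(src, dst, image) triples where src wrote into dst, then redirected a
    thread in dst, and both run from the same image: the RunPE / hollowing
    pattern (spawn self suspended, overwrite it, resume via SetThreadContext).
    A write edge alone is not evidence; CreateProcess produces those too."""
    wrote = {(e["src"], e["dst"]) for e in events if e["action"] == "write"}
    hits = set()
    for e in events:
        if e["action"] != "set_context":
            continue
        if (e["src"], e["dst"]) in wrote and e["src_image"].lower() == e["dst_image"].lower():
            hits.add((e["src"], e["dst"], e["dst_image"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    images, parents = build_tree(evs)
    for src, dst, image in find_hollowing(evs):
        chain = " -> ".join(
            f"{p} ({images[p].rsplit(chr(92), 1)[-1]})" for p in ancestry(parents, dst)
        )
        print(f"hollowing candidate: PID {src} -> PID {dst} [{image}]")
        print("  chain:", chain)
```

Run on the rows above it reports one candidate, 1124 -> 268, with the chain 1212 -> 1544 -> 1124 -> 268; the 1212 -> cmd.exe and cmd.exe -> winint.exe edges are ordinary spawns and are not flagged. The memory dump names in the Files section (memory/268-...-memory.dmp) are where the unpacked payload of the hollowed process would be found.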

Processes

C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe

"C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe" "C:\Users\Admin\AppData\Local\winint.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winint.exe"

C:\Users\Admin\AppData\Local\winint.exe

"C:\Users\Admin\AppData\Local\winint.exe"

C:\Users\Admin\AppData\Local\winint.exe

"C:\Users\Admin\AppData\Local\winint.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp

Files

memory/1212-54-0x0000000000D50000-0x0000000000EBC000-memory.dmp

memory/1212-55-0x0000000000470000-0x0000000000490000-memory.dmp

memory/1212-56-0x0000000075731000-0x0000000075733000-memory.dmp

memory/1648-57-0x0000000000000000-mapping.dmp

memory/1544-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\winint.exe

MD5 00026f4df326d91be6e5af6ad63dd440
SHA1 169e64b787d11edc1a0198304c3594c715b36c15
SHA256 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA512 f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

C:\Users\Admin\AppData\Local\winint.exe

MD5 00026f4df326d91be6e5af6ad63dd440
SHA1 169e64b787d11edc1a0198304c3594c715b36c15
SHA256 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA512 f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

C:\Users\Admin\AppData\Local\winint.exe

MD5 00026f4df326d91be6e5af6ad63dd440
SHA1 169e64b787d11edc1a0198304c3594c715b36c15
SHA256 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA512 f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

memory/1124-61-0x0000000000000000-mapping.dmp

memory/1124-63-0x00000000002E0000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\winint.exe

MD5 00026f4df326d91be6e5af6ad63dd440
SHA1 169e64b787d11edc1a0198304c3594c715b36c15
SHA256 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA512 f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

memory/268-66-0x00000000004D0CFE-mapping.dmp

memory/268-69-0x0000000000080000-0x0000000000156000-memory.dmp

memory/268-68-0x0000000000080000-0x0000000000156000-memory.dmp

memory/268-73-0x0000000000080000-0x0000000000156000-memory.dmp

memory/268-76-0x0000000000080000-0x0000000000156000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-31 12:18
Reported: 2022-07-31 17:03
Platform: win10v2004-20220721-en
Max time kernel: 186s
Max time network: 196s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe"

Signatures

AdWind

trojan adwind

AgentTesla

keylogger trojan stealer spyware agenttesla

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\winint.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\winint.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\winint.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\winint.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\winint.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\winint.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows defender = "C:\\Users\\Admin\\AppData\\Local\\winint.exe -boot" C:\Users\Admin\AppData\Local\winint.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyOtApp\\MyOtApp.exe" C:\Users\Admin\AppData\Local\winint.exe N/A
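Both Run values above are typical of commodity stealers: the value name "windows defender" borrows a trusted product name while the data points at a copy of the sample under %LOCALAPPDATA% (with a -boot switch so the binary can tell a reboot launch from the initial one), and the second value points at a path under %APPDATA% that no legitimate installer would use for a name like MyOtApp. The script below is an added worked example, not part of the sandbox report: it parses Run-key rows in the format used by these tables, recovers the executable path and arguments, and flags entries launched from outside the Program Files / Windows roots or whose name impersonates an OS or security component. The first two sample rows are copied from the table above; the third is a constructed benign entry for contrast, and the word list and flag names are this example's own choices.

```python
"""Triage Run-key autostart entries from sandbox "Set value (str)" rows.

Added worked example, not part of the sandbox report. The first two rows in
SAMPLE_ROWS are copied from the behavioral2 table above; the third row is a
constructed benign entry (hypothetical path) for contrast. The impersonation
word list, trusted roots and flag names are this example's own choices.
"""
import re

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows defender = "C:\\Users\\Admin\\AppData\\Local\\winint.exe -boot" C:\Users\Admin\AppData\Local\winint.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyOtApp\\MyOtApp.exe" C:\Users\Admin\AppData\Local\winint.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Program Files\\Java\\jre1.8.0_66\\bin\\jusched.exe" C:\Program Files\Java\jre1.8.0_66\bin\jusched.exe N/A
"""

# key = registry path up to ...\Run, name = value name (may contain spaces),
# data = quoted value data as printed by the sandbox, proc = writing process.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\S+\\Run)\\(?P<name>.+?) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)
# First ".exe" ends the image path; whatever follows is the argument string.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)

# Locations a non-admin user cannot normally write to.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Value names that borrow an OS / security product identity.
IMPERSONATED = ("windows defender", "defender", "windows update", "microsoft",
                "security", "antivirus")


def parse_run_rows(text):
    """Return one dict per row: key, name, exe, args, writer."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        # The sandbox prints registry strings with doubled backslashes.
        data = m.group("data").replace("\\\\", "\\")
        e = EXE_RE.match(data)
        if not e:
            continue
        entries.append({
            "key": m.group("key"),
            "name": m.group("name"),
            "exe": e.group("exe"),
            "args": e.group("args") or "",
            "writer": m.group("proc"),
        })
    return entries


def triage(entry):
    """Return the list of flags raised for one Run-key entry."""
    flags = []
    exe = entry["exe"].lower()
    trusted = exe.startswith(TRUSTED_ROOTS)
    if not trusted:
        flags.append("outside_trusted_roots")
    name = entry["name"].lower()
    if not trusted and any(word in name for word in IMPERSONATED):
        flags.append("impersonates_system_component")
    return flags


if __name__ == "__main__":
    for entry in parse_run_rows(SAMPLE_ROWS):
        print(f"{entry['name']!r:22} -> {entry['exe']} {entry['args']}".rstrip())
        print("   flags:", ", ".join(triage(entry)) or "none")
```

On the rows above, "windows defender" raises both flags, MyOtApp raises only the path flag, and the constructed Java Update entry raises none. On a live host the same checks apply to the output of reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM and RunOnce variants), which is where to look for these two values when triaging a machine that executed this sample.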

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4976 set thread context of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\winint.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\winint.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\winint.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\winint.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\winint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\winint.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1792 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 1792 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 4976 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Users\Admin\AppData\Local\winint.exe
PID 2804 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 2804 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\winint.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 676 wrote to memory of 3968 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 676 wrote to memory of 3968 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 676 wrote to memory of 2260 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 676 wrote to memory of 2260 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\winint.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\winint.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe

"C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903.exe" "C:\Users\Admin\AppData\Local\winint.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winint.exe"

C:\Users\Admin\AppData\Local\winint.exe

"C:\Users\Admin\AppData\Local\winint.exe"

C:\Users\Admin\AppData\Local\winint.exe

"C:\Users\Admin\AppData\Local\winint.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.433483681671281155511643121366733428.class

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1179796693329618571.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1179796693329618571.vbs

Network

Country Destination Domain Proto
NL 88.221.144.192:80 N/A tcp
NL 88.221.144.192:80 N/A tcp
FR 2.18.109.224:443 N/A tcp
DE 51.116.253.169:443 N/A tcp
NL 87.248.202.1:80 N/A tcp
NL 87.248.202.1:80 N/A tcp
NL 87.248.202.1:80 N/A tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp

Files

memory/1232-130-0x0000000000980000-0x0000000000AEC000-memory.dmp

memory/1232-131-0x0000000005970000-0x0000000005F14000-memory.dmp

memory/1232-132-0x00000000053C0000-0x0000000005452000-memory.dmp

memory/1232-133-0x0000000005470000-0x000000000547A000-memory.dmp

memory/412-134-0x0000000000000000-mapping.dmp

memory/1792-135-0x0000000000000000-mapping.dmp

memory/4976-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\winint.exe

MD5 00026f4df326d91be6e5af6ad63dd440
SHA1 169e64b787d11edc1a0198304c3594c715b36c15
SHA256 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA512 f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

C:\Users\Admin\AppData\Local\winint.exe

MD5 00026f4df326d91be6e5af6ad63dd440
SHA1 169e64b787d11edc1a0198304c3594c715b36c15
SHA256 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA512 f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

memory/4976-139-0x00000000083C0000-0x000000000845C000-memory.dmp

memory/2804-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\winint.exe

MD5 00026f4df326d91be6e5af6ad63dd440
SHA1 169e64b787d11edc1a0198304c3594c715b36c15
SHA256 5f560bb8c58fe280ae46406f98e3024c2fc2e165ddeaedcbc92e257f5b35f903
SHA512 f0d8c8cc4434a4817baf6d8e67c971e61008350c0dcf91e015f75c3f6b37af0c46cd8299688d5a9791cf1a6c5bd904674e34ae0f8ee369f093de9dffc98b7273

memory/2804-143-0x0000000000570000-0x0000000000646000-memory.dmp

memory/2804-144-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/676-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar

MD5 7da7000ca39ce69997bbcad56fa8d180
SHA1 5178465612c87a838fdfaa03b2148baf05a71768
SHA256 9d817b32fd59dbbe3a17f0c73d4be0b3301df89be5389bb2e81532bda93e34f8
SHA512 5999a976b75bbc457c1b38fa6e0f8149e9ffeedf3e5895d9b4478ffa94d53bf8d38b1df8aa8238423f6eb5b89c0a4bb36fa342033c6597214d12c6def53887d4

memory/2804-149-0x00000000069A0000-0x00000000069F0000-memory.dmp

memory/676-157-0x00000000026B0000-0x00000000036B0000-memory.dmp

memory/3968-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.433483681671281155511643121366733428.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 f5806393a6420115e71b89ececefe49b
SHA1 ffb2a36c183de6d4963375b117dc43e94b58505e
SHA256 ce034f4c1b0320e2d17238e340472cd7adb0d5239d9269c8a08cbf289bf257b8
SHA512 fb4a3393f8e73d1d21df60a89a2aae217fb31de38067ae5f5bad35b328f8e1b706c82f7730fa078ad895be227046173babe3c44d4feaaa9238abbca2c8e2b6c5

memory/3968-169-0x00000000029B0000-0x00000000039B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2372564722-193526734-2636556182-1000\83aa4cc77f591dfc2374580bbd95f6ba_e2a67401-6492-4cbf-87ab-b664c084dada

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/3968-178-0x00000000029B0000-0x00000000039B0000-memory.dmp

memory/2260-180-0x0000000000000000-mapping.dmp