Malware Analysis Report

2025-06-16 03:31

Sample ID 220815-qv8lksbcdl
Target SecuriteInfo.com.W32.AIDetectNet.01.24354.12062
SHA256 e95133b41a680c6eefc46c572c77c90ec1597046bfd5a7d6d6199ed566b43457
Tags blustealer persistence stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

e95133b41a680c6eefc46c572c77c90ec1597046bfd5a7d6d6199ed566b43457

Threat Level: Known bad

The file SecuriteInfo.com.W32.AIDetectNet.01.24354.12062 was found to be: Known bad.

Malicious Activity Summary

blustealer persistence stealer

BluStealer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-15 13:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-15 13:36

Reported

2022-08-15 13:38

Platform

win7-20220812-en

Max time kernel

44s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe"

Signatures

BluStealer

stealer blustealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qejae = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ibiwfo\\Qejae.exe\"" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ocdms.exe\" .." C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1940 set thread context of 908 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 1428 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 1328 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1940 wrote to memory of 912 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1940 wrote to memory of 908 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 908 wrote to memory of 1640 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe
PID 908 wrote to memory of 1556 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe

"C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe"

C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

"C:\Users\Admin\AppData\Local\Temp\Ocdms.exe"

Network

N/A

Files

memory/1940-54-0x00000000008C0000-0x0000000000AA0000-memory.dmp

memory/1940-55-0x0000000004C00000-0x0000000004D4A000-memory.dmp

memory/1940-56-0x0000000004D50000-0x0000000004E08000-memory.dmp

memory/1940-57-0x0000000075C61000-0x0000000075C63000-memory.dmp

memory/1940-58-0x0000000004E80000-0x0000000004F12000-memory.dmp

memory/1428-59-0x0000000000000000-mapping.dmp

memory/1428-61-0x000000006FFB0000-0x000000007055B000-memory.dmp

memory/1428-62-0x000000006FFB0000-0x000000007055B000-memory.dmp

memory/908-63-0x0000000000400000-0x0000000000480000-memory.dmp

memory/908-64-0x0000000000400000-0x0000000000480000-memory.dmp

memory/908-66-0x0000000000400000-0x0000000000480000-memory.dmp

memory/908-67-0x0000000000400000-0x0000000000480000-memory.dmp

memory/908-68-0x0000000000400000-0x0000000000480000-memory.dmp

memory/908-69-0x000000000047AF5E-mapping.dmp

memory/908-71-0x0000000000400000-0x0000000000480000-memory.dmp

memory/908-73-0x0000000000400000-0x0000000000480000-memory.dmp

\Users\Admin\AppData\Local\Temp\Icwumtv.exe

MD5 43fad29e3e0cdba820580d0910c3cfdc
SHA1 939cdf1bb52f4e49192f9959bf539c644796b097
SHA256 edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e
SHA512 2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

memory/1640-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe

MD5 43fad29e3e0cdba820580d0910c3cfdc
SHA1 939cdf1bb52f4e49192f9959bf539c644796b097
SHA256 edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e
SHA512 2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

memory/1556-80-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Ocdms.exe

MD5 143df79cc6329bb7d28a3914af42bad0
SHA1 bb40cbe713905da365bdfbfaa76b5afa2711500b
SHA256 c7caa2be3c12c49ed887e08a9f87afbbaef669f64ab5d9ab7a7e1acd95a99f5e
SHA512 face945582b4b52c35c7335caf2ba0e40296f029412e0b9f0a6fcb7764b3574ffabcd0fa7ba41d22ef9570c93f55a0ce058124f9efe279740bbd7b02b2459aa8

C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

MD5 143df79cc6329bb7d28a3914af42bad0
SHA1 bb40cbe713905da365bdfbfaa76b5afa2711500b
SHA256 c7caa2be3c12c49ed887e08a9f87afbbaef669f64ab5d9ab7a7e1acd95a99f5e
SHA512 face945582b4b52c35c7335caf2ba0e40296f029412e0b9f0a6fcb7764b3574ffabcd0fa7ba41d22ef9570c93f55a0ce058124f9efe279740bbd7b02b2459aa8

memory/908-86-0x0000000000565000-0x0000000000576000-memory.dmp

memory/1556-85-0x000007FEF2DA0000-0x000007FEF37C3000-memory.dmp

memory/1556-87-0x000007FEEEF90000-0x000007FEF0026000-memory.dmp

memory/1556-88-0x000007FEFC1A1000-0x000007FEFC1A3000-memory.dmp

memory/1556-89-0x0000000000956000-0x0000000000975000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-15 13:36

Reported

2022-08-15 13:38

Platform

win10v2004-20220812-en

Max time kernel

83s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe"

Signatures

BluStealer

stealer blustealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qejae = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ibiwfo\\Qejae.exe\"" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ocdms.exe\" .." C:\Users\Admin\AppData\Local\Temp\Ocdms.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 832 set thread context of 368 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 832 wrote to memory of 4864 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 832 wrote to memory of 368 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 368 wrote to memory of 3924 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe
PID 368 wrote to memory of 4344 (2 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.24354.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe

"C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe"

C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

"C:\Users\Admin\AppData\Local\Temp\Ocdms.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
US 209.197.3.8:80 N/A tcp
US 209.197.3.8:80 N/A tcp
US 209.197.3.8:80 N/A tcp
NL 104.80.225.205:443 N/A tcp
FR 40.79.150.121:443 N/A tcp
US 209.197.3.8:80 N/A tcp
US 93.184.220.29:80 N/A tcp

Files

memory/832-132-0x0000000000050000-0x0000000000230000-memory.dmp

memory/832-133-0x0000000004F20000-0x0000000004F42000-memory.dmp

memory/4864-134-0x0000000000000000-mapping.dmp

memory/4864-135-0x00000000028A0000-0x00000000028D6000-memory.dmp

memory/4864-136-0x0000000005340000-0x0000000005968000-memory.dmp

memory/4864-137-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/4864-138-0x0000000005B30000-0x0000000005B96000-memory.dmp

memory/4864-139-0x00000000061B0000-0x00000000061CE000-memory.dmp

memory/4864-140-0x0000000007A00000-0x000000000807A000-memory.dmp

memory/4864-141-0x00000000066B0000-0x00000000066CA000-memory.dmp

memory/368-142-0x0000000000000000-mapping.dmp

memory/368-143-0x0000000000400000-0x0000000000480000-memory.dmp

memory/368-144-0x0000000005CF0000-0x0000000006294000-memory.dmp

memory/368-145-0x0000000005740000-0x00000000057D2000-memory.dmp

memory/368-146-0x00000000055F0000-0x00000000055FA000-memory.dmp

memory/3924-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Icwumtv.exe

MD5 43fad29e3e0cdba820580d0910c3cfdc
SHA1 939cdf1bb52f4e49192f9959bf539c644796b097
SHA256 edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e
SHA512 2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

memory/4344-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ocdms.exe

MD5 143df79cc6329bb7d28a3914af42bad0
SHA1 bb40cbe713905da365bdfbfaa76b5afa2711500b
SHA256 c7caa2be3c12c49ed887e08a9f87afbbaef669f64ab5d9ab7a7e1acd95a99f5e
SHA512 face945582b4b52c35c7335caf2ba0e40296f029412e0b9f0a6fcb7764b3574ffabcd0fa7ba41d22ef9570c93f55a0ce058124f9efe279740bbd7b02b2459aa8

memory/4344-155-0x00007FFC853C0000-0x00007FFC85DF6000-memory.dmp