Malware Analysis Report

2025-06-16 04:03

Sample ID 221220-x965madh9w
Target $RTKOW1B.zip
SHA256 aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40
Tags
icedid 3114391984 banker loader trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40

Threat Level: Known bad

The file $RTKOW1B.zip was found to be: Known bad.

Malicious Activity Summary

icedid 3114391984 banker loader trojan

IcedID, BokBot

Blocklisted process makes network request

Loads dropped DLL

Drops file in System32 directory

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 19:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 19:34

Reported

2022-12-20 20:04

Platform

win7-20221111-en

Max time kernel

1640s

Max time network

1598s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x47c

Network

N/A

Files

memory/868-54-0x000007FEFC131000-0x000007FEFC133000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-20 19:34

Reported

2022-12-20 20:04

Platform

win10v2004-20221111-en

Max time kernel

1791s

Max time network

1766s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

Signatures

IcedID, BokBot

trojan banker icedid

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\System32\GroupPolicy\User\Registry.pol C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\system32\SystemSettingsAdminFlows.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3116" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3116" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3746" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1034" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9808" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11629" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1067" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9130" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1067" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1067" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11629" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8248" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9940" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9130" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9808" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9808" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8248" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1034" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9940" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9940" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11629" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9130" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3746" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1034" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3116" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3746" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8248" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 5068 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 5068 wrote to memory of 4772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 5068 wrote to memory of 4772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3868 wrote to memory of 3368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 3868 wrote to memory of 3368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4656 wrote to memory of 4680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4656 wrote to memory of 4680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 5000 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 5000 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 812 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 812 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2508 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2508 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2584 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2584 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 1872 wrote to memory of 3364 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 1872 wrote to memory of 3364 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4768 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4768 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\" -ad -an -ai#7zMap7296:114:7zEvent11495

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\system32\rundll32.exe

rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

C:\Windows\system32\xcopy.exe

xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 428 -p 3512 -ip 3512

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3512 -s 5760

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOnDeveloperFeatures DeveloperUnlock

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetRunAsUserRegKeyFlow

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

Network

Country Destination Domain Proto

Files

C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd

MD5 9f19dd31900efd76299b3664eda0cd3a
SHA1 028b44165c9995cae1035e06bb2d15027add44f8
SHA256 43de56afb31f13399acd2e7e36d93e06349bdc364b83f3f76497b28bfcc9f21f
SHA512 9e954a644a77dc08c81c9651fa37b32e24009dd961eefc02f224527dc4174feae67cac02532160b946547f9053b167e581946f336966f201ad263f10accbb29f

memory/2976-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp

MD5 1795382b21fad93fe3fe3d75ef40a67d
SHA1 7a6fa8a71a68e3226b6cad24cd3eff4767111e58
SHA256 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
SHA512 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

memory/4772-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp

MD5 1795382b21fad93fe3fe3d75ef40a67d
SHA1 7a6fa8a71a68e3226b6cad24cd3eff4767111e58
SHA256 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
SHA512 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd

MD5 cc31d1d48706f236026b5b7f8ca0d87b
SHA1 5b6a8356ca69d4db720d2753ab4b999a0151297d
SHA256 da0ba8858c67f270b2c660fc882253fff8962261aff9cfee46425740ba48e554
SHA512 133228a495440dc66ca885e4f75e9f07b5d5f61c400af9f9d344c9779fbd3b0c9857819307d6531f60e1aae0a18084c6bfe0e158ad1379d4fac7906cd2ed7c4c