Malware Analysis Report

2024-10-23 19:42

Sample ID 240124-lwmchsfdbp
Target LEIDA IMPEX SRL TRADING CO. INQUIRY.jar
SHA256 44fbccda88d6e6050b012ee0d4d32c20a832f6ffe1d90158f4b0a3d42578ae18
Tags
darkcloud stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44fbccda88d6e6050b012ee0d4d32c20a832f6ffe1d90158f4b0a3d42578ae18

Threat Level: Known bad

The file LEIDA IMPEX SRL TRADING CO. INQUIRY.jar was found to be: Known bad.

Malicious Activity Summary

darkcloud stealer discovery

DarkCloud

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 09:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 09:53

Reported

2024-01-24 09:55

Platform

win7-20231129-en

Max time kernel

143s

Max time network

118s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"

Signatures

DarkCloud

stealer darkcloud

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\alWFwCPZYm.exe | N/A
N/A | N/A | C:\Users\Admin\xXM7jN.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2276 set thread context of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\xXM7jN.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\alWFwCPZYm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\xXM7jN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\java.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1884 wrote to memory of 2276 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\alWFwCPZYm.exe
PID 1884 wrote to memory of 2276 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\alWFwCPZYm.exe
PID 1884 wrote to memory of 2276 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\alWFwCPZYm.exe
PID 1884 wrote to memory of 2276 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\alWFwCPZYm.exe
PID 1884 wrote to memory of 2716 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\xXM7jN.exe
PID 1884 wrote to memory of 2716 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\xXM7jN.exe
PID 1884 wrote to memory of 2716 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\xXM7jN.exe
PID 1884 wrote to memory of 2716 | N/A | C:\Windows\system32\java.exe | C:\Users\Admin\xXM7jN.exe
PID 2716 wrote to memory of 2412 | N/A | C:\Users\Admin\xXM7jN.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2716 wrote to memory of 2412 | N/A | C:\Users\Admin\xXM7jN.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2716 wrote to memory of 2412 | N/A | C:\Users\Admin\xXM7jN.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2716 wrote to memory of 2412 | N/A | C:\Users\Admin\xXM7jN.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2276 wrote to memory of 2432 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2432 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2432 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2432 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 1932 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 1932 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 1932 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 1932 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2276 wrote to memory of 1824 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"

C:\Users\Admin\alWFwCPZYm.exe

C:\Users\Admin\alWFwCPZYm.exe

C:\Users\Admin\xXM7jN.exe

"C:\Users\Admin\xXM7jN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZxmqkq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZxmqkq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp909C.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

N/A

Files

memory/1884-6-0x00000000024D0000-0x00000000054D0000-memory.dmp

memory/1884-10-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\alWFwCPZYm.exe

MD5 58eac77d1aa3ff75210f7ed838a2b2d1
SHA1 d8614698478d7f1c66867aeece4323ba985f808f
SHA256 8f290eafa3d91156164ca70cb019c4cfe8aa4c597decadc5590fba6702974ed9
SHA512 0286ba716a1d426e6c8f98ad9fe9954b54135e4112dca737f7a9e9599c5d160fa3f8668f108548eb978b3ffb06fa992d9ed882c59d47088fbbf54899a92dbdc7

C:\Users\Admin\alWFwCPZYm.exe

MD5 200f2fe8d562d184fc9863ddbf0e95c8
SHA1 33797d41be7b611063f6fb7a3e39f73a6262eb68
SHA256 b33d5c8ec05997b6a789545572867f1c99640baa05cfe2eb6fff91de5152f885
SHA512 780994418614242a28955d484c87fe1d3c552165feee49019771bcdf346a8e408371db8f0d68344e05c8e40be2b256f14616ac8292a2eeae9b3b467cde7185fd

memory/2276-21-0x0000000001190000-0x000000000126E000-memory.dmp

C:\Users\Admin\xXM7jN.exe

MD5 47be3e83ec08edb76de9ecb7f566a746
SHA1 598a46b9f7b721e5ca92136bb03f6e5b2a719403
SHA256 38de8c55f982ce0020138b434450288f92a4021ed5fc739b5edee0ff1c731061
SHA512 833445e031581afcf8cc17ef66f82a5aee22903fb916565296b2eaaf1d57eca5be18c862f9f54953a6eb2e460373b15a1140cede49a13ae75e4f9de1832ff2ae

C:\Users\Admin\xXM7jN.exe

MD5 2d4688243e467c2ab4b663a93b60ce1a
SHA1 74e3d1d84907b7b0b609fc871589a754d6468bf1
SHA256 0a3f899b9c96e5409fd0e4cda05946bbb03c8c6ffe6cdc6417ddedb2028d15e9
SHA512 8cdfe7a4dcbbeab474889b5c8c5544a5d3b736571f1bdcf3cd9fe197072a9c3945004f83500ab8a7669144008451a8dff18717e40911d017e133a3f5299cec21

C:\Users\Admin\xXM7jN.exe

MD5 b5b885a9364af1d12775a15b6d5085f1
SHA1 83c01d72699b6dfafdf9cacbbfa8bdbb5679be94
SHA256 fa044aa2c24825d2ab0ef1861c44a9ebeb35818632e4a73a508b2650f6953304
SHA512 1555415b73b1dcfb5296f8389b523a3f26acae5e543cdcc9fd0d15d7005de6345bd441fb567cbeccfd91dcdf6b16455e6978ac5e260b83fb71a162fcaedccf9b

memory/2276-26-0x00000000734F0000-0x0000000073BDE000-memory.dmp

memory/2716-30-0x00000000734F0000-0x0000000073BDE000-memory.dmp

memory/2716-29-0x0000000000180000-0x000000000025E000-memory.dmp

memory/2276-32-0x0000000004840000-0x0000000004880000-memory.dmp

memory/2716-31-0x0000000004A70000-0x0000000004AB0000-memory.dmp

memory/2716-33-0x0000000000420000-0x0000000000438000-memory.dmp

memory/1884-40-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1884-36-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1884-34-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1884-41-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2716-42-0x0000000000460000-0x0000000000468000-memory.dmp

memory/2276-43-0x0000000000920000-0x000000000092C000-memory.dmp

memory/2716-44-0x00000000056B0000-0x000000000575C000-memory.dmp

memory/2276-45-0x00000000734F0000-0x0000000073BDE000-memory.dmp

\Users\Admin\xXM7jN.exe

MD5 68bb2e7cb0458ec74cb2a6a1f0340079
SHA1 ef835ab6c7b5a12304e39f48604bf60844883a74
SHA256 f97e451aa5d0567cb5bb86aa1512730a5c5f885778ec38a030a553b97502fbfc
SHA512 398ec6efc051e8fddae6d0fe23bf771f80f138c5e79ae87c80481c14e1dd4b7c48eeed183223f28ce3fb3ecf91afdf3bab2b674719d21b0cfbd3deb97e6b55ae

\Users\Admin\xXM7jN.exe

MD5 00f0350335eda0bfea6e66cfadd8e47d
SHA1 f2f389163bbfad1e4e9d8aa82841ed6a51a1b7fd
SHA256 ee1be26cf9c729fa4f69485b862d6914d5bd29eb475a55ac20033b0cb1c2ec88
SHA512 de800db9d0ab28398cfb226fc93f2a06bb2b7a4cb6f7be0630072c91d2967c525232c580df9971412d3618f04438c07f986327c1adc43784925131a430111ac8

C:\Users\Admin\AppData\Local\Temp\tmp909C.tmp

MD5 d4f7a36de6b965659e253861f14f2054
SHA1 fb4716216d3f75dfbbd0e49ca55a9afcddd990e7
SHA256 e7004db110f0c2ab42c62737234e4ccca048dee78c2d8b4a2dc3b073e4545a76
SHA512 2ca8ca88ffbb3545ca36d64bbd6ed004013e7ade49759e6820db68777a69a16ca5fe5df3f144919afa0991b05792083d459ae11fa4955c40e100b6bef1a4c4ac

\Users\Admin\xXM7jN.exe

MD5 41270dfb714e4ab0896d50703fb49a4c
SHA1 0b5596ea5ebc335a60b2bf43c8e5ae747c4c8a7f
SHA256 7acc8377eb60581e1dfb7012cb8f7738d5d2284dc8b0c956e8612458d2bc02ff
SHA512 cdfe0df8f822282404d7704afadc8df5b8d1b092a1f73410735db35dea780ea6d90bcafe4a131a07e4c5fd1d02537cc1f78516a2444231ef6dcd1c599e3e2850

\Users\Admin\xXM7jN.exe

MD5 46f9b1955e49c2fbe747d4e6c6a0b1a9
SHA1 eff7dc65fcd6266cf6e45d0c45c6e9651d9aff55
SHA256 fbf6317a3fb8be6bd2c14657a735be9ae3987340d14db8c6b91d4a6f632bc134
SHA512 ecc0b210b43a23e35baaa71862e658bc008245ac4710d0d05aed167361088516fb6021c0505e28ab8758802816ce2c52df8d404acb7be443886c6a577d375401

\Users\Admin\xXM7jN.exe

MD5 6e2206b17b0e0ac9d4fc0b939d1ccc06
SHA1 a3e4cc8d3f44edd96aaf1ab15e5b3d0d97c982b1
SHA256 419f950c4e3f5a5b2c686d5d6548f12bd0556498a02df9518c5201c0c8274ff3
SHA512 916b418c15ea97737a1657464af3781a7477bc4907053ebba7a020e21188a18b688d3719dd9b8432c202233fd9cddfb2a26c78d4b6f867b083a55b27115937b6

memory/1824-58-0x0000000000400000-0x000000000046C000-memory.dmp

memory/1824-59-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2716-61-0x00000000734F0000-0x0000000073BDE000-memory.dmp

memory/2276-69-0x00000000734F0000-0x0000000073BDE000-memory.dmp

memory/2432-71-0x000000006DA90000-0x000000006E03B000-memory.dmp

memory/2432-76-0x0000000002960000-0x00000000029A0000-memory.dmp

memory/2716-75-0x0000000004A70000-0x0000000004AB0000-memory.dmp

memory/2432-74-0x0000000002960000-0x00000000029A0000-memory.dmp

memory/2432-73-0x0000000002960000-0x00000000029A0000-memory.dmp

memory/2432-72-0x000000006DA90000-0x000000006E03B000-memory.dmp

memory/1824-67-0x0000000000400000-0x000000000046C000-memory.dmp

memory/1824-65-0x0000000000400000-0x000000000046C000-memory.dmp

memory/1824-64-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1824-60-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2432-77-0x000000006DA90000-0x000000006E03B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 09:53

Reported

2024-01-24 09:55

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

151s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"

Signatures

DarkCloud

stealer darkcloud

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\alWFwCPZYm.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\alWFwCPZYm.exe | N/A
N/A | N/A | C:\Users\Admin\xXM7jN.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1848 set thread context of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\xXM7jN.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\alWFwCPZYm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\xXM7jN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4664 wrote to memory of 4268 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 4664 wrote to memory of 4268 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 4664 wrote to memory of 1848 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\alWFwCPZYm.exe
PID 4664 wrote to memory of 1848 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\alWFwCPZYm.exe
PID 4664 wrote to memory of 1848 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\alWFwCPZYm.exe
PID 4664 wrote to memory of 4508 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\xXM7jN.exe
PID 4664 wrote to memory of 4508 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\xXM7jN.exe
PID 4664 wrote to memory of 4508 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\xXM7jN.exe
PID 1848 wrote to memory of 2284 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2284 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2284 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2444 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2444 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2444 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 | N/A | C:\Users\Admin\alWFwCPZYm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
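Reading the two WriteProcessMemory tables (behavioral1 and behavioral2) needs a caveat: the sandbox emits one row per hooked call, and most rows are a parent writing into a child it has just spawned, which is the normal process-creation pattern and not by itself evidence of injection. The rows that matter are the single SetThreadContext call from alWFwCPZYm.exe into MSBuild.exe, combined with the repeated dumps of the MSBuild.exe process at 0x400000-0x46C000 in the Files list (the same region and size in both detonations). The script below is an added example, not sandbox or malware code: it collapses the repeated rows into the process tree and cross-references the SetThreadContext target with the regions dumped from it. The input rows are copied from the behavioral2 tables above (a subset, repeats kept), and the dump-name layout memory/<pid>-<index>-<start>-<end> is read off the names in the Files section, not taken from any documentation.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral2 signature tables and
# dump names from its Files section (a subset; the sandbox's repeated rows
# are kept as emitted, one row per hooked call).
WRITE_ROWS = r"""
PID 4664 wrote to memory of 4268 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4664 wrote to memory of 4268 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 4664 wrote to memory of 1848 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Users\Admin\alWFwCPZYm.exe
PID 4664 wrote to memory of 4508 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Users\Admin\xXM7jN.exe
PID 1848 wrote to memory of 2284 N/A C:\Users\Admin\alWFwCPZYm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2444 N/A C:\Users\Admin\alWFwCPZYm.exe C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2724 N/A C:\Users\Admin\alWFwCPZYm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1848 wrote to memory of 2724 N/A C:\Users\Admin\alWFwCPZYm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"""
CONTEXT_ROWS = r"""
PID 1848 set thread context of 2724 N/A C:\Users\Admin\alWFwCPZYm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"""
DUMP_NAMES = """
memory/1848-30-0x0000000000CB0000-0x0000000000D8E000-memory.dmp
memory/2724-96-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2724-99-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2724-118-0x0000000000400000-0x000000000046C000-memory.dmp
memory/4508-82-0x0000000005AE0000-0x0000000005AF0000-memory.dmp
"""

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.*)$")
# A path runs from a drive letter up to the next " X:\" or end of line, so
# paths containing spaces ("Program Files (x86)") survive the split.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?= [A-Za-z]:\\|$)")
# Layout assumed from the Files section: memory/<pid>-<index>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_rows(text):
    """Yield (action, src_pid, dst_pid, src_image, dst_image) per row, repeats included."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, action, dst, rest = m.groups()
        paths = PATH_RE.findall(rest)
        if len(paths) != 2:
            raise ValueError(f"expected two image paths in: {line!r}")
        yield action, int(src), int(dst), paths[0], paths[1]


def process_tree(write_text):
    """Collapse the repeated WriteProcessMemory rows into parent -> children and pid -> image."""
    children, images = defaultdict(set), {}
    for _, src, dst, src_img, dst_img in parse_rows(write_text):
        children[src].add(dst)
        images[src], images[dst] = src_img, dst_img
    return {p: sorted(c) for p, c in children.items()}, images


def parse_dumps(dump_text):
    """pid -> sorted list of distinct (start, size) regions the sandbox dumped from it."""
    regions = defaultdict(set)
    for name in dump_text.split():
        m = DUMP_RE.match(name)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions[int(m.group(1))].add((start, end - start))
    return {pid: sorted(r) for pid, r in regions.items()}


def hollowing_candidates(write_text, context_text, dump_text, image_base=0x400000):
    """Pair each SetThreadContext call with the dumped regions of its target.

    WriteProcessMemory from a parent into a child it just spawned is the normal
    process-creation pattern and proves nothing on its own. A SetThreadContext
    call into that child, plus a dumped region sitting at the target's image
    base, is the process-hollowing signature worth reporting."""
    tree, _ = process_tree(write_text)
    dumps = parse_dumps(dump_text)
    findings = []
    for action, src, dst, src_img, dst_img in parse_rows(context_text):
        if action != "set thread context of":
            continue
        base = [size for start, size in dumps.get(dst, []) if start == image_base]
        findings.append({
            "injector": src, "injector_image": src_img,
            "target": dst, "target_image": dst_img,
            "injector_spawned_target": dst in tree.get(src, []),
            "image_base_region_size": base[0] if base else None,
        })
    return findings


if __name__ == "__main__":
    tree, images = process_tree(WRITE_ROWS)
    for parent, kids in sorted(tree.items()):
        print(f"{parent} {images[parent]}")
        for kid in kids:
            print(f"  -> {kid} {images[kid]}")
    for f in hollowing_candidates(WRITE_ROWS, CONTEXT_ROWS, DUMP_NAMES):
        size = f["image_base_region_size"]
        desc = f"{size:#x} bytes at image base" if size is not None else "no dump at image base"
        print(f"hollowing: {f['injector']} -> {f['target']} ({f['target_image']}), "
              f"spawned by injector: {f['injector_spawned_target']}, {desc}")
```

For this report the tree comes out as java.exe -> {icacls.exe, alWFwCPZYm.exe, xXM7jN.exe} and alWFwCPZYm.exe -> {powershell.exe, schtasks.exe, MSBuild.exe}, with one hollowing candidate: PID 2724 (MSBuild.exe), spawned by its injector, carrying a 0x6C000-byte region at 0x400000. That region is the payload to carve for the DarkCloud configuration; the parent-to-child write rows are noise once the tree is built.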

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Users\Admin\alWFwCPZYm.exe

C:\Users\Admin\alWFwCPZYm.exe

C:\Users\Admin\xXM7jN.exe

"C:\Users\Admin\xXM7jN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1284

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZxmqkq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZxmqkq.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
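The Processes lists of both detonations carry the command lines worth alerting on: a Defender exclusion added with Add-MpPreference for a path under the user's profile, a scheduled task created from an XML definition in the user's Temp directory, MSBuild.exe started with no project by an executable in the user's profile, and java.exe launching PE files dropped directly under C:\Users\Admin. The icacls call on C:\ProgramData\Oracle\Java\.oracle_jre_usage is the Oracle JRE's own usage-tracking step (the .timestamp file it writes there appears in the Files list) and happens on any java.exe launch, so the rules below do not key on it. The script is an added example, not the sandbox's or the malware's code: the events are constructed from the behavioral2 Processes section with parent links taken from the signature tables, the WerFault.exe crash handlers are left out, and the user-writable roots and the profile-root EXE pattern are the rules' own assumptions rather than anything the report states.

```python
import re

# Constructed process-creation events built from the Processes section of the
# behavioral2 detonation (PIDs and parent links from the signature tables).
# Not real EDR telemetry; WerFault.exe crash handlers omitted.
EVENTS = [
    {"pid": 4664, "ppid": 0,
     "image": r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe",
     "cmdline": r'java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"'},
    {"pid": 4268, "ppid": 4664, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'},
    {"pid": 1848, "ppid": 4664, "image": r"C:\Users\Admin\alWFwCPZYm.exe",
     "cmdline": r"C:\Users\Admin\alWFwCPZYm.exe"},
    {"pid": 4508, "ppid": 4664, "image": r"C:\Users\Admin\xXM7jN.exe",
     "cmdline": r'"C:\Users\Admin\xXM7jN.exe"'},
    {"pid": 2284, "ppid": 1848,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZxmqkq.exe"'},
    {"pid": 2444, "ppid": 1848, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZxmqkq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp"'},
    {"pid": 2724, "ppid": 1848,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'},
]

# Assumed set of roots an unprivileged user can write to. A Defender exclusion
# or a task definition sourced from here is the pattern worth alerting on.
USER_WRITABLE = re.compile(r"(?i)^C:\\(?:Users\\[^\\]+|ProgramData|Windows\\Temp)\\")
QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def arg_after(flag, cmdline):
    """Return the (quoted or bare) argument following `flag`, or None."""
    m = re.search(r"(?i)" + re.escape(flag) + r"\s+" + QUOTED_OR_BARE, cmdline)
    return (m.group(1) or m.group(2)) if m else None


def rule_defender_exclusion(ev, parent):
    """powershell.exe adding a Defender exclusion for a user-writable path."""
    if image_name(ev["image"]) != "powershell.exe":
        return None
    if not re.search(r"(?i)Add-MpPreference", ev["cmdline"]):
        return None
    for flag in ("-ExclusionPath", "-ExclusionProcess"):
        path = arg_after(flag, ev["cmdline"])
        if path and USER_WRITABLE.match(path):
            return f"Defender exclusion added for user-writable path {path}"
    return None


def rule_schtasks_xml_from_temp(ev, parent):
    """schtasks /Create with its task XML read from a user-writable location."""
    if image_name(ev["image"]) != "schtasks.exe" or not re.search(r"(?i)/create\b", ev["cmdline"]):
        return None
    xml = arg_after("/XML", ev["cmdline"])
    if xml and USER_WRITABLE.match(xml):
        return f"scheduled task created from XML in user-writable path {xml}"
    return None


def rule_msbuild_without_project(ev, parent):
    """MSBuild.exe with no project argument, started by something in a user-writable path."""
    if image_name(ev["image"]) != "msbuild.exe":
        return None
    rest = re.sub(r'(?i)^"?[^"]*?msbuild\.exe"?', "", ev["cmdline"]).strip()
    if rest == "" and parent is not None and USER_WRITABLE.match(parent["image"]):
        return f"MSBuild.exe started with no project by {parent['image']}"
    return None


def rule_java_launches_profile_exe(ev, parent):
    """java.exe launching a PE that sits directly under the user's profile root."""
    if parent is None or image_name(parent["image"]) != "java.exe":
        return None
    if re.match(r"(?i)^C:\\Users\\[^\\]+\\[^\\]+\.exe$", ev["image"]):
        return "java.exe launched an EXE dropped at the user-profile root"
    return None


RULES = [rule_defender_exclusion, rule_schtasks_xml_from_temp,
         rule_msbuild_without_project, rule_java_launches_profile_exe]


def evaluate(events):
    """pid -> list of rule hits; the parent is resolved from the event list itself."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        found = []
        for rule in RULES:
            msg = rule(ev, parent)
            if msg:
                found.append(msg)
        if found:
            hits[ev["pid"]] = found
    return hits


if __name__ == "__main__":
    for pid, msgs in sorted(evaluate(EVENTS).items()):
        for msg in msgs:
            print(f"{pid}: {msg}")
```

Run against these events the rules flag PIDs 1848, 4508, 2284, 2444 and 2724 and stay quiet on java.exe itself and on the icacls call. The same rules apply unchanged to the behavioral1 Processes list, where only the PIDs and the tmp file name differ.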

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp

Files

memory/4664-4-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 31238beea1da2441e737243c7bf7eef1
SHA1 3dca080f1b8d273f4141fcfcd563bafbe3cf6e19
SHA256 cf3fd3c008c48db96c9892214c6ae5190c299c1bea44d029db1bdd0cb779740b
SHA512 bb5606d4845226c35cbcdbae0bc32af9819f83c5ac3f5caa05faf7803d1971499e44fe850a79f920282a39b134d53a21aa753bb3932345c87035bf2bedebe43e

memory/4664-12-0x0000020E990F0000-0x0000020E990F1000-memory.dmp

memory/4664-18-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

C:\Users\Admin\alWFwCPZYm.exe

MD5 ee32f219486ce1932227f04eebf658c9
SHA1 4e09377d4c70f802976cdf3e4ca1147031fddb90
SHA256 09dca263933ec219226d1f0da9d886e7c5ddf5fef52f3a0232f8e6fc07a7db5d
SHA512 ca3c4e744bc7f72a21cae45c2155e57cb334d5b98233ed420d6b2de762085621b85564f4a279d7539f704364f3703eff0f9e07ce2fa2a872f1aa3608f9e91940

C:\Users\Admin\alWFwCPZYm.exe

MD5 6b51945da574b5a59949da9ec64634ac
SHA1 4b5d014cd2fbfe841635958f290f2bfb5d6aa8c4
SHA256 b1a7b2f08874731e125d79556afc3fb4689e2472971beb42ff709fe2c15caa8d
SHA512 0a95ec7e5a9726e931c791d89ed218e8ba9c3fcb6fa08ec2b3ee319142773486b3b0531bfddd69f92fec66b4c0715e388193ed4760e924e82bad899528ed620e

memory/1848-30-0x0000000000CB0000-0x0000000000D8E000-memory.dmp

memory/4664-31-0x0000020E990F0000-0x0000020E990F1000-memory.dmp

memory/1848-32-0x0000000005C40000-0x00000000061E4000-memory.dmp

C:\Users\Admin\xXM7jN.exe

MD5 486b2bfa2c194ec6bac4582f90ec5abf
SHA1 92c8fe1a9027a3918b1324ca010ae6bc2cbc6e59
SHA256 9d4a521e9a4370d4fa97783403cfdc12489a2ec8b19c56508aac149491e66517
SHA512 007a7dfc4ea48523c8233bcae086d33106d0dfb6483e2bc270e172180abbd8604112cb74daaf204eb81cceb2e20cab8464491a569467c0fc0c027238f6191275

memory/4664-34-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

memory/1848-33-0x0000000005770000-0x0000000005802000-memory.dmp

memory/1848-62-0x0000000005810000-0x0000000005B64000-memory.dmp

C:\Users\Admin\xXM7jN.exe

MD5 9e5a5cd97d0d2fd85c73eb768b71eafa
SHA1 a67af7b93c92dc65c3cbec84ecc1d82e4b50bf99
SHA256 ac5ba2f18dee1e8f6700e63f5ac09831ebdd725b24b3c83fcf5280023455518c
SHA512 2f44ee8a86277344b0a2c9223e4107f85abd03e57a8c0c8fe7ec2af309559e6a7eea16e6475c157891402e54a79dca09e9250bbbefb5fdb23510ce990ac45007

C:\Users\Admin\xXM7jN.exe

MD5 d1428f4056286654353dce96ec2d51ef
SHA1 5c8b5b9aa451a659e5d131ee290bbcbc27f4b2d8
SHA256 7efded20320193cdab8e8aa636c477d87376a1851b4ac036b2b1b5c94cc77b50
SHA512 2b55969ddf1cf682cc4116ff32ba98626dca16fce4a207e327908b3884fad82d853d5a613ff2ae90d2e8bec265d93d1da9e6bb9958b01778eee1945c8b0f1746

memory/1848-65-0x0000000006310000-0x000000000631A000-memory.dmp

memory/4664-66-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

memory/4664-71-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

memory/1848-70-0x0000000006D60000-0x0000000006D78000-memory.dmp

memory/4664-69-0x0000020E990F0000-0x0000020E990F1000-memory.dmp

memory/4664-75-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

memory/4664-77-0x0000020E990F0000-0x0000020E990F1000-memory.dmp

memory/1848-79-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4664-80-0x0000020E9ABF0000-0x0000020E9AC00000-memory.dmp

memory/4664-81-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

memory/4508-82-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

memory/4664-78-0x0000020E990F0000-0x0000020E990F1000-memory.dmp

memory/4508-83-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4508-84-0x0000000006F80000-0x0000000006F88000-memory.dmp

memory/4508-85-0x00000000070B0000-0x00000000070BC000-memory.dmp

memory/4508-86-0x0000000007540000-0x00000000075EC000-memory.dmp

memory/1848-87-0x0000000009AB0000-0x0000000009B4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp

MD5 3ba1e01e023355281bf152bf2af6bcb7
SHA1 d96da9eb2d2de95775c6af47e4e210d1c0c2e600
SHA256 49c6985bfec5e7f0649ee264697daab57cb7bd77f301ef63bbec57e0156be9f3
SHA512 e56459ca7ad15ca9189ab1cb7024aa1545b9af32bae900db68019bcf2c2eeffa942d45b91bb38639205b47502a6808cadf3ce4016e8415ab9c5f6912686df2f6

memory/2284-95-0x0000000005340000-0x0000000005968000-memory.dmp

memory/2724-96-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2284-97-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/2284-94-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/1848-101-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2724-99-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4664-104-0x0000020E9A970000-0x0000020E9B970000-memory.dmp

memory/2724-118-0x0000000000400000-0x000000000046C000-memory.dmp

memory/4508-120-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2284-119-0x0000000005BA0000-0x0000000005C06000-memory.dmp

memory/2284-117-0x0000000005B30000-0x0000000005B96000-memory.dmp

memory/2284-116-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/2284-121-0x0000000006000000-0x000000000601E000-memory.dmp

memory/4508-115-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

memory/2284-110-0x0000000005270000-0x0000000005292000-memory.dmp

memory/2284-122-0x0000000006020000-0x000000000606C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc5ptew0.w3s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2284-93-0x0000000002720000-0x0000000002756000-memory.dmp

memory/2284-137-0x00000000071F0000-0x0000000007293000-memory.dmp

memory/2284-136-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/2284-135-0x00000000065D0000-0x00000000065EE000-memory.dmp

memory/2284-139-0x0000000007350000-0x000000000736A000-memory.dmp

memory/2284-140-0x00000000073C0000-0x00000000073CA000-memory.dmp

memory/2284-138-0x0000000007990000-0x000000000800A000-memory.dmp

memory/2284-125-0x0000000075540000-0x000000007558C000-memory.dmp

memory/2284-141-0x00000000075D0000-0x0000000007666000-memory.dmp

memory/2284-142-0x0000000007550000-0x0000000007561000-memory.dmp

memory/2284-124-0x0000000006FB0000-0x0000000006FE2000-memory.dmp

memory/2284-123-0x000000007FC10000-0x000000007FC20000-memory.dmp

memory/2284-143-0x0000000007580000-0x000000000758E000-memory.dmp

memory/2284-144-0x0000000007590000-0x00000000075A4000-memory.dmp

memory/2284-146-0x0000000007670000-0x0000000007678000-memory.dmp

memory/2284-145-0x0000000007690000-0x00000000076AA000-memory.dmp

memory/2284-149-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2724-150-0x0000000000400000-0x000000000046C000-memory.dmp