Malware Analysis Report

2024-10-23 19:49

Sample ID 240312-dv4amseh9y
Target f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
SHA256 f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04
Tags
chaos remcos xworm zgrat remotehost persistence ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04

Threat Level: Known bad

The file f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe was found to be: Known bad.

Malicious Activity Summary

chaos remcos xworm zgrat remotehost persistence ransomware rat spyware stealer trojan

Chaos

Xworm

ZGRat

Remcos

Detect ZGRat V1

Detect Xworm Payload

Chaos Ransomware

Detects Windows executables referencing non-Windows User-Agents

Detects command variations typically used by ransomware

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Renames multiple (202) files with added filename extension

Drops startup file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 03:20

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 03:20

Reported

2024-03-12 03:23

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Remcos

rat remcos

Xworm

trojan rat xworm

ZGRat

rat zgrat

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects command variations typically used by ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (202) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sysupdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\Users\Admin\AppData\Local\Temp\sysupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\Users\Admin\AppData\Local\Temp\sysupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\ProgramData\sysupdate\sysupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\ProgramData\sysupdate\sysupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04 = "C:\\Users\\Admin\\AppData\\Roaming\\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe" C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\43vsxyqb2.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\sysupdate.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shout.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\sysupdate\sysupdate.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3884 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\sysupdate.exe
PID 3884 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\sysupdate.exe
PID 3884 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\sysupdate.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3884 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 3164 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\sysupdate.exe C:\ProgramData\sysupdate\sysupdate.exe
PID 3164 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\sysupdate.exe C:\ProgramData\sysupdate\sysupdate.exe
PID 3164 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\sysupdate.exe C:\ProgramData\sysupdate\sysupdate.exe
PID 2056 wrote to memory of 1556 N/A C:\ProgramData\sysupdate\sysupdate.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2056 wrote to memory of 1556 N/A C:\ProgramData\sysupdate\sysupdate.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2056 wrote to memory of 1556 N/A C:\ProgramData\sysupdate\sysupdate.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2056 wrote to memory of 1556 N/A C:\ProgramData\sysupdate\sysupdate.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 1556 wrote to memory of 1092 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1556 wrote to memory of 1092 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1556 wrote to memory of 1092 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1556 wrote to memory of 1092 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1556 wrote to memory of 4644 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 4644 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 4388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4644 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe

"C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe"

C:\Users\Admin\AppData\Local\Temp\sysupdate.exe

"C:\Users\Admin\AppData\Local\Temp\sysupdate.exe"

C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe

C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe

C:\ProgramData\sysupdate\sysupdate.exe

"C:\ProgramData\sysupdate\sysupdate.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://i.imgflip.com/1p7cdj.jpg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9287046f8,0x7ff928704708,0x7ff928704718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17819959161974484079,8529234428873015741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\shout.exe

"C:\Users\Admin\AppData\Local\Temp\shout.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 178.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 gamemodz.duckdns.org udp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 133.96.128.45.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 45.128.96.133:7000 gamemodz.duckdns.org tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 i.imgflip.com udp
US 104.18.255.14:443 i.imgflip.com tcp
US 8.8.8.8:53 14.255.18.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
NL 45.128.96.133:7000 gamemodz.duckdns.org tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\sysupdate.exe

MD5 bdfa7710dfc213d8babcd7348440deeb
SHA1 ecd7d6ad5a3e0cc8c24ce1f12a40b0c86a769f98
SHA256 79ec51c588fccbe876f58de8a0256e27de65aa14f245615c42bd92cc640063fe
SHA512 663eb74fba1e38d3f930c0d73787309f86b85852cbccae1b44d3056a6073a95494c1526dc98d132f84a71e379babc5bd6819e76643f82fcd5591e264825fb2ee

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe.log

MD5 ef1b4e3bfd6facbbb8d6a12f5f5e32de
SHA1 8f3ef66bf86f1697c520303c78b11d58165d146f
SHA256 c652040e1a2f251b1b9e69419d6a53a91e850ea48491b3c54c2ff4a4a2907cd1
SHA512 b6329c2a18217008c5e3544313cd1c7135468c5fb45e5104b9fa2f55a1f14804e66b6b9afcaa8e813cb522f536c06dba32f3afd469c4958a7c57d7df4c0e7315

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1eb86108cb8f5a956fdf48efbd5d06fe
SHA1 7b2b299f753798e4891df2d9cbf30f94b39ef924
SHA256 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512 e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

\??\pipe\LOCAL\crashpad_4644_MTJBWSPTOOLGEGNF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f35bb0615bb9816f562b83304e456294
SHA1 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA256 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512 db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b3b0b9b61a1bb691c806f6bca93c73d8
SHA1 7b22b905ab4b7affa5aaa32956b580b88c5c0526
SHA256 50676629ffbd6ebe20a06bbc18e939d6c0c785dfe192916a653dbac269cebfea
SHA512 e2c591fabc3b12980f907cb01c3cfa237a8611d270ac30a0efc7ace3ad7c815c3940c3fc4cd8655c65ddabd02a5fdf38f4c2bf52047c81124b903943711fbf2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 12686e6e746662a9d6770912c65184d2
SHA1 44025094f6f34e26099c99ed9b95d8c54ea46bdf
SHA256 5e65218ab2d5d6c8353dd5fa909d7ad1e35a092c06cecdd8d1946e041efb0193
SHA512 3ab992672238da9f762ca249b7286a2806590a004436dd9dfec3968309b3f7d80d9df65b818badc60b37236c26a723a5f328e630e34215c98dd9d9ae36cdbd14

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0fd7f7d233f1c953c9d16d12b52f5407
SHA1 761a7f674138fb23b7ac60e1bb489654a49e8e54
SHA256 380a981bd177b00f4c5badd1c59d70d15948e5a337c6191524c5cc37540a1ca6
SHA512 0d686647cdf610b87619f6d86b9f6ddaf49c5204533987edf5ec84c04359e4d4b0886f8b472d000b0993d572ca063a19e6f26c8370556a453d8b0baf4f9d6d7b

C:\Users\Admin\AppData\Local\Temp\shout.exe

MD5 7051dcbe9a0837a312b09a5ae3b42430
SHA1 3553ff8725a57929e438228bf141b695c13cecb4
SHA256 ce750c7054359e9e88556d48f7eea341374b74f494caed48251185b54c9ed644
SHA512 2e82160bff1fbdd6f6a9f0210dfaf831650fdefdf8e3bb70c3c2717122b107ef3610c5c5f55908843df7ba3bd3bbefc40b9d1dda07877083cbd2ab8b090a276c

C:\Users\Admin\Documents\read_it.txt

MD5 ee20a3aaf13c2d8805ede471f1f3ed3c
SHA1 bac14bc149af77885de0f6997fe3f3bf3f9686ad
SHA256 b9afbd14a42e996a8de6eba45b8a6df17a958f1b269913eab89484f62d373919
SHA512 8dea66d1bb1ee359b61fa32e3a45a1d66cf8987fdbec4218ef258b58aaaf9475e77bff2d40f9f28f4a75f321de6f86de6f42ab3cd7afee4e213ffbe3ae03f714

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d77adc90f879235928243a3cb7a14a3b
SHA1 196b4b89bcb3a7cc8d89221c9e38bd20ea114ab6
SHA256 07d732c7bba7df4c5775be3e9e7d9df860a9b50e8d73ee627e8b42126d0ade8a
SHA512 ba5731068cc3f77b0e02cd50f620721f92c83f01eb782cf7129d48d448dc9c4f07085090b56bf1eaa4692303000c64b8bf3e5c387e3f51ef516d940703ac6d84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b21ae766b110e1629786f5da99de89a2
SHA1 4cb98cf651feff75456ef21ff8e783582ad50e17
SHA256 c8e2d1be2bb7db63fdea39880d0f6f4c170540e270b7adeaaaf38994b93a6683
SHA512 0ad80718132200b865696c208e545ac1b982378424ba9ecd754a5adf87f9e6a0ac3a7f19c516dbe883e7cbd82e0d6c8b0970fd6ad47e0e2a8647e4ef5f96857c

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 03:20

Reported

2024-03-12 03:23

Platform

win7-20240221-en

Max time kernel

168s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Remcos

rat remcos

Xworm

trojan rat xworm

ZGRat

rat zgrat

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sysupdate.exe N/A
N/A N/A C:\ProgramData\sysupdate\sysupdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\ProgramData\sysupdate\sysupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\ProgramData\sysupdate\sysupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04 = "C:\\Users\\Admin\\AppData\\Roaming\\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe" C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\Users\Admin\AppData\Local\Temp\sysupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-FEY33U = "\"C:\\ProgramData\\sysupdate\\sysupdate.exe\"" C:\Users\Admin\AppData\Local\Temp\sysupdate.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\sysupdate\sysupdate.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\sysupdate.exe
PID 2932 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe
PID 2372 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\sysupdate.exe C:\ProgramData\sysupdate\sysupdate.exe
PID 2444 wrote to memory of 2656 N/A C:\ProgramData\sysupdate\sysupdate.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2656 wrote to memory of 2780 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe

"C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe"

C:\Users\Admin\AppData\Local\Temp\sysupdate.exe

"C:\Users\Admin\AppData\Local\Temp\sysupdate.exe"

C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe

C:\Users\Admin\AppData\Local\Temp\f0ebd23eac064a10da288dbf3b9db45bdf5e107c970e57f7974710cad01aed04.exe

C:\ProgramData\sysupdate\sysupdate.exe

"C:\ProgramData\sysupdate\sysupdate.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 gamemodz.duckdns.org udp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 45.128.96.133:7000 gamemodz.duckdns.org tcp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp
NL 45.128.96.133:2404 gamemodz.duckdns.org tcp

Files

\Users\Admin\AppData\Local\Temp\sysupdate.exe

MD5 bdfa7710dfc213d8babcd7348440deeb
SHA1 ecd7d6ad5a3e0cc8c24ce1f12a40b0c86a769f98
SHA256 79ec51c588fccbe876f58de8a0256e27de65aa14f245615c42bd92cc640063fe
SHA512 663eb74fba1e38d3f930c0d73787309f86b85852cbccae1b44d3056a6073a95494c1526dc98d132f84a71e379babc5bd6819e76643f82fcd5591e264825fb2ee
