Malware Analysis Report

2025-01-02 05:55

Sample ID 240425-19b62afh67
Target 35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e
SHA256 35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e
Tags sectoprat stealc rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e

Threat Level: Known bad

The file 35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e was found to be: Known bad.

Malicious Activity Summary

sectoprat stealc rat stealer trojan

Stealc

SectopRAT payload

SectopRAT

Detects Arechclient2 RAT

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-25 22:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-25 22:20

Reported 2024-04-25 22:25

Platform win7-20240220-en

Max time kernel 287s

Max time network 288s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe"

Signatures

Detects Arechclient2 RAT

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t8.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2820 set thread context of 340 N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 340 set thread context of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.0.exe
PID 2348 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.0.exe
PID 2348 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.0.exe
PID 2348 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.0.exe
PID 2348 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe
PID 2348 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe
PID 2348 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe
PID 2348 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe
PID 2348 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe
PID 2348 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe
PID 2348 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe
PID 2820 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 340 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 340 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 340 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 340 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 340 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe

"C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe"

C:\Users\Admin\AppData\Local\Temp\u1t8.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1t8.0.exe"

C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.203:80 185.172.128.203 tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.111:80 185.172.128.111 tcp
RU 91.215.85.66:15647 tcp

Files

memory/2348-2-0x0000000002CC0000-0x0000000002D2D000-memory.dmp

memory/2348-1-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2348-3-0x0000000000400000-0x0000000002C46000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1t8.0.exe

MD5 500ff9106af81f784b40acb38342f01e
SHA1 fa28d68a241db1ff4a40c5659b65d6cb1b4ae9bc
SHA256 55f2a97acc89f9991574ab48d97722932ed4006c589c9128475562cd6c5c2b8d
SHA512 a0e1a7d91522fe1c219f4f62568dc5b517b8a36a30c2a8ba19e4deec1ba7602186aeb31b19c00202ea777704c1366e435c131e901bb02e34a0e22ed9979ee6f3

memory/2112-21-0x0000000000270000-0x0000000000297000-memory.dmp

memory/2112-20-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/2112-22-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2112-23-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U1T81~1.ZIP

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

\Users\Admin\AppData\Local\Temp\u1t8.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\u1t8.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\u1t8.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

C:\Users\Admin\AppData\Local\Temp\u1t8.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

memory/2348-114-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/2348-108-0x0000000000400000-0x0000000002C46000-memory.dmp

memory/2820-115-0x0000000074070000-0x00000000741E4000-memory.dmp

memory/2820-116-0x0000000077350000-0x00000000774F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1t8.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/2820-122-0x0000000074070000-0x00000000741E4000-memory.dmp

memory/2820-123-0x0000000074070000-0x00000000741E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a2cafd66

MD5 fc2e9802da61e1a1dcf4970c4e95d233
SHA1 6db7ee4dd0057ef1af505c1c0057cd44f12d7745
SHA256 a314b64dd25b7ee51a18fe989dd312e2b38b0065c21d5f3fc3614db08cdc4e53
SHA512 d09497b3124273cd68333cccd38efac6beb3fcdb5f47ef9d752ae1af2ee255495307383ef0a76c990192df7b0562f3d479bb68b2928fe69e2a17b5dda959a353

memory/340-125-0x0000000074070000-0x00000000741E4000-memory.dmp

memory/340-127-0x0000000077350000-0x00000000774F9000-memory.dmp

memory/340-173-0x0000000074070000-0x00000000741E4000-memory.dmp

memory/340-174-0x0000000074070000-0x00000000741E4000-memory.dmp

memory/340-177-0x0000000074070000-0x00000000741E4000-memory.dmp

memory/2248-178-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2248-179-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2248-176-0x0000000072980000-0x00000000739E2000-memory.dmp

memory/2248-180-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2248-181-0x0000000072290000-0x000000007297E000-memory.dmp

memory/2248-182-0x0000000000C70000-0x0000000000CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp99B2.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/2248-192-0x0000000072290000-0x000000007297E000-memory.dmp

memory/2248-193-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-25 22:20

Reported 2024-04-25 22:25

Platform win10-20240404-en

Max time kernel 282s

Max time network 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe"

Signatures

Detects Arechclient2 RAT

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uz8.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4832 set thread context of 4428 N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 set thread context of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\uz8.0.exe
PID 1268 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\uz8.0.exe
PID 1268 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\uz8.0.exe
PID 1268 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe
PID 1268 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe
PID 1268 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe
PID 4832 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4428 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4428 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4428 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4428 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe

"C:\Users\Admin\AppData\Local\Temp\35ca9546e5e3978eb88d48a3707f8b8f706ca9ad92a8354d5e3d16f1c093aa0e.exe"

C:\Users\Admin\AppData\Local\Temp\uz8.0.exe

"C:\Users\Admin\AppData\Local\Temp\uz8.0.exe"

C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.203:80 185.172.128.203 tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 203.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
US 8.8.8.8:53 106.76.97.176.in-addr.arpa udp
DE 185.172.128.111:80 185.172.128.111 tcp
US 8.8.8.8:53 111.128.172.185.in-addr.arpa udp
RU 91.215.85.66:15647 tcp
US 8.8.8.8:53 66.85.215.91.in-addr.arpa udp
RU 91.215.85.66:9000 tcp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1268-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

memory/1268-2-0x00000000030D0000-0x000000000313D000-memory.dmp

memory/1268-3-0x0000000000400000-0x0000000002C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uz8.0.exe

MD5 500ff9106af81f784b40acb38342f01e
SHA1 fa28d68a241db1ff4a40c5659b65d6cb1b4ae9bc
SHA256 55f2a97acc89f9991574ab48d97722932ed4006c589c9128475562cd6c5c2b8d
SHA512 a0e1a7d91522fe1c219f4f62568dc5b517b8a36a30c2a8ba19e4deec1ba7602186aeb31b19c00202ea777704c1366e435c131e901bb02e34a0e22ed9979ee6f3

memory/836-10-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

memory/836-11-0x0000000002450000-0x0000000002477000-memory.dmp

memory/836-12-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uz8.1.zip

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

memory/836-14-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uz8.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/1268-88-0x0000000000400000-0x0000000002C46000-memory.dmp

memory/1268-89-0x00000000030D0000-0x000000000313D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uz8.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\uz8.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\uz8.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/4832-95-0x0000000072470000-0x00000000725EB000-memory.dmp

memory/4832-96-0x00007FFED5710000-0x00007FFED58EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uz8.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/4832-102-0x0000000072470000-0x00000000725EB000-memory.dmp

memory/4832-103-0x0000000072470000-0x00000000725EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25cbf1f2

MD5 19a21e5f6de65a880be68ff953d9a1ea
SHA1 456d54201444a7cb9d09f117ef7d6889f4843304
SHA256 92dab138ae61ff8e9f50e3cbc3f6723ab522604ec80bfb5d8c39a4d8f868b6e3
SHA512 6dc707d31f1f5c910e8d1d8693d14a238e2ec13962a0a25ce1291856a8da944ac00eb9e8a864fc09c14cd441df28a80132a12ac165de92831b132d2f17379145

memory/4428-105-0x0000000072470000-0x00000000725EB000-memory.dmp

memory/4428-107-0x00007FFED5710000-0x00007FFED58EB000-memory.dmp

memory/4428-109-0x0000000072470000-0x00000000725EB000-memory.dmp

memory/4428-110-0x0000000072470000-0x00000000725EB000-memory.dmp

memory/4428-113-0x0000000072470000-0x00000000725EB000-memory.dmp

memory/1536-112-0x0000000072A30000-0x0000000073DB3000-memory.dmp

memory/1536-116-0x0000000000900000-0x00000000009C6000-memory.dmp

memory/1536-117-0x0000000072240000-0x000000007292E000-memory.dmp

memory/1536-118-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/1536-119-0x0000000005410000-0x000000000590E000-memory.dmp

memory/1536-120-0x0000000005100000-0x0000000005110000-memory.dmp

memory/1536-121-0x0000000005110000-0x00000000052D2000-memory.dmp

memory/1536-122-0x0000000004F10000-0x0000000004F86000-memory.dmp

memory/1536-123-0x0000000004F90000-0x0000000004FE0000-memory.dmp

memory/1536-124-0x00000000028A0000-0x00000000028AA000-memory.dmp

memory/1536-125-0x0000000005F40000-0x000000000646C000-memory.dmp

memory/1536-126-0x0000000005A10000-0x0000000005A2E000-memory.dmp

memory/1536-127-0x0000000005AD0000-0x0000000005B36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2306.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/1536-137-0x0000000007450000-0x000000000745A000-memory.dmp

memory/1536-138-0x0000000072240000-0x000000007292E000-memory.dmp

memory/1536-139-0x0000000005100000-0x0000000005110000-memory.dmp