Malware Analysis Report

2024-08-06 12:11

Sample ID 240616-f1zwhsvfkk
Target 3c6fd2d056ed6d09b0ac9d34de202353.exe
SHA256 b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c
Tags
asyncrat quasar 05kan24 discovery persistence rat spyware trojan njrat evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c

Threat Level: Known bad

The file 3c6fd2d056ed6d09b0ac9d34de202353.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat quasar 05kan24 discovery persistence rat spyware trojan njrat evasion

njRAT/Bladabindi

AsyncRat

Quasar payload

Quasar RAT

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 05:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:23

Platform

win7-20240508-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe"

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Id990 = "\"C:\\Users\\Admin\\Id990.exe\"" C:\Users\Admin\AppData\Roaming\Id990.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\IwUp238 = "\"C:\\Users\\Admin\\IwUp238.exe\"" C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ijr314 = "\"C:\\Users\\Admin\\Ijr314.exe\"" C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2724 set thread context of 1536 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2436 set thread context of 1960 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … (blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … (blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … (blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … (blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; (×N) is the number of times the sandbox recorded that row.
Description Indicator Process Target
PID 1680 wrote to memory of 2724 (×4) N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 2724 wrote to memory of 1536 (×12) N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1680 wrote to memory of 1656 (×4) N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 1656 wrote to memory of 2528 (×5) N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1680 wrote to memory of 2436 (×4) N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 2436 wrote to memory of 1960 (×12) N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1680 wrote to memory of 2804 (×7) N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1960 wrote to memory of 276 (×4) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\SysWOW64\cmd.exe
PID 276 wrote to memory of 3040 (×4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 276 wrote to memory of 2976 (×4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 276 wrote to memory of 2240 (×4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe

"C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe"

C:\Users\Admin\AppData\Roaming\IwUp238.exe

"C:\Users\Admin\AppData\Roaming\IwUp238.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

"C:\Users\Admin\AppData\Local\Temp\Ijr314.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Roaming\Id990.exe

"C:\Users\Admin\AppData\Roaming\Id990.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc.\Adobe Installer\Set-up.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwFdXi9sizUj.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4Mekey.myftp.biz udp (×10 identical queries)

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

MD5 be6e111b039a5eddab2c5c88c5f3d200
SHA1 3e495ef72dc30d6dc7319be0ec1e64d71a632e4a
SHA256 d9d9dfddd64dd6d88ded3afb179a070f01eb90c340c69533c70ba06586ff8375
SHA512 f0f0f59e70262bbd9f5cbd8cbf2b27c7366612a2cded275a3ac71e9119ef65f2803ff35f7f3aa71a2b906d0bde9e3e464b2f65028162eedbea8eded6e25dcb79

C:\Users\Admin\AppData\Roaming\IwUp238.exe

MD5 1664a1b751a6665b8ad9c0b4348e4b19
SHA1 b51a9e38e90e5b8ae789c86e5b56ba97afc850fd
SHA256 86233f6c47eb5b7234e1003d5c3df42277bda1155512ae7f47dde2bb69964372
SHA512 ad7b2f29d9ba94815bf25a56351537de0e407dbb1073cc2cc4e129bb7c41091c099822c3dd7fe0916e6e9f57fb56169dbd783504b2692f4e1bc3670e28134294

memory/1536-38-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1536-42-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1536-40-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

MD5 c0198a9b2eab8625477a1885ef9e0e98
SHA1 d356f1284ff024f11efcc6d0cd46f506cf2cbc0c
SHA256 6b7776dc092f393043225c45df6cdd99c9608f42b532e200d14d66a3c3cef673
SHA512 b9e15810cd749f1593300eb8ae647ffddefb1c3020cec09d6a7c02e3277d01911394571716c134a35da29694bfc3f030e7fa1ddb272e702fcd4503b42deeda09

\Users\Admin\AppData\Roaming\Id990.exe

MD5 3ddcc9725522f1921b2885a6f307686e
SHA1 ab8845101a15fc6c2ef7be6b881b3e372ccb300d
SHA256 4b19319cd0497380b07d3f471a9cac9d181bfddf665a1ee35715d520fb0ea30e
SHA512 8409cd6f521d39a832c7d427e3af807eedda52de30a2f0be6c3a655be8808e4b461921f234739f7753c0a7d8cc30e4ed8b55b6a136435dbd01367823af777d2a

memory/1960-59-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1960-60-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1960-61-0x0000000000400000-0x0000000000724000-memory.dmp

\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 de70f0deed893bba56ccb78eafd59606
SHA1 f351b0c2996a3573d36deab9b6b3961876189f71
SHA256 b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d
SHA512 86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

C:\Users\Admin\AppData\Local\Temp\Cab2CDC.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/1680-93-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar5C39.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\IwFdXi9sizUj.bat

MD5 6c99630d892cb07aed4f5bcf4cc51f27
SHA1 d5d2dce6002b88ecb30738246d98cbfbbbf77ff9
SHA256 52760581978378726b26c2a4c7560768e241e2ffdb3f28675dcbf0aa6a287fa1
SHA512 efffaa8127ee3df1cbcc900aecfdb574f233ea84653302cb34e46c50bc189170c0c822f4480a4f17a4a9d061c88ef59c39eceaaf26230e3e9346c1d6a4523bf5

memory/2240-118-0x0000000000E80000-0x0000000000E8C000-memory.dmp

memory/1680-139-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:23

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe"

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ijr314 = "\"C:\\Users\\Admin\\Ijr314.exe\"" C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Id990 = "\"C:\\Users\\Admin\\Id990.exe\"" C:\Users\Admin\AppData\Roaming\Id990.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IwUp238 = "\"C:\\Users\\Admin\\IwUp238.exe\"" C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A
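
In both detonations (the win7 table earlier in this report and the win10 table above) the three Run values are named after the dropped binaries and point at C:\Users\Admin\<name>.exe, while the processes that wrote them run from AppData\Roaming and AppData\Local\Temp, and the Files section lists no copy under C:\Users\Admin\ itself. The following audit is an added example written for this page, not code from the sandbox vendor: it parses the Run rows as the report prints them (REG_SZ data shown as a quoted, backslash-escaped string), recovers the program each value launches, and grades an entry by whether the target sits in a user profile and whether the binary that registered it is a same-named file in a different directory. The three report rows are reproduced as constructed input; the fourth row, with a Contoso vendor path, is hypothetical and only shows what is not flagged.

```python
import re
from ntpath import basename, splitext

# Sandbox rows:  Set value (str) \REGISTRY\USER\<SID>\...\CurrentVersion\Run\<name> = "<escaped data>" <writer> N/A
RUN_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*\\CurrentVersion\\Run\\(?P<name>[^\\ ]+)) '
    r'= "(?P<data>.*)" (?P<writer>C:\\.*?) N/A$', re.I)
USER_PROFILE = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)

# Three rows from the win7 detonation of this report plus one constructed, benign-looking row
# (hypothetical vendor path, not from the report) to show what is not flagged.
RUN_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Id990 = "\"C:\\Users\\Admin\\Id990.exe\"" C:\Users\Admin\AppData\Roaming\Id990.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\IwUp238 = "\"C:\\Users\\Admin\\IwUp238.exe\"" C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ijr314 = "\"C:\\Users\\Admin\\Ijr314.exe\"" C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater = "\"C:\\Program Files\\Contoso Updater\\updater.exe\" /silent" C:\Program Files\Contoso Updater\updater.exe N/A',
]


def unescape(s):
    # The report prints REG_SZ data as a quoted string with backslash escapes; undo them.
    return re.sub(r"\\(.)", r"\1", s)


def target_exe(value):
    """The program a Run value launches: the quoted path, or everything up to the first space."""
    return value[1:value.index('"', 1)] if value.startswith('"') else value.split(" ", 1)[0]


def audit_run_rows(rows):
    findings = []
    for row in rows:
        m = RUN_ROW.match(row)
        if not m:
            continue
        target, writer = target_exe(unescape(m["data"])), m["writer"]
        in_profile = bool(USER_PROFILE.match(target))
        # An autorun inside the user's profile is worth a look; one registered by a same-named
        # binary sitting somewhere else (the dropper has not put a copy at the target yet) is the
        # pattern these RAT installers leave behind.
        severity = "info"
        if in_profile:
            severity = "high" if target.lower() != writer.lower() else "medium"
        findings.append({
            "value_name": m["name"], "target": target, "writer": writer,
            "in_user_profile": in_profile,
            "named_after_binary": m["name"].lower() == splitext(basename(target))[0].lower(),
            "same_binary_as_writer": basename(target).lower() == basename(writer).lower(),
            "severity": severity,
        })
    return findings
```

audit_run_rows(RUN_ROWS) grades the three report entries "high" and the constructed Program Files entry "info". On a live host the equivalent check enumerates HKCU and HKLM ...\CurrentVersion\Run, resolves each value to its executable, and confirms the file exists, is signed and does not live in a user-writable path; here the target files would not even exist at the registered location on the sandbox image.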

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … (blob omitted) C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
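
"Modifies system certificate store" deserves a closer look before it is read as evasion. The Blob written under AuthRoot\Certificates\5FB7EE06… (in the win7 table earlier in this report and in the win10 table above) is the serialized property list Windows keeps per certificate: a sequence of DWORD property id, DWORD reserved (always 1), DWORD length, data, with the DER certificate itself under property 32. Decoding it, as the added example below does, shows a self-signed root with subject CN "DigiCert High Assurance EV Root CA", serial 02ac5c266a0b409b8f0b79f2ae462577, whose SHA-1 equals both the stored property 3 and the registry key name, and whose SHA-256 equals property 98. A public root landing in AuthRoot is what Windows' automatic root update does when a process (here the dropped Set-up.exe) builds a chain to a root not yet cached locally, so on this page the signature is a side effect of certificate validation rather than evidence of a rogue root; an attacker-installed root would decode to an unfamiliar subject and a thumbprint no trusted-root program lists. The blob for the other key (0563B863…) is omitted on this page and cannot be checked the same way. The code is written for this page, not taken from the sandbox vendor; the hex is transcribed from the win10 row above, and the property-id names in the comments are the wincrypt.h CERT_*_PROP_ID values.

```python
import hashlib
import struct

OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3

# X.501 Name that is both issuer and subject of this self-signed root:
# C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
_NAME = ("306c310b300906035504061302555331153013060355040a130c446967694365727420496e63"
         "31193017060355040b13107777772e64696769636572742e636f6d"
         "312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341")

# The Blob written under AuthRoot\Certificates\5FB7EE06...\ in the win10 detonation of this report.
# Layout: DWORD propid, DWORD reserved (=1), DWORD size, data, repeated until the end of the value.
AUTHROOT_BLOB_HEX = "".join([
    "040000000100000010000000d474de575c39b2d39c8583c5c065498a",                      # 4: MD5 hash
    "0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8",              # 15: signature hash
    "530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0",
    "301b060567810c010330123010060a2b0601040182373c0101030200c0",                    # 83: root program policies
    "090000000100000034000000303206082b0601050507030206082b06010505070303",
    "06082b0601050507030406082b0601050507030106082b06010505070308",                  # 9: enhanced key usage
    "6200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf",  # 98: SHA-256
    "140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc3",              # 20: key identifier
    "0b0000000100000012000000440069006700690043006500720074000000",                  # 11: friendly name (UTF-16)
    "1d00000001000000100000008f76b981d528ad4770088245e2031b63",                      # 29: subject name MD5
    "0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25",              # 3: SHA-1 hash
    "190000000100000010000000ba4f3972e7aed9dccdc210db59da13c9",                      # 25: public key MD5
    "2000000001000000c9030000",                                                      # 32: DER certificate (969 bytes)
    "308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500",
    _NAME, "301e170d3036313131303030303030305a170d3331313131303030303030305a", _NAME,
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",
    "c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1c",
    "b05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f7",
    "4aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e3",
    "06e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8d",
    "b3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c",
    "89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55",
    "db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0a",
    "a838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb",
    "0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff",
    "301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3",
    "301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3",
    "300d06092a864886f70d01010505000382010100",
    "1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af3",
    "7ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5",
    "219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e355",
    "47316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b",
    "318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b",
    "0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4",
    "ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9c",
    "bf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a",
])


def parse_cert_blob(blob):
    """Split a SystemCertificates Blob value into {propid: raw bytes}."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, _reserved, size = struct.unpack_from("<III", blob, off)
        props[prop_id] = blob[off + 12:off + 12 + size]
        off += 12 + size
    return props


def der_tlv(buf, off):
    """Decode one DER tag-length-value at off; returns (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_children(content):
    off = 0
    while off < len(content):
        tag, value, off = der_tlv(content, off)
        yield tag, value


def tbs_fields(der):
    """tbsCertificate children: [0] version, serialNumber, signature, issuer, validity, subject, ..."""
    _, cert, _ = der_tlv(der, 0)
    return list(der_children(next(der_children(cert))[1]))


def subject_cn(der):
    fields = tbs_fields(der)
    subject = fields[5][1] if fields[0][0] == 0xA0 else fields[4][1]   # v1 certs have no [0] version
    for _, rdn in der_children(subject):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = list(der_children(atv))
            if oid == OID_COMMON_NAME:
                return value.decode()
    return None


def check_authroot_entry(key_thumbprint, blob_hex):
    """Decode the Blob and confirm the registry key name really is the SHA-1 of the stored cert."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[32]                                                    # CERT_CERT_PROP_ID
    return {
        "property_ids": sorted(props),
        "subject_cn": subject_cn(der),
        "serial": tbs_fields(der)[1][1].hex(),
        "friendly_name": props[11].decode("utf-16-le").rstrip("\0"),   # CERT_FRIENDLY_NAME_PROP_ID
        "sha1_matches_key": hashlib.sha1(der).hexdigest() == key_thumbprint.lower() == props[3].hex(),
        "sha256_matches_prop": hashlib.sha256(der).hexdigest() == props[98].hex(),
        "md5_matches_prop": hashlib.md5(der).hexdigest() == props[4].hex(),
    }
```

check_authroot_entry("5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", AUTHROOT_BLOB_HEX) reports the DigiCert subject, the serial above, friendly name "DigiCert" and all three hash checks passing. The same parser reads the Blob values exported from a live machine's HKLM\SOFTWARE\Microsoft\SystemCertificates\Root and \AuthRoot keys; an entry whose computed SHA-1 does not match its key name, or whose subject is unknown, is the one to escalate.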

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) (×17, alternating with the next row) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege (×17) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 3484 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1968 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 3484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2684 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3484 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 3484 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2868 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3484 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3484 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3484 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 4720 wrote to memory of 2124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 4720 wrote to memory of 2124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 4720 wrote to memory of 2124 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 208 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2444 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2444 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2444 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2444 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2444 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2444 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2444 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2444 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe

"C:\Users\Admin\AppData\Local\Temp\3c6fd2d056ed6d09b0ac9d34de202353.exe"

C:\Users\Admin\AppData\Roaming\IwUp238.exe

"C:\Users\Admin\AppData\Roaming\IwUp238.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

"C:\Users\Admin\AppData\Local\Temp\Ijr314.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Roaming\Id990.exe

"C:\Users\Admin\AppData\Roaming\Id990.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssrCmZ8DtWqt.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

MD5 be6e111b039a5eddab2c5c88c5f3d200
SHA1 3e495ef72dc30d6dc7319be0ec1e64d71a632e4a
SHA256 d9d9dfddd64dd6d88ded3afb179a070f01eb90c340c69533c70ba06586ff8375
SHA512 f0f0f59e70262bbd9f5cbd8cbf2b27c7366612a2cded275a3ac71e9119ef65f2803ff35f7f3aa71a2b906d0bde9e3e464b2f65028162eedbea8eded6e25dcb79

C:\Users\Admin\AppData\Roaming\IwUp238.exe

MD5 1664a1b751a6665b8ad9c0b4348e4b19
SHA1 b51a9e38e90e5b8ae789c86e5b56ba97afc850fd
SHA256 86233f6c47eb5b7234e1003d5c3df42277bda1155512ae7f47dde2bb69964372
SHA512 ad7b2f29d9ba94815bf25a56351537de0e407dbb1073cc2cc4e129bb7c41091c099822c3dd7fe0916e6e9f57fb56169dbd783504b2692f4e1bc3670e28134294

memory/3288-41-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

MD5 c0198a9b2eab8625477a1885ef9e0e98
SHA1 d356f1284ff024f11efcc6d0cd46f506cf2cbc0c
SHA256 6b7776dc092f393043225c45df6cdd99c9608f42b532e200d14d66a3c3cef673
SHA512 b9e15810cd749f1593300eb8ae647ffddefb1c3020cec09d6a7c02e3277d01911394571716c134a35da29694bfc3f030e7fa1ddb272e702fcd4503b42deeda09

memory/3288-51-0x000000007312E000-0x000000007312F000-memory.dmp

memory/4720-54-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4720-57-0x0000000005350000-0x00000000053EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Id990.exe

MD5 3ddcc9725522f1921b2885a6f307686e
SHA1 ab8845101a15fc6c2ef7be6b881b3e372ccb300d
SHA256 4b19319cd0497380b07d3f471a9cac9d181bfddf665a1ee35715d520fb0ea30e
SHA512 8409cd6f521d39a832c7d427e3af807eedda52de30a2f0be6c3a655be8808e4b461921f234739f7753c0a7d8cc30e4ed8b55b6a136435dbd01367823af777d2a

memory/4720-65-0x00000000059A0000-0x0000000005F44000-memory.dmp

memory/208-68-0x0000000000400000-0x0000000000724000-memory.dmp

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 de70f0deed893bba56ccb78eafd59606
SHA1 f351b0c2996a3573d36deab9b6b3961876189f71
SHA256 b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d
SHA512 86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

memory/208-78-0x00000000055B0000-0x0000000005642000-memory.dmp

memory/208-83-0x0000000005590000-0x000000000559A000-memory.dmp

memory/208-84-0x0000000006600000-0x0000000006C18000-memory.dmp

memory/208-85-0x0000000006150000-0x00000000061A0000-memory.dmp

memory/208-86-0x00000000063C0000-0x0000000006472000-memory.dmp

memory/3484-87-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ssrCmZ8DtWqt.bat

MD5 ae70aa448a28735e47cd42ec55225e8f
SHA1 ab9f81fa7096d069d91bf60c6f37e791f5032579
SHA256 34713c6c8a76b6b7faf8d78aa134bbd4ca961802b978fbddad01bca92fe27c5e
SHA512 50d6d155ee093df2e26fbececd69700d9114295c59867a1c0abfb313cfbf4b822a147c430dbe202b1c11f96b64a76010758625269c9a0f3fec138ad510bf8945

memory/972-95-0x0000000000870000-0x000000000087C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

MD5 38b07cd5da5c740e9629fd801dc26e5a
SHA1 42816159ab9367165cf58603b09b134d488c1690
SHA256 20049cc7ade63a31f442dfd2b99740f0512fdcc764266b8b105292e30d2b7483
SHA512 1769ffefe181531476e10311295f38d11b85b5ec3710000b5cb081675e5f233792f96bb4178b75fd0e2cfc86965e7368173d22799a1e9fa3317ddd49047fab5a

memory/972-96-0x0000000001800000-0x000000000181A000-memory.dmp

memory/3288-97-0x000000007312E000-0x000000007312F000-memory.dmp

memory/3484-100-0x0000000000400000-0x0000000000448000-memory.dmp