Malware Analysis Report

2024-09-11 15:39

Sample ID 240616-tsmswazdmg
Target @!SetUp_99705_!KéyCo͍dé#.zip
SHA256 d782a9f81bb7ea25e801c33f4d6fdec37db59c90f22241f27079d0197be42737
Tags
amadey stealc vidar xmrig ffb1b9 discovery miner spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d782a9f81bb7ea25e801c33f4d6fdec37db59c90f22241f27079d0197be42737

Threat Level: Known bad

The file @!SetUp_99705_!KéyCo͍dé#.zip was found to be: Known bad.

Malicious Activity Summary

amadey stealc vidar xmrig ffb1b9 discovery miner spyware stealer trojan upx

Detect Vidar Stealer

Amadey

xmrig

Stealc

Vidar

XMRig Miner payload

Reads data files stored by FTP clients

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-16 16:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:10

Platform

win11-20240508-en

Max time kernel

1789s

Max time network

1798s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:18

Platform

win11-20240611-en

Max time kernel

1485s

Max time network

1508s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:19

Platform

win11-20240611-en

Max time kernel

1486s

Max time network

1511s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Network

Country Destination Domain Proto
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:14

Platform

win11-20240611-en

Max time kernel

1483s

Max time network

1508s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\x86\HDHelper_[0MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:16

Platform

win11-20240419-en

Max time kernel

1742s

Max time network

1752s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:19

Platform

win11-20240611-en

Max time kernel

1485s

Max time network

1509s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-math-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-math-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:20

Platform

win11-20240611-en

Max time kernel

1483s

Max time network

1508s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-process-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-process-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:15

Platform

win11-20240508-en

Max time kernel

1723s

Max time network

1733s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.21:443 tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:18

Platform

win11-20240508-en

Max time kernel

1743s

Max time network

1753s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-timezone-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-timezone-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:18

Platform

win11-20240508-en

Max time kernel

1738s

Max time network

1750s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:18

Platform

win11-20240611-en

Max time kernel

1485s

Max time network

1510s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:10

Platform

win11-20240508-en

Max time kernel

1741s

Max time network

1752s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp140.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:13

Platform

win11-20240508-en

Max time kernel

1741s

Max time network

1751s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140_1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:15

Platform

win11-20240611-en

Max time kernel

1487s

Max time network

1512s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\x86\VSLauncher_[0MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:17

Platform

win11-20240508-en

Max time kernel

1665s

Max time network

1676s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-sysinfo-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-sysinfo-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:11

Platform

win11-20240611-en

Max time kernel

1799s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\JJJJEBGDAF.exe N/A
N/A N/A C:\ProgramData\KJKEHIIJJE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2112 set thread context of 3364 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 4996 set thread context of 2748 N/A C:\ProgramData\JJJJEBGDAF.exe C:\Windows\SysWOW64\ftp.exe
PID 1460 set thread context of 2328 N/A C:\ProgramData\KJKEHIIJJE.exe C:\Windows\SysWOW64\ftp.exe
PID 2328 set thread context of 2764 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2764 set thread context of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 3204 set thread context of 4080 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 4080 set thread context of 424 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3872 set thread context of 1304 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 1304 set thread context of 176 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3724 set thread context of 3236 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3236 set thread context of 1916 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4592 set thread context of 1124 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 1124 set thread context of 4420 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2392 set thread context of 948 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 948 set thread context of 5064 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\ProgramData\JJJJEBGDAF.exe N/A
N/A N/A C:\ProgramData\KJKEHIIJJE.exe N/A
N/A N/A C:\ProgramData\JJJJEBGDAF.exe N/A
N/A N/A C:\ProgramData\KJKEHIIJJE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\ProgramData\JJJJEBGDAF.exe N/A
N/A N/A C:\ProgramData\KJKEHIIJJE.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2112 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2112 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2112 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 3364 wrote to memory of 3640 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3364 wrote to memory of 3640 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3364 wrote to memory of 3640 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3364 wrote to memory of 3640 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3364 wrote to memory of 3640 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3640 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\JJJJEBGDAF.exe
PID 3640 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\JJJJEBGDAF.exe
PID 3640 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\JJJJEBGDAF.exe
PID 3640 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\KJKEHIIJJE.exe
PID 3640 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\KJKEHIIJJE.exe
PID 3640 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\KJKEHIIJJE.exe
PID 4996 wrote to memory of 2748 N/A C:\ProgramData\JJJJEBGDAF.exe C:\Windows\SysWOW64\ftp.exe
PID 4996 wrote to memory of 2748 N/A C:\ProgramData\JJJJEBGDAF.exe C:\Windows\SysWOW64\ftp.exe
PID 4996 wrote to memory of 2748 N/A C:\ProgramData\JJJJEBGDAF.exe C:\Windows\SysWOW64\ftp.exe
PID 1460 wrote to memory of 2328 N/A C:\ProgramData\KJKEHIIJJE.exe C:\Windows\SysWOW64\ftp.exe
PID 1460 wrote to memory of 2328 N/A C:\ProgramData\KJKEHIIJJE.exe C:\Windows\SysWOW64\ftp.exe
PID 1460 wrote to memory of 2328 N/A C:\ProgramData\KJKEHIIJJE.exe C:\Windows\SysWOW64\ftp.exe
PID 3640 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2560 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2560 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4996 wrote to memory of 2748 N/A C:\ProgramData\JJJJEBGDAF.exe C:\Windows\SysWOW64\ftp.exe
PID 1460 wrote to memory of 2328 N/A C:\ProgramData\KJKEHIIJJE.exe C:\Windows\SysWOW64\ftp.exe
PID 2748 wrote to memory of 2880 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2748 wrote to memory of 2880 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2748 wrote to memory of 2880 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2748 wrote to memory of 2880 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2328 wrote to memory of 2764 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2764 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2764 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2764 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2764 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2764 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2764 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2764 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 3204 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3204 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3204 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3204 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 4080 wrote to memory of 424 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4080 wrote to memory of 424 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4080 wrote to memory of 424 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4080 wrote to memory of 424 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3872 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3872 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3872 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3872 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 1304 wrote to memory of 176 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1304 wrote to memory of 176 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1304 wrote to memory of 176 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1304 wrote to memory of 176 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3724 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3724 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3724 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe
PID 3724 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Roaming\help\fxcloud.exe C:\Windows\SysWOW64\ftp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\ProgramData\JJJJEBGDAF.exe

"C:\ProgramData\JJJJEBGDAF.exe"

C:\ProgramData\KJKEHIIJJE.exe

"C:\ProgramData\KJKEHIIJJE.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFHDGDGIIDGC" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Users\Admin\AppData\Roaming\help\fxcloud.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 feeldog.xyz udp
US 172.67.133.78:443 feeldog.xyz tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
AU 40.79.173.41:443 tcp
NL 149.154.167.99:443 t.me tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 104.21.16.123:443 businessdownloads.ltd tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 199.232.196.193:443 i.imgur.com tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
FI 135.181.22.88:80 135.181.22.88 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
N/A 224.0.0.251:5353 udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp

Files

memory/2112-0-0x00007FFA03BA0000-0x00007FFA03D1A000-memory.dmp

memory/2112-11-0x00007FFA03BB8000-0x00007FFA03BB9000-memory.dmp

memory/2112-12-0x00007FFA03BA0000-0x00007FFA03D1A000-memory.dmp

memory/2112-13-0x00007FFA03BA0000-0x00007FFA03D1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8c677b04

MD5 2b71d256b63979fa4a9b007e82269083
SHA1 2797d5f8036ae47a4a45b5d03105f35d7b72b8f9
SHA256 883e11a2191fc112836339e7cbe39a6fffcf860b97b1e88f5fb66fc848743a88
SHA512 cd85e8b2b37c85b1c23951832fbbcd0309c7761082718209d4015b10b1b7cfb3b30cd9d05fdb1a121e091fba4da70ca9fac3a51303063a37416f0185522e5e3b

memory/3364-16-0x00007FFA25460000-0x00007FFA25669000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3640-22-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/3640-24-0x00007FFA25460000-0x00007FFA25669000-memory.dmp

memory/3640-25-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/3640-28-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/3640-29-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\AFHDGDGIIDGC\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\AFHDGDGIIDGC\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\JJJJEBGDAF.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/4996-110-0x0000000000A30000-0x0000000000F43000-memory.dmp

C:\ProgramData\KJKEHIIJJE.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/1460-121-0x00000000000D0000-0x0000000000318000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1f03c853

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/1460-133-0x0000000072080000-0x00000000721FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1e68c80e

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/4996-134-0x00007FFA25460000-0x00007FFA25669000-memory.dmp

memory/1460-135-0x00007FFA25460000-0x00007FFA25669000-memory.dmp

memory/4996-131-0x0000000072080000-0x00000000721FD000-memory.dmp

memory/3640-136-0x0000000001600000-0x0000000001D4B000-memory.dmp

C:\ProgramData\AFHDGDGIIDGC\EHDHID

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

memory/3640-170-0x0000000001600000-0x0000000001D4B000-memory.dmp

C:\ProgramData\AFHDGDGIIDGC\CBKJJJ

MD5 c8260d37073d07384063820fcd97cb1c
SHA1 25324c500695d19e4a0a0824228576a59f9abe58
SHA256 29391ff5068cfd037ed486db2fd2bc780731ca952df39377240aa4456f176560
SHA512 ffbba119b938f8227907792b8a7853daf8c8279c9f3e0f4408ddb324b21a75d093e8790efe4a7e6876b171a2cffb71022cd7a8d2f4fd1ac5b813c5aec4d6bd4b

C:\ProgramData\AFHDGDGIIDGC\GIIIIJ

MD5 41ac544896c59f0f47c5422e8d8cbe3c
SHA1 4fac0744d1c5eb1fb9da3b9fac67f690639c1ebc
SHA256 a46a88cd9a2318aa069993b23acf27db06f528ca5bdbebee717e25b38a5dc45a
SHA512 83ab24023f5b16bc5d549a8d934cfe9f1a79bc87f3c579992e6cf885cb9f14e2facef8b83d1af7b141fb23285d1509779da17236a587436127a9ccacedcb9e35

memory/3640-192-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/4996-193-0x0000000072080000-0x00000000721FD000-memory.dmp

memory/1460-195-0x0000000072080000-0x00000000721FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20e4c42c

MD5 7aad7b3827a56efa1310bde1e61f1876
SHA1 6c1cb21d346ee088a76f1be79190262490e0b366
SHA256 001dc11ea6a0f2229a3231baa5801251e89fa09b9da9058a494c01ec65df9a82
SHA512 19ffb6fe220df8390e9613ef71cf8dd4a33af8f851642d22b907f7c20fe2f33e2f3b1b0f63d2981f665c0dc7c5167671370583213260a1b555799e4b9eec2633

C:\Users\Admin\AppData\Local\Temp\212be496

MD5 c22560bf2a7c145ff7485f888b3bbc69
SHA1 7eb043f94c9ad8a975d0839989be867cd1854253
SHA256 ea759c345dc96fdfa101ce39ecac91925bd016c59c20d9b252971e37bae7d929
SHA512 5235d38d16875187a6f7c5e224f2e4ecdcc9eb611bd45a2d0c35a1937270467e700de02c1eeb5dbbd71e28ec38ee75836f992d5c1991ba47199fa82d7f0fb1b5

memory/2748-199-0x00007FFA25460000-0x00007FFA25669000-memory.dmp

memory/2328-200-0x00007FFA25460000-0x00007FFA25669000-memory.dmp

C:\ProgramData\AFHDGDGIIDGC\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\AFHDGDGIIDGC\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\AFHDGDGIIDGC\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/2328-206-0x0000000072080000-0x00000000721FD000-memory.dmp

memory/2748-216-0x0000000072080000-0x00000000721FD000-memory.dmp

memory/2880-221-0x00007FFA25460000-0x00007FFA25669000-memory.dmp

memory/2764-220-0x00007FFA03410000-0x00007FFA04AB0000-memory.dmp

memory/2880-224-0x0000000000C80000-0x0000000000CF1000-memory.dmp

memory/2764-225-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2704-229-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2704-231-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2704-232-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2704-233-0x000001C480930000-0x000001C480950000-memory.dmp

memory/2704-235-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2704-237-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2704-236-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2704-234-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2704-238-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2880-240-0x0000000000C80000-0x0000000000CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e87df931

MD5 72353b311708a89ba1eb5243308c43b6
SHA1 dae955de13b11347d887efd92fa70dfe6c19dd77
SHA256 11547bfa308ef84e5566413c0e0a92bce2adeb49be10ac19f546771b3b1f4af4
SHA512 097ade48e83c2581494e8a9ae18c5caa359293de9cbb6ff703e0309e6ae738b93b42667f4923de2effb4604bac4daadf3503d2a4190cc45460e69f176fa9ea28

C:\Windows\Tasks\Watcher Com SH.job

MD5 4878392882afaa41a93bb5f5ced317ee
SHA1 86c6d6c7f515103ea833ffff23b377f3d57a7d96
SHA256 7e2403b6da1f96d3930fced2f5338937ae207288ab8ac950158512b7e019ae91
SHA512 82f796edf5b26402b82c1ea8ad2285822a1725abe1df5ad1d0bb510ac08fded24fb3ba141ca8bc5d8ad4951d92d46ec6c4f98107a7799bc6695d0b2d65c58d5b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MSBuild.exe.log

MD5 5dd6ecdc4507cc0f897cded9ebeb94b4
SHA1 afd42365a5a8fa71f506a3d34960f8ed459cfd86
SHA256 8b410de677f095f88c42c69c716a9383b94ceb86ca90666188fcd4f4df7fc9fa
SHA512 078e5c9b8062420ef2c3a3a816961e957b0daa7f7a2ecd92689d0399febda98a0c727d1cd9b286adce1c132b9efbd383179867cc494831d4679d9e3805d51a06

C:\Users\Admin\AppData\Local\Temp\e4586341

MD5 b7495385d1708242b17ee69ba5f717bc
SHA1 60d78070ae0744afb58a97884bbdb1a5eff44808
SHA256 897ef55ce9dc5f1010b10378f149db9a9114fada6f505aae97df532bd3fbb48b
SHA512 9cf0716ffa1fcfef3775041e619982c2094a03b7ac1bd90ec1657193a6c1b437cb487a01a6f9c7f80621d1d2baf1c8d5be86719a23cdce8505a63a0d1e2484a5

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:19

Platform

win11-20240611-en

Max time kernel

1485s

Max time network

1509s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-private-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-private-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:19

Platform

win11-20240508-en

Max time kernel

1759s

Max time network

1769s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-locale-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-locale-l1-1-0.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:10

Platform

win11-20240508-en

Max time kernel

1796s

Max time network

1800s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_desktop_sleep_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_desktop_sleep_plugin.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:12

Platform

win11-20240508-en

Max time kernel

1740s

Max time network

1750s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tray_manager_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tray_manager_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:12

Platform

win11-20240611-en

Max time kernel

1485s

Max time network

1502s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:17

Platform

win11-20240508-en

Max time kernel

1739s

Max time network

1749s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:18

Platform

win11-20240611-en

Max time kernel

1490s

Max time network

1502s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-util-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-util-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:18

Platform

win11-20240611-en

Max time kernel

1491s

Max time network

1508s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-conio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-conio-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:12

Platform

win11-20240419-en

Max time kernel

1743s

Max time network

1754s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:14

Platform

win11-20240611-en

Max time kernel

1484s

Max time network

1508s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\windows_single_instance_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\windows_single_instance_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:14

Platform

win11-20240611-en

Max time kernel

1485s

Max time network

1510s

Command Line

"C:\Users\Admin\AppData\Local\Temp\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\x86\NvStereoUtilityOGL_[1MB]_[1].exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\x86\NvStereoUtilityOGL_[1MB]_[1].exe

Processes

C:\Users\Admin\AppData\Local\Temp\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 532

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:16

Platform

win11-20240611-en

Max time kernel

1492s

Max time network

1510s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:13

Platform

win11-20240611-en

Max time kernel

1485s

Max time network

1503s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140_app.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3412 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2516 -ip 2516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 452

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:15

Platform

win11-20240611-en

Max time kernel

1484s

Max time network

1509s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:16

Platform

win11-20240508-en

Max time kernel

1727s

Max time network

1736s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-16 16:19

Reported

2024-06-16 17:18

Platform

win11-20240419-en

Max time kernel

1743s

Max time network

1753s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x86\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A