Malware Analysis Report

2024-08-06 12:11

Sample ID 240617-bplgja1hnp
Target b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe
SHA256 b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c
Tags
asyncrat njrat quasar 05kan24 discovery evasion persistence rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c

Threat Level: Known bad

The file b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat njrat quasar 05kan24 discovery evasion persistence rat spyware trojan

njRAT/Bladabindi

AsyncRat

Quasar payload

Quasar RAT

Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing the string DcRatBy

Detects executables attemping to enumerate video devices using WMI

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing common artifacts observed in infostealers

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 01:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:19

Reported

2024-06-17 01:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

njRAT/Bladabindi

trojan njrat

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables attemping to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing the string DcRatBy

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Id990.exe N/A
N/A N/A C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Id990 = "\"C:\\Users\\Admin\\Id990.exe\"" C:\Users\Admin\AppData\Roaming\Id990.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IwUp238 = "\"C:\\Users\\Admin\\IwUp238.exe\"" C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ijr314 = "\"C:\\Users\\Admin\\Ijr314.exe\"" C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2844 set thread context of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4528 set thread context of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4896 set thread context of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 1016 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2844 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1016 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 1016 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4528 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1016 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 1016 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4896 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1016 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1016 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1016 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1816 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 1816 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 2432 wrote to memory of 412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 412 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 412 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 412 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 412 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 412 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 412 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 412 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 412 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

C:\Users\Admin\AppData\Roaming\IwUp238.exe

"C:\Users\Admin\AppData\Roaming\IwUp238.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

"C:\Users\Admin\AppData\Local\Temp\Ijr314.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Roaming\Id990.exe

"C:\Users\Admin\AppData\Roaming\Id990.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vxTZf8OtFpd7.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

MD5 be6e111b039a5eddab2c5c88c5f3d200
SHA1 3e495ef72dc30d6dc7319be0ec1e64d71a632e4a
SHA256 d9d9dfddd64dd6d88ded3afb179a070f01eb90c340c69533c70ba06586ff8375
SHA512 f0f0f59e70262bbd9f5cbd8cbf2b27c7366612a2cded275a3ac71e9119ef65f2803ff35f7f3aa71a2b906d0bde9e3e464b2f65028162eedbea8eded6e25dcb79

C:\Users\Admin\AppData\Roaming\IwUp238.exe

MD5 1664a1b751a6665b8ad9c0b4348e4b19
SHA1 b51a9e38e90e5b8ae789c86e5b56ba97afc850fd
SHA256 86233f6c47eb5b7234e1003d5c3df42277bda1155512ae7f47dde2bb69964372
SHA512 ad7b2f29d9ba94815bf25a56351537de0e407dbb1073cc2cc4e129bb7c41091c099822c3dd7fe0916e6e9f57fb56169dbd783504b2692f4e1bc3670e28134294

memory/4440-41-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

MD5 c0198a9b2eab8625477a1885ef9e0e98
SHA1 d356f1284ff024f11efcc6d0cd46f506cf2cbc0c
SHA256 6b7776dc092f393043225c45df6cdd99c9608f42b532e200d14d66a3c3cef673
SHA512 b9e15810cd749f1593300eb8ae647ffddefb1c3020cec09d6a7c02e3277d01911394571716c134a35da29694bfc3f030e7fa1ddb272e702fcd4503b42deeda09

memory/4440-51-0x0000000072F0E000-0x0000000072F0F000-memory.dmp

memory/1816-54-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Roaming\Id990.exe

MD5 3ddcc9725522f1921b2885a6f307686e
SHA1 ab8845101a15fc6c2ef7be6b881b3e372ccb300d
SHA256 4b19319cd0497380b07d3f471a9cac9d181bfddf665a1ee35715d520fb0ea30e
SHA512 8409cd6f521d39a832c7d427e3af807eedda52de30a2f0be6c3a655be8808e4b461921f234739f7753c0a7d8cc30e4ed8b55b6a136435dbd01367823af777d2a

memory/1816-58-0x00000000057C0000-0x000000000585C000-memory.dmp

memory/1816-63-0x0000000005E10000-0x00000000063B4000-memory.dmp

memory/2432-68-0x0000000000400000-0x0000000000724000-memory.dmp

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 de70f0deed893bba56ccb78eafd59606
SHA1 f351b0c2996a3573d36deab9b6b3961876189f71
SHA256 b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d
SHA512 86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

memory/2432-76-0x00000000054D0000-0x0000000005562000-memory.dmp

memory/2432-82-0x0000000005470000-0x000000000547A000-memory.dmp

memory/2432-84-0x0000000006540000-0x0000000006B58000-memory.dmp

memory/2432-85-0x0000000006020000-0x0000000006070000-memory.dmp

memory/2432-86-0x0000000006290000-0x0000000006342000-memory.dmp

memory/1016-87-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vxTZf8OtFpd7.bat

MD5 768c71e704b3cbba329aa59742f8f0ff
SHA1 f2dc9d5dd71d61dd4f55f250304cba011fa73489
SHA256 f85338605ac8aa2d189b61f64b990e7472bd7fcecd49040f710ef098e4efaad5
SHA512 de8d05b8888b8c0c8709e851c6d33e7ff6f50da06a1be80c1db0b9a4204f2584930e71fa6ef67edf2cdedb21129a83e45edea0e86897c22d4ac8dcd1e811c88f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

MD5 38b07cd5da5c740e9629fd801dc26e5a
SHA1 42816159ab9367165cf58603b09b134d488c1690
SHA256 20049cc7ade63a31f442dfd2b99740f0512fdcc764266b8b105292e30d2b7483
SHA512 1769ffefe181531476e10311295f38d11b85b5ec3710000b5cb081675e5f233792f96bb4178b75fd0e2cfc86965e7368173d22799a1e9fa3317ddd49047fab5a

memory/1948-95-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/1948-96-0x00000000025C0000-0x00000000025DA000-memory.dmp

memory/4440-97-0x0000000072F0E000-0x0000000072F0F000-memory.dmp

memory/1016-100-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 01:19

Reported

2024-06-17 01:21

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

njRAT/Bladabindi

trojan njrat

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables attemping to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing the string DcRatBy

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Id990.exe N/A
N/A N/A C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ijr314 = "\"C:\\Users\\Admin\\Ijr314.exe\"" C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Id990 = "\"C:\\Users\\Admin\\Id990.exe\"" C:\Users\Admin\AppData\Roaming\Id990.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\IwUp238 = "\"C:\\Users\\Admin\\IwUp238.exe\"" C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2680 set thread context of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2492 set thread context of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2892 set thread context of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 1264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 1264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 1264 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1264 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 1264 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 1264 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 1264 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1264 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 1264 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 1264 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 1264 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2892 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1264 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1264 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1264 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1264 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1264 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1264 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 1264 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 2500 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 2500 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 2500 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 2500 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

C:\Users\Admin\AppData\Roaming\IwUp238.exe

"C:\Users\Admin\AppData\Roaming\IwUp238.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

"C:\Users\Admin\AppData\Local\Temp\Ijr314.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Roaming\Id990.exe

"C:\Users\Admin\AppData\Roaming\Id990.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc.\Adobe Installer\Set-up.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 192.227.228.34:8848 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:1124 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 4Mekey.myftp.biz tcp
US 192.227.228.34:4782 tcp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

MD5 be6e111b039a5eddab2c5c88c5f3d200
SHA1 3e495ef72dc30d6dc7319be0ec1e64d71a632e4a
SHA256 d9d9dfddd64dd6d88ded3afb179a070f01eb90c340c69533c70ba06586ff8375
SHA512 f0f0f59e70262bbd9f5cbd8cbf2b27c7366612a2cded275a3ac71e9119ef65f2803ff35f7f3aa71a2b906d0bde9e3e464b2f65028162eedbea8eded6e25dcb79

C:\Users\Admin\AppData\Roaming\IwUp238.exe

MD5 1664a1b751a6665b8ad9c0b4348e4b19
SHA1 b51a9e38e90e5b8ae789c86e5b56ba97afc850fd
SHA256 86233f6c47eb5b7234e1003d5c3df42277bda1155512ae7f47dde2bb69964372
SHA512 ad7b2f29d9ba94815bf25a56351537de0e407dbb1073cc2cc4e129bb7c41091c099822c3dd7fe0916e6e9f57fb56169dbd783504b2692f4e1bc3670e28134294

memory/2464-38-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2464-40-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2464-42-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

MD5 c0198a9b2eab8625477a1885ef9e0e98
SHA1 d356f1284ff024f11efcc6d0cd46f506cf2cbc0c
SHA256 6b7776dc092f393043225c45df6cdd99c9608f42b532e200d14d66a3c3cef673
SHA512 b9e15810cd749f1593300eb8ae647ffddefb1c3020cec09d6a7c02e3277d01911394571716c134a35da29694bfc3f030e7fa1ddb272e702fcd4503b42deeda09

memory/2500-51-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2500-52-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2500-53-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Roaming\Id990.exe

MD5 3ddcc9725522f1921b2885a6f307686e
SHA1 ab8845101a15fc6c2ef7be6b881b3e372ccb300d
SHA256 4b19319cd0497380b07d3f471a9cac9d181bfddf665a1ee35715d520fb0ea30e
SHA512 8409cd6f521d39a832c7d427e3af807eedda52de30a2f0be6c3a655be8808e4b461921f234739f7753c0a7d8cc30e4ed8b55b6a136435dbd01367823af777d2a

memory/1980-79-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1980-81-0x0000000000400000-0x0000000000724000-memory.dmp

memory/1980-80-0x0000000000400000-0x0000000000724000-memory.dmp

\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 de70f0deed893bba56ccb78eafd59606
SHA1 f351b0c2996a3573d36deab9b6b3961876189f71
SHA256 b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d
SHA512 86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffebc4bb66cc4ff22ef09065ee67106b
SHA1 917cfc5c7bce573799d4cb7ecdb704c03b041cd5
SHA256 5d450e522be9aa752531ddd2801b79e97715f88b08d2349e12c01700e42c2a4b
SHA512 3ca5c3d1b4c6e7cc7d2d8479c8e7cbbe2a1bfb655c8286388f763d3b807d773d38186e67d4b4eb8d6bd12d81c8050ec1e5fa5bf3c0ee1d44618b88cf7f788c03

C:\Users\Admin\AppData\Local\Temp\Tar397B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1264-178-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1264-180-0x0000000000400000-0x0000000000448000-memory.dmp