Malware Analysis Report

2024-08-06 12:11

Sample ID 240617-w8fevatcrq
Target b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe
SHA256 b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c
Tags
asyncrat njrat 05kan24 discovery evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c

Threat Level: Known bad

The file b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat njrat 05kan24 discovery evasion persistence rat trojan

AsyncRat

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 18:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 18:35

Reported

2024-06-17 18:37

Platform

win7-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

Signatures

AsyncRat

rat asyncrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\IwUp238 = "\"C:\\Users\\Admin\\IwUp238.exe\"" C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ijr314 = "\"C:\\Users\\Admin\\Ijr314.exe\"" C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Id990 = "\"C:\\Users\\Admin\\Id990.exe\"" C:\Users\Admin\AppData\Roaming\Id990.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2476 set thread context of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2632 set thread context of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 3024 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 3024 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 3024 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2476 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3024 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 3024 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 3024 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 3024 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2632 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3024 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 3024 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 3024 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 3024 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 376 wrote to memory of 360 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3024 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3024 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3024 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3024 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3024 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3024 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 3024 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 2980 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 2980 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 2980 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe
PID 2980 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

C:\Users\Admin\AppData\Roaming\IwUp238.exe

"C:\Users\Admin\AppData\Roaming\IwUp238.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

"C:\Users\Admin\AppData\Local\Temp\Ijr314.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Roaming\Id990.exe

"C:\Users\Admin\AppData\Roaming\Id990.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc.\Adobe Installer\Set-up.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 192.227.228.34:8848 4Mekey.myftp.biz tcp
US 192.227.228.34:1124 4Mekey.myftp.biz tcp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

MD5 be6e111b039a5eddab2c5c88c5f3d200
SHA1 3e495ef72dc30d6dc7319be0ec1e64d71a632e4a
SHA256 d9d9dfddd64dd6d88ded3afb179a070f01eb90c340c69533c70ba06586ff8375
SHA512 f0f0f59e70262bbd9f5cbd8cbf2b27c7366612a2cded275a3ac71e9119ef65f2803ff35f7f3aa71a2b906d0bde9e3e464b2f65028162eedbea8eded6e25dcb79

C:\Users\Admin\AppData\Roaming\IwUp238.exe

MD5 1664a1b751a6665b8ad9c0b4348e4b19
SHA1 b51a9e38e90e5b8ae789c86e5b56ba97afc850fd
SHA256 86233f6c47eb5b7234e1003d5c3df42277bda1155512ae7f47dde2bb69964372
SHA512 ad7b2f29d9ba94815bf25a56351537de0e407dbb1073cc2cc4e129bb7c41091c099822c3dd7fe0916e6e9f57fb56169dbd783504b2692f4e1bc3670e28134294

memory/2868-38-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2868-40-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2868-42-0x0000000000400000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Local\Temp\Ijr314.exe

MD5 c0198a9b2eab8625477a1885ef9e0e98
SHA1 d356f1284ff024f11efcc6d0cd46f506cf2cbc0c
SHA256 6b7776dc092f393043225c45df6cdd99c9608f42b532e200d14d66a3c3cef673
SHA512 b9e15810cd749f1593300eb8ae647ffddefb1c3020cec09d6a7c02e3277d01911394571716c134a35da29694bfc3f030e7fa1ddb272e702fcd4503b42deeda09

memory/2980-51-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2980-52-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2980-53-0x0000000000400000-0x0000000000410000-memory.dmp

\Users\Admin\AppData\Roaming\Id990.exe

MD5 3ddcc9725522f1921b2885a6f307686e
SHA1 ab8845101a15fc6c2ef7be6b881b3e372ccb300d
SHA256 4b19319cd0497380b07d3f471a9cac9d181bfddf665a1ee35715d520fb0ea30e
SHA512 8409cd6f521d39a832c7d427e3af807eedda52de30a2f0be6c3a655be8808e4b461921f234739f7753c0a7d8cc30e4ed8b55b6a136435dbd01367823af777d2a

C:\Users\Admin\AppData\Local\Temp\Cab9494.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 de70f0deed893bba56ccb78eafd59606
SHA1 f351b0c2996a3573d36deab9b6b3961876189f71
SHA256 b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d
SHA512 86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

memory/3024-91-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f604fc4c8a230c62df52cb971cf53f26
SHA1 2ccb5983c68d36a3a08670f0dc2ac338557bce3a
SHA256 d4802327aff4e6cdd42bd874f949e8512996c7c4376709b1529b92786748daa6
SHA512 fad1ab0ee4ab8c537000870063264aba534d58bb456fcb9699e0e9003084abee31c733619510cda64d09823410da26c7312f6716765a0d9b4d49d460de6f4dd7

C:\Users\Admin\AppData\Local\Temp\TarA786.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/3024-164-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 18:35

Reported

2024-06-17 18:37

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

Signatures

AsyncRat

rat asyncrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IwUp238 = "\"C:\\Users\\Admin\\IwUp238.exe\"" C:\Users\Admin\AppData\Roaming\IwUp238.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ijr314 = "\"C:\\Users\\Admin\\Ijr314.exe\"" C:\Users\Admin\AppData\Local\Temp\Ijr314.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Id990 = "\"C:\\Users\\Admin\\Id990.exe\"" C:\Users\Admin\AppData\Roaming\Id990.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3172 set thread context of 688 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 1412 set thread context of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A
File created C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\IwUp238.exe
PID 3172 wrote to memory of 688 N/A C:\Users\Admin\AppData\Roaming\IwUp238.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 3328 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Local\Temp\Ijr314.exe
PID 1412 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Ijr314.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3328 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Users\Admin\AppData\Roaming\Id990.exe
PID 2188 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Id990.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3328 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
PID 5116 wrote to memory of 1700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe

"C:\Users\Admin\AppData\Local\Temp\b030a9aaa27be2c9db6c0f15e95626025f51430466b13a196908b1ec4172160c.exe"

C:\Users\Admin\AppData\Roaming\IwUp238.exe

"C:\Users\Admin\AppData\Roaming\IwUp238.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

"C:\Users\Admin\AppData\Local\Temp\Ijr314.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Roaming\Id990.exe

"C:\Users\Admin\AppData\Roaming\Id990.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

"C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 4Mekey.myftp.biz udp
US 8.8.8.8:53 4mekey.myftp.biz udp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

MD5 be6e111b039a5eddab2c5c88c5f3d200
SHA1 3e495ef72dc30d6dc7319be0ec1e64d71a632e4a
SHA256 d9d9dfddd64dd6d88ded3afb179a070f01eb90c340c69533c70ba06586ff8375
SHA512 f0f0f59e70262bbd9f5cbd8cbf2b27c7366612a2cded275a3ac71e9119ef65f2803ff35f7f3aa71a2b906d0bde9e3e464b2f65028162eedbea8eded6e25dcb79

C:\Users\Admin\AppData\Roaming\IwUp238.exe

MD5 1664a1b751a6665b8ad9c0b4348e4b19
SHA1 b51a9e38e90e5b8ae789c86e5b56ba97afc850fd
SHA256 86233f6c47eb5b7234e1003d5c3df42277bda1155512ae7f47dde2bb69964372
SHA512 ad7b2f29d9ba94815bf25a56351537de0e407dbb1073cc2cc4e129bb7c41091c099822c3dd7fe0916e6e9f57fb56169dbd783504b2692f4e1bc3670e28134294

memory/688-41-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ijr314.exe

MD5 c0198a9b2eab8625477a1885ef9e0e98
SHA1 d356f1284ff024f11efcc6d0cd46f506cf2cbc0c
SHA256 6b7776dc092f393043225c45df6cdd99c9608f42b532e200d14d66a3c3cef673
SHA512 b9e15810cd749f1593300eb8ae647ffddefb1c3020cec09d6a7c02e3277d01911394571716c134a35da29694bfc3f030e7fa1ddb272e702fcd4503b42deeda09

memory/688-51-0x000000007296E000-0x000000007296F000-memory.dmp

memory/5116-54-0x0000000000400000-0x0000000000410000-memory.dmp

memory/5116-57-0x0000000005320000-0x00000000053BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Id990.exe

MD5 3ddcc9725522f1921b2885a6f307686e
SHA1 ab8845101a15fc6c2ef7be6b881b3e372ccb300d
SHA256 4b19319cd0497380b07d3f471a9cac9d181bfddf665a1ee35715d520fb0ea30e
SHA512 8409cd6f521d39a832c7d427e3af807eedda52de30a2f0be6c3a655be8808e4b461921f234739f7753c0a7d8cc30e4ed8b55b6a136435dbd01367823af777d2a

memory/5116-64-0x0000000005970000-0x0000000005F14000-memory.dmp

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

MD5 de70f0deed893bba56ccb78eafd59606
SHA1 f351b0c2996a3573d36deab9b6b3961876189f71
SHA256 b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d
SHA512 86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

memory/5116-81-0x0000000005580000-0x0000000005612000-memory.dmp

memory/5116-82-0x00000000054F0000-0x00000000054FA000-memory.dmp

memory/3328-83-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3328-85-0x0000000000400000-0x0000000000448000-memory.dmp

memory/688-86-0x000000007296E000-0x000000007296F000-memory.dmp