Malware Analysis Report

2024-12-07 03:20

Sample ID 241113-cggdaatmht
Target 03e7cb9e6bdcc56672d4f02c05669f5b8c64d3b90dc8a25bb3fb4e3de38f2aca.zip
SHA256 03e7cb9e6bdcc56672d4f02c05669f5b8c64d3b90dc8a25bb3fb4e3de38f2aca
Tags
remcos new discovery rat agilenet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analyses: behavioral13, behavioral14, behavioral17, behavioral22, behavioral23, behavioral7, behavioral20, behavioral25, behavioral8, behavioral16, behavioral18, behavioral15, behavioral26, behavioral1, behavioral2, behavioral3, behavioral5, behavioral6, behavioral9, behavioral10, behavioral12, behavioral21, behavioral24, behavioral4, behavioral11, behavioral19 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

03e7cb9e6bdcc56672d4f02c05669f5b8c64d3b90dc8a25bb3fb4e3de38f2aca

Threat Level: Known bad

The file 03e7cb9e6bdcc56672d4f02c05669f5b8c64d3b90dc8a25bb3fb4e3de38f2aca.zip was found to be: Known bad.

Malicious Activity Summary

remcos new discovery rat agilenet

Remcos

Remcos family

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:02

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (9 matches, no per-match details recorded)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no per-match details recorded)

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuToolTip.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuToolTip.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuToolTip.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuToolTip.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu_UI_v1.5.3.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Microsoft.Win32.TaskScheduler.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Microsoft.Win32.TaskScheduler.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libgmp-10.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 816 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 816 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libgmp-10.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 816 -s 80

Network

N/A

Files

memory/816-0-0x000000006ACC0000-0x000000006AD99000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuFormDock.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuFormDock.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2848 set thread context of 2148 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\scr_previw.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 4648 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 4648 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2440 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe
PID 2440 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe
PID 2440 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2440 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2440 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 4792 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 4792 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 4792 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2148 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2148 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2148 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2148 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe

"C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe"

C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe

"C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe

"C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
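Most of the Network rows in this report are reverse (PTR) lookups sent to the sandbox resolver at 8.8.8.8:53; they show up in the rundll32-only runs that trigger no signatures as well, so they are background noise of the detonation host rather than sample behaviour. Only this run shows repeated TCP connections to one non-resolver destination, 95.217.148.142:9004. The Python below is an added example by the editor, not part of the report: it parses rows in this table's format, separates resolver lookups from direct connections, turns each in-addr.arpa name back into the address that was being looked up, and surfaces repeatedly contacted non-resolver TCP destinations as C2 candidates. The sample rows are constructed from the tables above (the 29 identical connection rows cut to three, plus the domain-less resolver row seen in behavioral6), and the resolver address and repeat threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the Network tables above: behavioral20 rows
# with the 29 identical 95.217.148.142:9004 rows cut to three, plus the
# domain-less "US 8.8.8.8:53 udp" row that appears in behavioral6.
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 95.217.148.142:9004 tcp
US 8.8.8.8:53 udp
"""

# "<CC> <ip>:<port> [<domain>] <proto>"; the Domain column is empty on some rows.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

RESOLVER = "8.8.8.8:53"  # assumption: the sandbox's DNS forwarder


def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage(text, resolver=RESOLVER):
    """Split rows into (looked-up address -> count) and ((cc, dest, proto) -> count)."""
    lookups, connections = Counter(), Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line
        dest = f"{m['ip']}:{m['port']}"
        if dest == resolver and m["proto"] == "udp":
            lookups[ptr_to_ip(m["domain"]) or m["domain"] or "<no name>"] += 1
        else:
            connections[(m["cc"], dest, m["proto"])] += 1
    return lookups, connections


def c2_candidates(text, min_repeats=2):
    """Non-resolver TCP destinations contacted at least min_repeats times.

    Repeated reconnects to one ip:port are the beaconing shape a RAT shows in a
    short detonation; the threshold is an assumption, tune it to the run length."""
    _, connections = triage(text)
    return sorted(
        ((dest, n) for (cc, dest, proto), n in connections.items()
         if proto == "tcp" and n >= min_repeats),
        key=lambda item: -item[1],
    )


if __name__ == "__main__":
    lookups, connections = triage(NETWORK_ROWS)
    print("reverse lookups:", dict(lookups))
    print("connections:", dict(connections))
    print("C2 candidates:", c2_candidates(NETWORK_ROWS))
```

Run against the full table in this section the only candidate is 95.217.148.142:9004 with 29 connections; the reverse-lookup bucket is what to diff against a clean run of the same sandbox image before treating any of those addresses as an indicator.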

Files

memory/4648-0-0x0000000000D20000-0x0000000000D21000-memory.dmp

memory/2440-3-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/4648-4-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe

MD5 8544704f507c57bd2fe9e2551e3abef8
SHA1 36acefb78fc9c67adc9bbc6b6a660f39d8ea2976
SHA256 c144a4451ea558af360534ddab0cd9535c7fd897da8af71e69927936fe9b57fb
SHA512 1ea63e3f45497a4dce690d572f35844e1bd64eb617ae12c4454a1a985af7de139e412e0a65dfe4760dfbe2d2f24d62913b666210fc9e8c7f5e0375d9dc5a0084

C:\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

memory/2156-22-0x00007FFB406C3000-0x00007FFB406C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/2156-27-0x000002DBC98D0000-0x000002DBC99C2000-memory.dmp

memory/2156-28-0x000002DBCB5C0000-0x000002DBCB634000-memory.dmp

memory/2440-30-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/4792-33-0x0000000074940000-0x0000000074ABB000-memory.dmp

memory/4792-34-0x00007FFB5F290000-0x00007FFB5F485000-memory.dmp

memory/2848-46-0x0000000074740000-0x00000000748BB000-memory.dmp

memory/2848-47-0x00007FFB5F290000-0x00007FFB5F485000-memory.dmp

memory/2848-48-0x0000000074740000-0x00000000748BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20617039

MD5 f3350adc25d3de348393ba5c85a148f5
SHA1 3ebf08845e3a0a4144b2e9d807f7dd52deb312c7
SHA256 487cdc861d6143a5165efb4cf1a4d69d34f5860dd5af29a924fb20894f6e7c37
SHA512 58d7ccff10aefc89e3f72de92e00b77f97167a3175b7fa9c4b81d8bb41507c4258915b6db4503929ff208085f62230b4f17d6de2f34d3543a1eaad551bc3d9b3

memory/2148-51-0x00007FFB5F290000-0x00007FFB5F485000-memory.dmp

memory/2148-53-0x0000000074740000-0x00000000748BB000-memory.dmp

memory/3676-55-0x00007FFB5F290000-0x00007FFB5F485000-memory.dmp

memory/3676-56-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-58-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-59-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-60-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-61-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-62-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-63-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-64-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-65-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-66-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3676-67-0x0000000000400000-0x0000000000484000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libhwloc-15.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libhwloc-15.dll,#1

Network

N/A

Files

memory/2400-0-0x000000006EC40000-0x000000006EDD6000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuFormDock.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuFormDock.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.ToggleSwitch.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.ToggleSwitch.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu_UI_v1.5.3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu_UI_v1.5.3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20241010-en

Max time kernel

74s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.ToggleSwitch.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.ToggleSwitch.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libhwloc-15.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libhwloc-15.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/220-0-0x000000006EC40000-0x000000006EDD6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.Core.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuButton.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuButton.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuDropdown.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuDropdown.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuDropdown.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuDropdown.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuPages.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuPages.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuPages.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuPages.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuTextbox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuTextbox.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Microsoft.Win32.TaskScheduler.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Microsoft.Win32.TaskScheduler.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libgmp-10.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\libgmp-10.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4436-0-0x000000006ACC0000-0x000000006AD99000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuButton.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuButton.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuTextbox.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\Bunifu.UI.WinForms.BunifuTextbox.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 02:02

Reported

2024-11-13 02:05

Platform

win7-20241023-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2848 set thread context of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\scr_previw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2284 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe
PID 2284 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe
PID 2284 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe
PID 2284 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe
PID 2284 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2284 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2284 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2284 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2468 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2468 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2468 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2468 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2728 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe C:\Windows\system32\WerFault.exe
PID 2728 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe C:\Windows\system32\WerFault.exe
PID 2728 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe C:\Windows\system32\WerFault.exe
PID 2848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
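
Added example, not part of the sandbox report: the WriteProcessMemory and SetThreadContext rows above are enough to reconstruct the injection chain and to pick out the process-hollowing step. The script below parses those rows (copied from the two tables, one line per distinct writer/target pair; the report repeats each row once per recorded call), builds the writer-to-target graph from the installer PID 2104, flags any pair that was both written to and had its thread context set (2848 scr_previw.exe into 2736 cmd.exe), and lists writes into images under the Windows directory. The function names and the hollowing heuristic are this example's own; WerFault.exe is excluded because the Processes list shows it launched as `WerFault.exe -u -p 2728 -s 532`, i.e. crash reporting for PID 2728, which is expected and not injection.

```python
import re
from collections import defaultdict

# Indicator rows copied from the signature tables above, deduplicated to one
# line per (writer, target) pair. The report lists each row once per API call.
WRITE_ROWS = r"""
PID 2104 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe
PID 2284 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe
PID 2284 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2468 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2728 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe C:\Windows\system32\WerFault.exe
PID 2848 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
"""
CONTEXT_ROWS = r"""
PID 2848 set thread context of 2736 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
"""

# Row layout: "PID <src> <verb> <dst> N/A <writer image> <target image>".
# Images may contain spaces ("CTR 2.1.exe"), so anchor on the ".exe" suffixes.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?:wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_image>.+?\.exe) (?P<dst_image>.+\.exe)$"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per indicator row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised indicator row: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_graph(writes):
    """Map each PID to its image, and each writer PID to the PIDs it wrote into."""
    images, edges = {}, defaultdict(set)
    for src, dst, src_img, dst_img in writes:
        images[src] = src_img
        images[dst] = dst_img
        edges[src].add(dst)
    return images, edges


def hollowing_candidates(writes, contexts):
    """(writer, target) pairs that were both written into and had a thread
    context set: WriteProcessMemory followed by SetThreadContext on the same
    target is the classic hollowing / thread-hijack combination."""
    written = {(s, d) for s, d, _, _ in writes}
    return sorted((s, d) for s, d, _, _ in contexts if (s, d) in written)


def injection_paths(images, edges, root):
    """Every writer->target chain starting at `root`, as 'pid:image' lists."""
    paths = []

    def walk(pid, trail):
        trail = trail + [f"{pid}:{basename(images[pid])}"]
        if not edges.get(pid):
            paths.append(trail)
            return
        for child in sorted(edges[pid]):
            walk(child, trail)

    walk(root, [])
    return paths


def windows_image_targets(writes, ignore=("WerFault.exe",)):
    """Writes into images under the Windows directory, minus known-benign
    targets. WerFault.exe is ignored here because the Processes list shows it
    was started for crash reporting of PID 2728 (-u -p 2728 -s 532)."""
    hits = []
    for src, dst, src_img, dst_img in writes:
        if dst_img.lower().startswith("c:\\windows\\") and basename(dst_img) not in ignore:
            hits.append((src, basename(src_img), dst, basename(dst_img)))
    return hits


if __name__ == "__main__":
    writes = parse_rows(WRITE_ROWS)
    contexts = parse_rows(CONTEXT_ROWS)
    images, edges = build_graph(writes)
    for path in injection_paths(images, edges, 2104):
        print(" -> ".join(path))
    print("hollowing candidates:", hollowing_candidates(writes, contexts))
    print("writes into Windows images:", windows_image_targets(writes))
```

Run against the rows above it yields two chains from 2104: one ending in WerFault.exe (the crash of the dropped `CTR 2.1.exe`, PID 2728) and one running CTR 2.1.exe -> scr_previw.exe -> Browserload\scr_previw.exe -> cmd.exe -> explorer.exe, with the single hollowing candidate (2848, 2736). The repeated 0x400000-0x484000 dumps for PID 1752 in the Files section are consistent with explorer.exe being the final host of the injected code, which is where a memory capture for Remcos config extraction should start.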

Processes

C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe

"C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe"

C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe

"C:\Users\Admin\AppData\Local\Temp\clocktuner-ryzen-2-1\CTR 2.1.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe

"C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2728 -s 532

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
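
Added example, not part of the sandbox report: the Network tables in this section are of two different kinds and should not be read the same way. The rundll32 detonations (behavioral24 and behavioral4 above) record only `*.in-addr.arpa` queries to 8.8.8.8, i.e. reverse (PTR) lookups sent to the resolver, which name an address without contacting it and which the report does not tie to the loaded DLL (no signature fired there). The behavioral19 table records 49 direct TCP connections to 95.217.148.142:9004, the only endpoint the Remcos-tagged run actually talks to. The script below, written for this example, parses both table formats, decodes the PTR names back to addresses so they can be checked before anyone treats them as indicators, and reports endpoints contacted repeatedly over the run. The rows are copied from the tables above; the beacon threshold of 10 is an assumption.

```python
import re
from collections import Counter

# Copied from the tables above: the eight PTR rows of behavioral24, and the
# behavioral19 connection row, which that table repeats 49 times.
PTR_ROWS = """
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
"""
TCP_ROWS = "FI 95.217.148.142:9004 tcp\n" * 49

# "<country> <ip>:<port> [<domain>] <proto>"; the domain column is absent for
# plain connections and present for DNS queries.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_network(text):
    """Return one dict per table row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised network row: {line!r}")
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"], "proto": m["proto"]})
    return rows


def ptr_to_ip(name):
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104' (octets are reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not a reverse-lookup name: {name!r}")
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"malformed reverse-lookup name: {name!r}")
    return ".".join(reversed(octets))


def split_lookups_and_connections(rows):
    """PTR queries say which addresses the guest asked its resolver about;
    every other row is a real connection to the listed destination."""
    looked_up, connections = set(), []
    for r in rows:
        if r["port"] == 53 and r["domain"] and r["domain"].endswith(".in-addr.arpa"):
            looked_up.add(ptr_to_ip(r["domain"]))
        else:
            connections.append(r)
    return looked_up, connections


def beacon_endpoints(rows, min_count=10):
    """Destinations contacted at least `min_count` times, most frequent first.
    Repeated connections to one ip:port over a short run are the shape of a
    RAT check-in loop; the threshold is a tunable assumption."""
    _, connections = split_lookups_and_connections(rows)
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in connections)
    return [(ip, port, proto, n) for (ip, port, proto), n in counts.most_common()
            if n >= min_count]


if __name__ == "__main__":
    looked_up, conns = split_lookups_and_connections(parse_network(PTR_ROWS))
    print("behavioral24: PTR lookups only, no connections:", len(conns) == 0)
    print("addresses looked up:", sorted(looked_up))
    print("behavioral19 beacons:", beacon_endpoints(parse_network(TCP_ROWS)))
```

For the PTR rows the decoded addresses are the thing to check (ownership, whether the same lookups appear in a clean baseline run on the same image) before they go into a blocklist; for behavioral19 the result is a single endpoint, 95.217.148.142:9004 over TCP, contacted 49 times, which is the indicator worth alerting on.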

Files

memory/2104-0-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2104-3-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\CTR 2.1\CTR 2.1.exe

MD5 8544704f507c57bd2fe9e2551e3abef8
SHA1 36acefb78fc9c67adc9bbc6b6a660f39d8ea2976
SHA256 c144a4451ea558af360534ddab0cd9535c7fd897da8af71e69927936fe9b57fb
SHA512 1ea63e3f45497a4dce690d572f35844e1bd64eb617ae12c4454a1a985af7de139e412e0a65dfe4760dfbe2d2f24d62913b666210fc9e8c7f5e0375d9dc5a0084

\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/2284-25-0x0000000000400000-0x000000000070A000-memory.dmp

memory/2728-29-0x0000000000910000-0x0000000000A02000-memory.dmp

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

memory/2728-31-0x000000001AD10000-0x000000001AD84000-memory.dmp

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/2468-33-0x0000000074460000-0x00000000745D4000-memory.dmp

memory/2468-34-0x0000000077050000-0x00000000771F9000-memory.dmp

memory/2848-53-0x0000000074340000-0x00000000744B4000-memory.dmp

memory/2848-54-0x0000000077050000-0x00000000771F9000-memory.dmp

memory/2848-55-0x0000000074340000-0x00000000744B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9b617bd5

MD5 f44ab49887aee083e66a3c24eb5391e4
SHA1 8a6174edb8304f4b63d267725bbf06392c3b2fd8
SHA256 e104929c7e2773292308c94d5f83c95f5ea06da00d7320d1b4955ea5849b2b5f
SHA512 033e0ef876d8464a7fa678bb8752d13afc2c846d790704ea6a3a31e819c4d3c9ef12774facbc4455109cd4609947287b2f3051e6cc8d367e55a34d7137cd4d74

memory/2736-58-0x0000000077050000-0x00000000771F9000-memory.dmp

memory/2736-104-0x0000000074340000-0x00000000744B4000-memory.dmp

memory/1752-106-0x0000000077050000-0x00000000771F9000-memory.dmp

memory/1752-107-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-110-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-111-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-112-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-113-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-114-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-115-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-116-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-117-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-118-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-119-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1752-120-0x0000000000400000-0x0000000000484000-memory.dmp