Malware Analysis Report

2024-12-07 03:10

Sample ID 241113-scl1zatfqc
Target iltst.zip
SHA256 1d6f7584e8fc83a87851e579dc867c32792bcd329b7280bb100d9e0cba730b04
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1d6f7584e8fc83a87851e579dc867c32792bcd329b7280bb100d9e0cba730b04

Threat Level: Shows suspicious behavior

The file iltst.zip was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 14:58

Reported

2024-11-13 15:01

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PickingNhs C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A
File opened for modification C:\Windows\BarriersB C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A
File opened for modification C:\Windows\PrefixRough C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 3208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 3208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 3208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 5008 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 5008 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 5008 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 5008 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 5008 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe

"C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Zus Zus.cmd & Zus.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 677738

C:\Windows\SysWOW64\findstr.exe

findstr /V "PhiladelphiaFacultyInsulinDifferent" Prisoner

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Merchants + ..\Mcdonald + ..\Album + ..\Candidates + ..\Extreme + ..\Dept + ..\Edmonton s

C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif

Farming.pif s

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 vnEnEAsZbRjillROWxtxgv.vnEnEAsZbRjillROWxtxgv udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 snail-r1ced.cyou udp
US 172.67.199.231:443 snail-r1ced.cyou tcp
US 172.67.199.231:443 snail-r1ced.cyou tcp
US 8.8.8.8:53 231.199.67.172.in-addr.arpa udp
US 172.67.199.231:443 snail-r1ced.cyou tcp
US 172.67.199.231:443 snail-r1ced.cyou tcp
US 172.67.199.231:443 snail-r1ced.cyou tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 172.67.199.231:443 snail-r1ced.cyou tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Zus

MD5 f57b4f35dea7f939528515d2877743b7
SHA1 8c65e425e7912f1fb2b55acd189309fbb1700d4c
SHA256 4432a67e3d73c28725306dae8933cb9570073cd1c4e1a1a0b2d364d7d3878809
SHA512 be15b696b7d15c4ccba783370292796370bff58cfd052482e0a8a0c464c04559649b546121e7b72dab6b7793c7df78aba0335cbd067ff0905f0883ddb775d224

C:\Users\Admin\AppData\Local\Temp\Prisoner

MD5 fa2ad2c0091ba19cbc9339c9e21b76dc
SHA1 dada141a7fe31c487832ae5cae59384df46d3c48
SHA256 832347756573f0b1f143d2181716493df078dc19757760fb978f27bbd32db8bd
SHA512 c9bd863138586fc982536fb69bb48ec20d8d68360a31d6985536b073b58f0f7a41449658c6f60491eda6ca51e3cf30e78fb07ad4f1379628d16a18e00be7e7f9

C:\Users\Admin\AppData\Local\Temp\Compatible

MD5 d6e7ad57b5f8619d610a5a569ee51ba9
SHA1 8c0d6c27e640fcee095fc6d3495343523eb57689
SHA256 e3a992895fb7f239e0641561e40f62b5b42c1f602164f2a1a648b4a747888cb4
SHA512 8c392443223ad0b81ce56c749307570081567ec502dc800a6d73e23bb81ced08c8d93a660e6949d3aa20bfbcdad554a47f96b50d0a479bcae57cef1f9f841fd3

C:\Users\Admin\AppData\Local\Temp\Merchants

MD5 c718448fc0186eaef23c22ecd4538a0f
SHA1 69eda4415d2c78737821cadf0531f6976a700b08
SHA256 8bfd4958ab0465144dc5fae27684ef902389673f812acfbeaf55b114280020af
SHA512 149d9d90ce4c9b1bfa59d4ce746a710c0b9bac9930eb68224cd6db4522cb2a34ca7fc0ee6c1962624753b11450b9a3b65677d48521b07b50c1bd2576a2cc6bad

C:\Users\Admin\AppData\Local\Temp\Mcdonald

MD5 8b953b374762bf4bd86ad80f5f2ff8d2
SHA1 70952f8c55e815f27ad74ac1c496c6a4c3f5adf1
SHA256 232a81b7dc107ed79792d55ef9dfff6e522f429c8c2722e96b1f3444d8070634
SHA512 2850db6252fa0e348938aea2f0c3a055bfef936a21b5327605be87e4c17a58ef82ce58577ec2d1978c6744ffee76fe42412eb7854c69806f87d878c7cb25aea0

C:\Users\Admin\AppData\Local\Temp\Album

MD5 142a4ccb79b82a8744e9e569ed904a2c
SHA1 e16b56a6e4d4bb01ce7a1cf2eecf30ae8f8ffb4d
SHA256 8654680a492b898cfa35889bc69f7acf77a817e404f3f05f58ffb73e686b6d23
SHA512 e148da9a7e01915d54052203601fe248e022956ef5763a931590b66797cb573f5a07f2c12dbe9aa4f2099b11f806c0d2b43b5c073d333dcb36a63c4fc1070496

C:\Users\Admin\AppData\Local\Temp\Candidates

MD5 2a3e1a04c3a5a22f5178f6d4bbf13e4b
SHA1 b5ec0c3088fb6af22e65fb4901b44700cc634ba1
SHA256 2b07021e5210404f0d4e3c4e74d95d9154a1bd4c67ad4299043528ca0cb9bc87
SHA512 d369d23861568d1eb6d39874c5dd059586d476a9b98d1c72671f879ae68ec3e75f1c5f98a9126a1427f446dfac17026c24cb4bc424f02f1dec3f48aba2936611

C:\Users\Admin\AppData\Local\Temp\Extreme

MD5 06e3e5a58599f58ef3b8ea97b950149a
SHA1 98478466ae7ae33cbd0e10a3a0f8607c6e0268fb
SHA256 ab684d18f31a2e8893ca337d30ecd697c7c7324e734faf4d1032d49b176e87b0
SHA512 cb99f29e9442af230e6b5060e2a141177ac949dcd915186bcc24d464d296684dba707b13d15eaa4764bf54818aa57907e06da19abae218de8de5463f8c271d01

C:\Users\Admin\AppData\Local\Temp\Dept

MD5 15f9705c945e9540cc821f3ef941d379
SHA1 6dd641acccc9d8cd6c9790f60ed4b8525ae48dc7
SHA256 832d4fb39077bee580a3c90456f803dcff5627169d87c6a9a0c0b3866e560c13
SHA512 80f0d21697997443a5037c2eb90d36cc5820d07649b6b451443bce0019d6f40eb4df685da53577e9d348397f6d2abfd61fa6b3784c0d9f7dc156c37bc2890c6d

C:\Users\Admin\AppData\Local\Temp\Edmonton

MD5 5d7c20805d320d47ab6ae65794214948
SHA1 639809c3442d96a5a20edc8eabd1a6cac2777dbd
SHA256 f896f837e3da1a5f3412789d252adfe0b178e3413d2662a0803de662be967194
SHA512 8e4dd5baafef95a07f0f4a24e948693e47a9edbac5b51e9f9c2d3c42c4ccea9a0604c682840d3b034cbc34cc1cc8ca803f4c74c40e39a1eb3492096fe25b6193

C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\677738\s

MD5 dcead7456af51437d621d9e036dc0bfa
SHA1 3f4bd88fca78b54e7affe7c867a14395e0eb1f45
SHA256 32ee510f9a33e6eba1dbac1e65297bbd8473347de7a77073c72e6e60767fad6d
SHA512 9166d37d921410310e6c4ca9ee673ed449d901dd88d2036936f171cfe86e764b022d6832e029912b2be1b3157d16361b2e2a972ee27135f76d66d43144cc71d9

memory/2016-425-0x0000000003F70000-0x0000000003FC9000-memory.dmp

memory/2016-426-0x0000000003F70000-0x0000000003FC9000-memory.dmp

memory/2016-427-0x0000000003F70000-0x0000000003FC9000-memory.dmp

memory/2016-429-0x0000000003F70000-0x0000000003FC9000-memory.dmp

memory/2016-428-0x0000000003F70000-0x0000000003FC9000-memory.dmp

memory/2016-430-0x0000000003F70000-0x0000000003FC9000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:58

Reported

2024-11-13 15:01

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\BarriersB C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A
File opened for modification C:\Windows\PrefixRough C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A
File opened for modification C:\Windows\PickingNhs C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 780 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 780 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 780 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 780 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 780 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 780 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 780 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 780 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
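The WriteProcessMemory tables (behavioral2 above and behavioral1 here) log one row per call, which is why each parent/child pair repeats three or four times. Every target in these rows is a process the parent had just launched (cmd.exe, tasklist, findstr, choice, Farming.pif), so the entries are consistent with ordinary child-process creation by the batch script rather than injection into an unrelated process; they are still the quickest way to recover the spawn chain. The script below is an added example by the editor, not part of the sandbox output. It collapses the repeated rows into a parent/child tree and flags the children of cmd.exe that are either discovery tools (tasklist, findstr) or images outside C:\Windows, which here is the dropped Farming.pif. The embedded rows are a subset copied from the behavioral2 table; the flagging rules are the editor's own heuristics.

```python
"""Rebuild the process tree from the report's "Suspicious use of
WriteProcessMemory" rows and point at the cmd.exe-driven discovery chain."""
import re
from collections import OrderedDict

# Rows copied from the behavioral2 (win10) table of this report. The sandbox
# logs one row per WriteProcessMemory call, so a single child spawn appears
# several times; only a subset of the table is reproduced here.
ROWS = r"""
PID 4728 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 3208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5008 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5008 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif
PID 5008 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Built-in tools the batch script uses for discovery (editor's list).
DISCOVERY = {"tasklist.exe", "findstr.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """-> {(parent_pid, child_pid): (parent_image, child_image, call_count)},
    collapsing the repeated rows while keeping first-seen order."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = m.groups()
        key = (int(ppid), int(cpid))
        count = edges[key][2] + 1 if key in edges else 1
        edges[key] = (pimg, cimg, count)
    return edges


def build_tree(edges):
    """-> (children: pid -> [child pids], names: pid -> image path)."""
    children, names = {}, {}
    for (ppid, cpid), (pimg, cimg, _) in edges.items():
        names[ppid], names[cpid] = pimg, cimg
        children.setdefault(ppid, []).append(cpid)
    return children, names


def roots(edges):
    """PIDs that appear as a parent but never as a child."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def render(children, names, pid, depth=0):
    """Indented text rendering of the subtree under pid."""
    lines = [f"{'  ' * depth}{pid} {basename(names[pid])}"]
    for c in children.get(pid, []):
        lines.extend(render(children, names, c, depth + 1))
    return lines


def flag_chain(children, names):
    """(pid, basename) of every child of a cmd.exe that is a discovery tool
    or an image living outside C:\\Windows (i.e. a dropped payload)."""
    findings = []
    for ppid, kids in children.items():
        if basename(names[ppid]).lower() != "cmd.exe":
            continue
        for c in kids:
            image = names[c]
            if basename(image).lower() in DISCOVERY or not image.lower().startswith("c:\\windows\\"):
                findings.append((c, basename(image)))
    return findings


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    children, names = build_tree(edges)
    for r in roots(edges):
        print("\n".join(render(children, names, r)))
    for pid, image in flag_chain(children, names):
        print(f"flag: cmd.exe spawned {image} (pid {pid})")
```

For the behavioral1 table, substitute its rows (PIDs 2364, 780, 608, ...); the tree has the same shape, which is the point: the chain TrustsFloors.exe -> cmd.exe -> {tasklist, findstr, cmd, Farming.pif, choice} is stable across both platforms and is a better hunting pivot than any of the PIDs.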

Processes

C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe

"C:\Users\Admin\AppData\Local\Temp\TrustsFloors.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Zus Zus.cmd & Zus.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 677738

C:\Windows\SysWOW64\findstr.exe

findstr /V "PhiladelphiaFacultyInsulinDifferent" Prisoner

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Merchants + ..\Mcdonald + ..\Album + ..\Candidates + ..\Extreme + ..\Dept + ..\Edmonton s

C:\Users\Admin\AppData\Local\Temp\677738\Farming.pif

Farming.pif s

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5
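The Processes lists (behavioral2 above and behavioral1 here) are identical and read as one batch-driven staging routine: TrustsFloors.exe launches cmd.exe, which copies the extension-less drop "Zus" to Zus.cmd and runs it; the batch runs tasklist twice and pipes it through findstr for process names associated with security products (wrsa, opssvc, then avastui, avgui, bdservicehost, nswscsvc, sophoshealth); creates the working directory 677738; runs findstr /V to emit every line of "Prisoner" that does not contain the marker PhiladelphiaFacultyInsulinDifferent (Farming.pif appears in 677738 immediately afterwards; the redirect is done by the parent cmd.exe and so is not visible in the logged findstr command line); rebuilds a file "s" by concatenating seven chunks with copy /b in a fixed order; executes Farming.pif with s as its argument; and uses choice /d y /t 5 as a five-second delay. The script below is an added example by the editor, not part of the report or the sample. It replays the findstr /V and copy /b steps on an extracted copy of the dropped files and compares the results with the SHA256 values from the Files section, so the staged payload can be confirmed offline. It assumes that Farming.pif is the redirected output of findstr /V and that the dropped files are available together in one directory; the findstr emulation is approximate and the hash check is the final word.

```python
"""Replay the staging steps from the cmd.exe chain (findstr /V, copy /b) on
the dropped files and check the results against the hashes in this report."""
import hashlib
from pathlib import Path

# SHA256 values copied from the Files section of this report.
EXPECTED = {
    "677738/Farming.pif": "05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7",
    "677738/s": "32ee510f9a33e6eba1dbac1e65297bbd8473347de7a77073c72e6e60767fad6d",
}
# Chunk order is taken from the logged `copy /b` command line; it matters.
CHUNKS = ["Merchants", "Mcdonald", "Album", "Candidates", "Extreme", "Dept", "Edmonton"]
# Marker string from the logged `findstr /V` command line.
MARKER = b"PhiladelphiaFacultyInsulinDifferent"


def strip_marker_lines(data, marker=MARKER):
    """Approximate `findstr /V "<marker>" <file>`: keep every line that does
    not contain the marker. Decoy lines salted with the marker drop out and
    all other bytes are left untouched. Approximation: findstr's exact
    treatment of line endings in binary input is not reproduced, so rely on
    the hash comparison for the verdict."""
    kept = [line for line in data.split(b"\n") if marker not in line]
    return b"\n".join(kept)


def copy_binary(parts):
    """`copy /b a + b + ... out` is a plain in-order byte concatenation."""
    return b"".join(parts)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def rebuild(files):
    """files maps dropped-file name -> bytes (see load_dir).
    Returns {staged name: (sha256, matches_report_hash)}. Assumption: the
    findstr /V output was redirected into Farming.pif; cmd.exe performs the
    redirection, which is why it is absent from the logged command line."""
    farming = strip_marker_lines(files["Prisoner"])
    staged = copy_binary([files[name] for name in CHUNKS])
    result = {}
    for name, data in (("677738/Farming.pif", farming), ("677738/s", staged)):
        digest = sha256(data)
        result[name] = (digest, digest == EXPECTED[name])
    return result


def load_dir(temp_dir):
    """Read the dropped files from an extracted copy of the sample's %TEMP%."""
    temp = Path(temp_dir)
    return {name: (temp / name).read_bytes() for name in ["Prisoner"] + CHUNKS}


if __name__ == "__main__":
    import sys
    for name, (digest, ok) in rebuild(load_dir(sys.argv[1])).items():
        print(f"{'OK ' if ok else 'BAD'} {name} {digest}")
```

A mismatch on Farming.pif most likely means the line-ending emulation differs from findstr on that input; a mismatch on s means a chunk is missing or altered. For detection, the stable parts of this chain are tasklist piped into findstr with security-product names, copy /b over several extension-less files in %TEMP%, and execution of a .pif from a freshly created numeric directory; the file names (Zus, Prisoner, Merchants, ...) and the marker string are disposable and should not be the only thing a rule keys on.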

Network

Country Destination Domain Proto
US 8.8.8.8:53 vnEnEAsZbRjillROWxtxgv.vnEnEAsZbRjillROWxtxgv udp
US 8.8.8.8:53 snail-r1ced.cyou udp
US 104.21.84.251:443 snail-r1ced.cyou tcp
US 104.21.84.251:443 snail-r1ced.cyou tcp
US 104.21.84.251:443 snail-r1ced.cyou tcp
US 104.21.84.251:443 snail-r1ced.cyou tcp
US 104.21.84.251:443 snail-r1ced.cyou tcp
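Both Network tables (behavioral2 above and behavioral1 here) show the same pattern: a lookup of a random-looking name whose first label and top-level label are identical (a query of that kind is often used to test whether the environment answers every DNS question, but the response is not in the report, so that reading is unconfirmed), followed by repeated TLS connections to snail-r1ced.cyou on port 443. The two detonations resolved that host to different addresses, 172.67.199.231 and 104.21.84.251, both in ranges announced by Cloudflare, so the domain is the indicator to act on and the IPs are CDN edges that will change. The remaining rows are traffic to the sandbox's resolver (8.8.8.8) and reverse lookups (in-addr.arpa), which are noise. The script below is an added example by the editor, not part of the sandbox output; it parses rows in the table's own column layout, drops the noise, and tags the random name with a length-and-entropy heuristic. The thresholds are the editor's assumptions tuned to this sample, and a real pipeline should also check the top-level label against a public-suffix list.

```python
"""Extract the actionable indicators from the Network tables of this report
and separate them from resolver traffic and reverse-lookup noise."""
import math
import re
from collections import Counter

# Rows copied from the behavioral2 and behavioral1 Network tables of this
# report, with repeated tcp rows collapsed to one each.
NETWORK = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 vnEnEAsZbRjillROWxtxgv.vnEnEAsZbRjillROWxtxgv udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 snail-r1ced.cyou udp
US 172.67.199.231:443 snail-r1ced.cyou tcp
US 8.8.8.8:53 231.199.67.172.in-addr.arpa udp
US 104.21.84.251:443 snail-r1ced.cyou tcp
"""

# Column layout of the table: Country Destination(ip:port) Domain Proto
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (tcp|udp)$")
RESOLVER = "8.8.8.8"  # the sandbox's upstream DNS resolver, not an indicator


def parse_rows(text):
    """-> list of (country, ip, port, domain, proto)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append((country, ip, int(port), domain, proto))
    return rows


def shannon_entropy(s):
    """Bits per character of the case-folded string (0 for a repeated char)."""
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_domain(domain):
    """'ptr' for reverse lookups, 'random' for a long, high-entropy first
    label, 'name' otherwise. The 16-character / 3.5-bit thresholds are an
    editor's heuristic chosen for this sample, not a general-purpose cutoff."""
    if domain.endswith(".in-addr.arpa"):
        return "ptr"
    first = domain.split(".")[0]
    if len(first) >= 16 and shannon_entropy(first) > 3.5:
        return "random"
    return "name"


def extract_iocs(rows):
    """Sorted unique (indicator, kind) pairs: every queried or contacted
    domain, plus every endpoint other than the resolver. PTR rows are
    dropped; the one tied to this sample (231.199.67.172.in-addr.arpa) only
    mirrors an address that is already present in the tcp rows."""
    iocs = set()
    for _country, ip, port, domain, _proto in rows:
        kind = classify_domain(domain)
        if kind == "ptr":
            continue
        iocs.add((domain, "domain-" + kind))
        if ip != RESOLVER:
            iocs.add((f"{ip}:{port}", "endpoint"))
    return sorted(iocs)


if __name__ == "__main__":
    for indicator, kind in extract_iocs(parse_rows(NETWORK)):
        print(f"{kind:14} {indicator}")
```

Block or alert on snail-r1ced.cyou at the resolver or proxy rather than on the two addresses: a third detonation will very likely land on yet another Cloudflare edge, and blocking the edge IP affects unrelated sites behind the same CDN.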

Files

C:\Users\Admin\AppData\Local\Temp\Zus

MD5 f57b4f35dea7f939528515d2877743b7
SHA1 8c65e425e7912f1fb2b55acd189309fbb1700d4c
SHA256 4432a67e3d73c28725306dae8933cb9570073cd1c4e1a1a0b2d364d7d3878809
SHA512 be15b696b7d15c4ccba783370292796370bff58cfd052482e0a8a0c464c04559649b546121e7b72dab6b7793c7df78aba0335cbd067ff0905f0883ddb775d224

C:\Users\Admin\AppData\Local\Temp\Prisoner

MD5 fa2ad2c0091ba19cbc9339c9e21b76dc
SHA1 dada141a7fe31c487832ae5cae59384df46d3c48
SHA256 832347756573f0b1f143d2181716493df078dc19757760fb978f27bbd32db8bd
SHA512 c9bd863138586fc982536fb69bb48ec20d8d68360a31d6985536b073b58f0f7a41449658c6f60491eda6ca51e3cf30e78fb07ad4f1379628d16a18e00be7e7f9

C:\Users\Admin\AppData\Local\Temp\Compatible

MD5 d6e7ad57b5f8619d610a5a569ee51ba9
SHA1 8c0d6c27e640fcee095fc6d3495343523eb57689
SHA256 e3a992895fb7f239e0641561e40f62b5b42c1f602164f2a1a648b4a747888cb4
SHA512 8c392443223ad0b81ce56c749307570081567ec502dc800a6d73e23bb81ced08c8d93a660e6949d3aa20bfbcdad554a47f96b50d0a479bcae57cef1f9f841fd3

C:\Users\Admin\AppData\Local\Temp\Merchants

MD5 c718448fc0186eaef23c22ecd4538a0f
SHA1 69eda4415d2c78737821cadf0531f6976a700b08
SHA256 8bfd4958ab0465144dc5fae27684ef902389673f812acfbeaf55b114280020af
SHA512 149d9d90ce4c9b1bfa59d4ce746a710c0b9bac9930eb68224cd6db4522cb2a34ca7fc0ee6c1962624753b11450b9a3b65677d48521b07b50c1bd2576a2cc6bad

C:\Users\Admin\AppData\Local\Temp\Mcdonald

MD5 8b953b374762bf4bd86ad80f5f2ff8d2
SHA1 70952f8c55e815f27ad74ac1c496c6a4c3f5adf1
SHA256 232a81b7dc107ed79792d55ef9dfff6e522f429c8c2722e96b1f3444d8070634
SHA512 2850db6252fa0e348938aea2f0c3a055bfef936a21b5327605be87e4c17a58ef82ce58577ec2d1978c6744ffee76fe42412eb7854c69806f87d878c7cb25aea0

C:\Users\Admin\AppData\Local\Temp\Album

MD5 142a4ccb79b82a8744e9e569ed904a2c
SHA1 e16b56a6e4d4bb01ce7a1cf2eecf30ae8f8ffb4d
SHA256 8654680a492b898cfa35889bc69f7acf77a817e404f3f05f58ffb73e686b6d23
SHA512 e148da9a7e01915d54052203601fe248e022956ef5763a931590b66797cb573f5a07f2c12dbe9aa4f2099b11f806c0d2b43b5c073d333dcb36a63c4fc1070496

C:\Users\Admin\AppData\Local\Temp\Candidates

MD5 2a3e1a04c3a5a22f5178f6d4bbf13e4b
SHA1 b5ec0c3088fb6af22e65fb4901b44700cc634ba1
SHA256 2b07021e5210404f0d4e3c4e74d95d9154a1bd4c67ad4299043528ca0cb9bc87
SHA512 d369d23861568d1eb6d39874c5dd059586d476a9b98d1c72671f879ae68ec3e75f1c5f98a9126a1427f446dfac17026c24cb4bc424f02f1dec3f48aba2936611

C:\Users\Admin\AppData\Local\Temp\Extreme

MD5 06e3e5a58599f58ef3b8ea97b950149a
SHA1 98478466ae7ae33cbd0e10a3a0f8607c6e0268fb
SHA256 ab684d18f31a2e8893ca337d30ecd697c7c7324e734faf4d1032d49b176e87b0
SHA512 cb99f29e9442af230e6b5060e2a141177ac949dcd915186bcc24d464d296684dba707b13d15eaa4764bf54818aa57907e06da19abae218de8de5463f8c271d01

C:\Users\Admin\AppData\Local\Temp\Dept

MD5 15f9705c945e9540cc821f3ef941d379
SHA1 6dd641acccc9d8cd6c9790f60ed4b8525ae48dc7
SHA256 832d4fb39077bee580a3c90456f803dcff5627169d87c6a9a0c0b3866e560c13
SHA512 80f0d21697997443a5037c2eb90d36cc5820d07649b6b451443bce0019d6f40eb4df685da53577e9d348397f6d2abfd61fa6b3784c0d9f7dc156c37bc2890c6d

C:\Users\Admin\AppData\Local\Temp\Edmonton

MD5 5d7c20805d320d47ab6ae65794214948
SHA1 639809c3442d96a5a20edc8eabd1a6cac2777dbd
SHA256 f896f837e3da1a5f3412789d252adfe0b178e3413d2662a0803de662be967194
SHA512 8e4dd5baafef95a07f0f4a24e948693e47a9edbac5b51e9f9c2d3c42c4ccea9a0604c682840d3b034cbc34cc1cc8ca803f4c74c40e39a1eb3492096fe25b6193

\Users\Admin\AppData\Local\Temp\677738\Farming.pif

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\677738\s

MD5 dcead7456af51437d621d9e036dc0bfa
SHA1 3f4bd88fca78b54e7affe7c867a14395e0eb1f45
SHA256 32ee510f9a33e6eba1dbac1e65297bbd8473347de7a77073c72e6e60767fad6d
SHA512 9166d37d921410310e6c4ca9ee673ed449d901dd88d2036936f171cfe86e764b022d6832e029912b2be1b3157d16361b2e2a972ee27135f76d66d43144cc71d9

memory/2976-427-0x0000000003640000-0x0000000003699000-memory.dmp

memory/2976-428-0x0000000003640000-0x0000000003699000-memory.dmp

memory/2976-429-0x0000000003640000-0x0000000003699000-memory.dmp

memory/2976-431-0x0000000003640000-0x0000000003699000-memory.dmp

memory/2976-432-0x0000000003640000-0x0000000003699000-memory.dmp

memory/2976-430-0x0000000003640000-0x0000000003699000-memory.dmp