Malware Analysis Report

2025-01-02 06:55

Sample ID: 241129-sjpqfawphk
Target: 378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648
SHA256: 378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648
Tags: discovery asyncrat venomrat default execution rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648

Threat Level: Known bad

The file 378d97a39ef4c82dbe95adc05f6b5edee49df9c39decea580ecf1faba96c4648 was found to be: Known bad.

Malicious Activity Summary

discovery asyncrat venomrat default execution rat

Asyncrat family

Venomrat family

AsyncRat

VenomRAT

Async RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-29 15:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 15:09

Reported

2024-11-29 15:12

Platform

win7-20241010-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"

Signatures

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2932 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
PID 2932 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
PID 2932 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
PID 2932 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
PID 2932 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
PID 2932 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
PID 2932 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp
PID 2152 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2896 wrote to memory of 2964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2896 wrote to memory of 2964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2896 wrote to memory of 2964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2896 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 2896 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 2896 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 2896 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 2896 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 2896 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 2896 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 2704 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
PID 2704 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
PID 2704 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
PID 2704 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
PID 2704 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
PID 2704 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
PID 2704 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp
PID 2940 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp | C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Documents\lPix.exe
PID 2752 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Documents\lPix.exe
PID 2752 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Documents\lPix.exe
PID 2752 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Documents\lPix.exe
PID 2752 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Documents\lPix.exe
PID 2752 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Documents\lPix.exe
PID 2752 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Documents\lPix.exe
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2868 wrote to memory of 2200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 2560 wrote to memory of 1964 | N/A | C:\Users\Public\Documents\lPix.exe | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
PID 2560 wrote to memory of 1964 | N/A | C:\Users\Public\Documents\lPix.exe | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
PID 2560 wrote to memory of 1964 | N/A | C:\Users\Public\Documents\lPix.exe | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
PID 2560 wrote to memory of 1964 | N/A | C:\Users\Public\Documents\lPix.exe | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
PID 2560 wrote to memory of 1964 | N/A | C:\Users\Public\Documents\lPix.exe | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
PID 2560 wrote to memory of 1964 | N/A | C:\Users\Public\Documents\lPix.exe | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
PID 2560 wrote to memory of 1964 | N/A | C:\Users\Public\Documents\lPix.exe | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp
PID 1964 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe

"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"

C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp" /SL5="$4010A,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\timeout.exe

timeout /T 3

C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe

"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-R3HCC.tmp\资料_install (1).tmp" /SL5="$601F8,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\lPix.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\LDcA.xls

C:\Users\Public\Documents\lPix.exe

C:\Users\Public\Documents\lPix.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde

C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp" /SL5="$401F4,544961,235520,C:\Users\Public\Documents\lPix.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\timeout.exe

timeout /T 3

C:\Users\Public\Documents\lPix.exe

"C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CRRP9.tmp\lPix.tmp" /SL5="$501EA,544961,235520,C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

C:\Windows\system32\regsvr32.exe

/s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

Network

N/A

Files

memory/2932-0-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2932-2-0x0000000000401000-0x0000000000417000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-TCV3V.tmp\资料_install (1).tmp

MD5 cf45d17c6928f460e9c66d8efd61d15f
SHA1 04f45e51c5ee587ac54084e051837cc4688f3fea
SHA256 a87c544e201116ebe9e5aa748f1a4d91d4aadb18d7a2c24c27a9cf5c881b400b
SHA512 178d1f8df6f98246fa579d49af62a526a7b3ba34532ed0e160b82148bb5869192408562c2a7b4d5602cf7b907acea1f2b716c77b8eff912a930619f6cf70a596

memory/2152-8-0x0000000000400000-0x000000000053F000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-G7DHN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2704-15-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2704-39-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2152-41-0x0000000000400000-0x000000000053F000-memory.dmp

memory/2932-43-0x0000000000400000-0x0000000000444000-memory.dmp

\Users\Public\Documents\lPix.exe

MD5 8cb4b8edf79a9edaf533920c9a4d2757
SHA1 8d5b6701db176148d9bbe8cc97338798c518201c
SHA256 c09f6cc092879d5b34f8668114453cdace4d3a6f303214baeca9a32d62bde1c2
SHA512 82478f5c7592a2555f67608d9564d7b31bdde10443ea6a480d991712c6e2eaafefbb2401746f862960deb8796cf31aff0f3410caeb05fa933d8ecb402581d2e0

memory/2940-38-0x0000000000400000-0x000000000053F000-memory.dmp

memory/2560-54-0x0000000000400000-0x0000000000444000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-K5TO9.tmp\lPix.tmp

MD5 bef5bad133138ce27f0c6e73d5a2e5f9
SHA1 1cfc9e170e100fc23073cdfcf590594e18598314
SHA256 55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65
SHA512 f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d

memory/2200-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Public\Documents\LDcA.xls

MD5 d1ff725260128c439f9bce6f7a26f5ec
SHA1 a22f5c06fd34b59daa1475789f659e324368a76f
SHA256 dfa1e555ec717a30d1ccccc87e64cc143f0f2d436c8aa07221143482045df00d
SHA512 41e4876cea614c602953f40f835172fb80db5b8b241b0bb522eb9535a97c4e2365cfd335395bdbc87245290f7b8331539d43aec2c1be4de2bb3e7e925ea0696c

memory/1664-83-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\unins000.exe

MD5 7d32e1d324403f5baf3443502f6732b9
SHA1 583a56865861c01413abda1daa132b577920504c
SHA256 4b6b8555cca21071bf3c90dc7d8a74e2fa2d1bf5bf85aab0b88a7a19962cb313
SHA512 8880c8f087a848964a777430c72d5ae52c9ff2d82a59b79e9df3084a26889ee5526de02b2b13fd43074510129f0898b093d397e23127cc7330896f10fc6d3e0b

C:\Users\Admin\AppData\Local\unins000.dat

MD5 10e5e58b0f68862da3980e123de613bc
SHA1 a44c201768dfb80765ebea4b560b9340c215a2bc
SHA256 16dcede65eaa9afbfdc0920fbd748d2871133b36ed6aa17865c8167d3d89a293
SHA512 257f53b15d42f17371b5b227e5705bd583dd0e3857d1aded95e95fa6a32250fc3782cc1c8636521bcfcc6fccfa0605f030d5109a8df2d9c9849330c357261b34

C:\Users\Admin\AppData\Local\unins000.exe

MD5 957a6b79d0a55eb26e806e520a56027c
SHA1 4de71cf351276a32f03900ded66a1d0217ab10b1
SHA256 55d7374f4731aaa60d7930ecf5348b08f48f3cbb372a1805609d41ff21e89297
SHA512 d5e295c47e93e18f272f99b2960f2b476ef261a2a7c65635a2c4d74798d4f0409a970ad0039b6258f9addf9d39b2b7e8b5ecb129ca4e2bd123402ad2ddb5cc34

memory/1664-110-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1076-109-0x0000000000400000-0x000000000053F000-memory.dmp

memory/1964-111-0x0000000000400000-0x000000000053F000-memory.dmp

memory/2560-113-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

MD5 385e36fd28d88b4fe7051de59bcd616c
SHA1 0c6bac3bda42f8dedfba7559d092da5baaac81b4
SHA256 f13c09688c8f5e11c57680a446d2ab52918a53782cf2827ca768652e1013b2f0
SHA512 5ea5505dceb529ef4aa40fd13c23646fc36c74e3a0d86047ae66e1d1b70865f24279b3ea1d5a28f456e44a258a7c75516171ee201049e53420a34e69186ba86f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 15:09

Reported

2024-11-29 15:12

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

VenomRAT

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Venomrat family

venomrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Documents\lPix.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp
PID 5044 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1840 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe
PID 3296 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp
PID 1576 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Documents\lPix.exe
PID 680 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2184 wrote to memory of 1964 N/A C:\Users\Public\Documents\lPix.exe C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp
PID 1964 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3560 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Documents\lPix.exe
PID 2820 wrote to memory of 3972 N/A C:\Users\Public\Documents\lPix.exe C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp
PID 3972 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3516 wrote to memory of 4372 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4372 wrote to memory of 2312 N/A C:\Windows\system32\regsvr32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 900 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe

"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"

C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-HL81A.tmp\资料_install (1).tmp" /SL5="$602B6,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\timeout.exe

timeout /T 3

C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe

"C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-UAEOB.tmp\资料_install (1).tmp" /SL5="$40112,1145727,235520,C:\Users\Admin\AppData\Local\Temp\资料_install (1).exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\lPix.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\LDcA.xls

C:\Users\Public\Documents\lPix.exe

C:\Users\Public\Documents\lPix.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\Documents\LDcA.xls"

C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K83E2.tmp\lPix.tmp" /SL5="$802B6,544961,235520,C:\Users\Public\Documents\lPix.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C timeout /T 3 & "C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\timeout.exe

timeout /T 3

C:\Users\Public\Documents\lPix.exe

"C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp

"C:\Users\Admin\AppData\Local\Temp\is-G9GVM.tmp\lPix.tmp" /SL5="$401FE,544961,235520,C:\Users\Public\Documents\lPix.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

C:\Windows\system32\regsvr32.exe

/s /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll' }) { exit 0 } else { exit 1 }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{EFF11FCA-251C-49D8-9A47-AB5692BD08FD}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"

C:\Windows\system32\regsvr32.exe

"regsvr32" /i:INSTALL /s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

C:\Windows\system32\regsvr32.EXE

C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

C:\Windows\system32\regsvr32.EXE

C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\MicrosoftEdgeBed.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
HK 27.124.46.187:7415 tcp
US 8.8.8.8:53 187.46.124.27.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files
