Malware Analysis Report

2024-11-13 15:39

Sample ID: 220812-s4l52shcc5
Target: svcsc.exe
SHA256: f9d595fb503dd18335c9ee9bad24e3760c2456d7df20c49c0bbba719c84882e2
Tags: phorphiex, evasion, loader, persistence, trojan, worm
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: f9d595fb503dd18335c9ee9bad24e3760c2456d7df20c49c0bbba719c84882e2
Threat Level: Known bad

The file svcsc.exe was found to be: Known bad.

Malicious Activity Summary

Tags: phorphiex, evasion, loader, persistence, trojan, worm

Phorphiex

Windows security bypass

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Modifies registry class

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-12 15:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-12 15:40
Reported: 2022-08-12 15:45
Platform: win7-20220812-en
Max time kernel: 237s
Max time network: 239s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svcsc.exe"

Signatures

Phorphiex

Tags: worm, trojan, loader, phorphiex

Windows security bypass

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A

Downloads MZ/PE file

Windows security modification

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wklopsvcs.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wklopsvcs.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s" | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\7A6E.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\7A6E.exe | N/A
File created | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\7A6E.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\RAC\mls.exe

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Local\Temp\7A6E.exe
PID 1284 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Local\Temp\7A6E.exe
PID 1284 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Local\Temp\7A6E.exe
PID 1284 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Local\Temp\7A6E.exe
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1284 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
PID 1716 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\7A6E.exe | C:\Windows\wklopsvcs.exe
PID 1716 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\7A6E.exe | C:\Windows\wklopsvcs.exe
PID 1716 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\7A6E.exe | C:\Windows\wklopsvcs.exe
PID 1716 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\7A6E.exe | C:\Windows\wklopsvcs.exe
PID 268 wrote to memory of 1408 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe
PID 268 wrote to memory of 1408 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe
PID 268 wrote to memory of 1408 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe
PID 268 wrote to memory of 1408 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\splwow64.exe
PID 1284 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Roaming\RAC\mls.exe
PID 1284 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Roaming\RAC\mls.exe
PID 1284 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Roaming\RAC\mls.exe
PID 1284 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\svcsc.exe | C:\Users\Admin\AppData\Roaming\RAC\mls.exe
PID 1536 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\RAC\mls.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1536 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\RAC\mls.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1536 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\RAC\mls.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1536 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Roaming\RAC\mls.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1640 wrote to memory of 1344 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\416722873.exe
PID 1640 wrote to memory of 1344 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\416722873.exe
PID 1640 wrote to memory of 1344 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\416722873.exe
PID 1640 wrote to memory of 1344 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\416722873.exe
PID 1640 wrote to memory of 1532 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\1234824544.exe
PID 1640 wrote to memory of 1532 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\1234824544.exe
PID 1640 wrote to memory of 1532 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\1234824544.exe
PID 1640 wrote to memory of 1532 | N/A | C:\Windows\wklopsvcs.exe | C:\Users\Admin\AppData\Local\Temp\1234824544.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\svcsc.exe | "C:\Users\Admin\AppData\Local\Temp\svcsc.exe"
C:\Users\Admin\AppData\Local\Temp\7A6E.exe | "C:\Users\Admin\AppData\Local\Temp\7A6E.exe"
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
C:\Windows\wklopsvcs.exe | C:\Windows\wklopsvcs.exe
C:\Windows\splwow64.exe | C:\Windows\splwow64.exe 12288
C:\Users\Admin\AppData\Roaming\RAC\mls.exe | "C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 124
C:\Users\Admin\AppData\Local\Temp\416722873.exe | C:\Users\Admin\AppData\Local\Temp\416722873.exe
C:\Users\Admin\AppData\Local\Temp\1234824544.exe | C:\Users\Admin\AppData\Local\Temp\1234824544.exe

Network


Files

\Users\Admin\AppData\Local\Temp\7A6E.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

C:\Windows\wklopsvcs.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

C:\Users\Admin\AppData\Local\Temp\svcsc.xls

MD5 c0a83d190005139498523c1e5cf2ab97
SHA1 f503561162f978cd2f6c93545e3c2183cffed4e3
SHA256 f5e4987ef8efe10a55440451365a57b41b8c736f4403ee1ce792680f5b94bf21
SHA512 bd0930b0b76ea10ff8082d3a5e81ab851e683253caaee5ae9f7b76de0964f15e5e67d0262627dcaf7833a64b87e22e9c0bb8b102cc84ce7c5b33894663b0d3e5

memory/1408-71-0x0000000000000000-mapping.dmp

memory/1408-72-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

memory/1536-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RAC\mls.exe

MD5 6740d8a7b536b412240ea4a8b4c790eb
SHA1 6b9a10f5c24551e93e658c1d917828491f2069e2
SHA256 d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3
SHA512 e254b2911fb028b85a300261776721a95045534bfa035e8e96db4c1182a5bd78af4552bce18e73b0de2cecacbe6cea726b817323994f2a24620d4c87a77c82b0

\Users\Admin\AppData\Roaming\RAC\mls.exe

MD5 6740d8a7b536b412240ea4a8b4c790eb
SHA1 6b9a10f5c24551e93e658c1d917828491f2069e2
SHA256 d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3
SHA512 e254b2911fb028b85a300261776721a95045534bfa035e8e96db4c1182a5bd78af4552bce18e73b0de2cecacbe6cea726b817323994f2a24620d4c87a77c82b0

memory/1724-77-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\RAC\mls.exe

MD5 6740d8a7b536b412240ea4a8b4c790eb
SHA1 6b9a10f5c24551e93e658c1d917828491f2069e2
SHA256 d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3
SHA512 e254b2911fb028b85a300261776721a95045534bfa035e8e96db4c1182a5bd78af4552bce18e73b0de2cecacbe6cea726b817323994f2a24620d4c87a77c82b0

C:\Windows\wklopsvcs.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

memory/268-82-0x0000000070D3D000-0x0000000070D48000-memory.dmp

\Users\Admin\AppData\Local\Temp\416722873.exe

MD5 c8a69840ffff790ea975bb0cf55f7f4d
SHA1 dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
SHA512 df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

memory/1344-84-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\416722873.exe

MD5 c8a69840ffff790ea975bb0cf55f7f4d
SHA1 dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
SHA512 df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

\Users\Admin\AppData\Local\Temp\1234824544.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

memory/1532-87-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1234824544.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-12 15:40

Reported

2022-08-12 15:45

Platform

win10-20220722-en

Max time kernel

236s

Max time network

237s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svcsc.exe"

Signatures

Phorphiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wklopsvcs.exe N/A

Downloads MZ/PE file

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\wcdsemgr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s" C:\Users\Admin\AppData\Local\Temp\svcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" C:\Users\Admin\AppData\Local\Temp\34C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wcdsemgr.exe" C:\Users\Admin\AppData\Local\Temp\656425582.exe N/A
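The three registry tables above (Security Center overrides, Security Center notification switches, Run keys) are the part of this report a responder acts on first. The Python below is an added example, not code from the sandbox or from the report: it parses rows in exactly the format the tables use (SAMPLE_ROWS is a subset copied from the behavioral2 tables), flags every Security Center Override/DisableNotify value set to 1, and lists each Run entry with the executable it launches and the process that wrote it. The regex, the value list and the category names are this example's own assumptions.

```python
"""Triage the registry 'Set value' rows from this report.

Added example; not code from the sandbox or the report. SAMPLE_ROWS are
copied from the behavioral2 tables (a subset). The Security Center value
list is the set of names the report shows and nothing more.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Row shape: Set value (int|str) <key path> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<key>.+?) = "(?P<data>.*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

# "1" tells Action Center the category is handled elsewhere (Override)
# or to stop warning about it (DisableNotify).
SECURITY_CENTER_VALUES = {
    "FirewallOverride", "FirewallDisableNotify",
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "AntiSpywareOverride",
    "UpdatesOverride", "UpdatesDisableNotify",
}

SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\wklopsvcs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\Windows\wcdsemgr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s" C:\Users\Admin\AppData\Local\Temp\svcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wklopsvcs.exe" C:\Users\Admin\AppData\Local\Temp\34C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\wcdsemgr.exe" C:\Users\Admin\AppData\Local\Temp\656425582.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\svcsc.exe N/A
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    category: str    # "security_center_tamper" | "run_key_persistence"
    process: str     # process that performed the write
    value_name: str  # registry value name
    data: str        # registry data, unescaped


def unescape(data):
    # The report renders string data with JSON-style \" and \\ escapes.
    return data.replace('\\"', '"').replace('\\\\', '\\')


def parse_row(line):
    """(key path, value name, data, writing process) or None for other row types."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    return key, key.rsplit("\\", 1)[-1], unescape(m.group("data")), m.group("process")


def analyze(rows):
    findings = []
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue  # 'Key created' and similar rows are not Set value rows
        key, name, data, process = parsed
        if "\\Microsoft\\Security Center\\" in key and name in SECURITY_CENTER_VALUES and data == "1":
            findings.append(Finding("security_center_tamper", process, name, data))
        elif "\\CurrentVersion\\Run\\" in key:
            findings.append(Finding("run_key_persistence", process, name, data))
    return findings


def by_process(findings, category):
    """{process: sorted value names} for one finding category."""
    out = defaultdict(set)
    for f in findings:
        if f.category == category:
            out[f.process].add(f.value_name)
    return {p: sorted(v) for p, v in out.items()}


def run_entries(findings):
    """(value name, launched executable, writing process) per Run entry."""
    rows = []
    for f in findings:
        if f.category != "run_key_persistence":
            continue
        d = f.data
        exe = d[1:d.index('"', 1)] if d.startswith('"') else d.split(" ", 1)[0]
        rows.append((f.value_name, exe, f.process))
    return rows


if __name__ == "__main__":
    found = analyze(SAMPLE_ROWS)
    for proc, names in by_process(found, "security_center_tamper").items():
        print(f"{proc} silenced Security Center: {', '.join(names)}")
    for name, exe, writer in run_entries(found):
        print(f"Run\\{name} -> {exe}  (written by {writer})")
```

Run against the full tables, the grouping shows both C:\Windows copies flipping every Security Center category, and it makes one detail of the Run table explicit: both machine-wide entries use the same value name, "Windows Settings", so the write by 656425582.exe replaces the earlier wklopsvcs.exe target with wcdsemgr.exe, while the per-user "mls" entry written by svcsc.exe stands on its own.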

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\34C.exe N/A
File opened for modification C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\34C.exe N/A
File created C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\656425582.exe N/A
File opened for modification C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\656425582.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\RAC\mls.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\svcsc.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Users\Admin\AppData\Local\Temp\34C.exe
PID 2256 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Users\Admin\AppData\Local\Temp\34C.exe
PID 2256 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Users\Admin\AppData\Local\Temp\34C.exe
PID 2256 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2256 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2256 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2256 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Users\Admin\AppData\Roaming\RAC\mls.exe
PID 2256 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Users\Admin\AppData\Roaming\RAC\mls.exe
PID 2256 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\svcsc.exe C:\Users\Admin\AppData\Roaming\RAC\mls.exe
PID 3624 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\34C.exe C:\Windows\wklopsvcs.exe
PID 3624 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\34C.exe C:\Windows\wklopsvcs.exe
PID 3624 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\34C.exe C:\Windows\wklopsvcs.exe
PID 3784 wrote to memory of 3976 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\splwow64.exe
PID 3784 wrote to memory of 3976 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\splwow64.exe
PID 4332 wrote to memory of 4168 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\107459623.exe
PID 4332 wrote to memory of 4168 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\107459623.exe
PID 4332 wrote to memory of 4168 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\107459623.exe
PID 4332 wrote to memory of 3932 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\867831972.exe
PID 4332 wrote to memory of 3932 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\867831972.exe
PID 4332 wrote to memory of 3932 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\867831972.exe
PID 4332 wrote to memory of 4872 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\656425582.exe
PID 4332 wrote to memory of 4872 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\656425582.exe
PID 4332 wrote to memory of 4872 N/A C:\Windows\wklopsvcs.exe C:\Users\Admin\AppData\Local\Temp\656425582.exe
PID 4872 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\656425582.exe C:\Windows\wcdsemgr.exe
PID 4872 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\656425582.exe C:\Windows\wcdsemgr.exe
PID 4872 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\656425582.exe C:\Windows\wcdsemgr.exe
PID 1152 wrote to memory of 2688 N/A C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\183073611.exe
PID 1152 wrote to memory of 2688 N/A C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\183073611.exe
PID 1152 wrote to memory of 2688 N/A C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\183073611.exe
PID 1152 wrote to memory of 4956 N/A C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\2951923665.exe
PID 1152 wrote to memory of 4956 N/A C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\2951923665.exe
PID 1152 wrote to memory of 4956 N/A C:\Windows\wcdsemgr.exe C:\Users\Admin\AppData\Local\Temp\2951923665.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svcsc.exe

"C:\Users\Admin\AppData\Local\Temp\svcsc.exe"

C:\Users\Admin\AppData\Local\Temp\34C.exe

"C:\Users\Admin\AppData\Local\Temp\34C.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\svcsc.xls"

C:\Users\Admin\AppData\Roaming\RAC\mls.exe

"C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 512

C:\Windows\wklopsvcs.exe

C:\Windows\wklopsvcs.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\107459623.exe

C:\Users\Admin\AppData\Local\Temp\107459623.exe

C:\Users\Admin\AppData\Local\Temp\867831972.exe

C:\Users\Admin\AppData\Local\Temp\867831972.exe

C:\Users\Admin\AppData\Local\Temp\656425582.exe

C:\Users\Admin\AppData\Local\Temp\656425582.exe

C:\Windows\wcdsemgr.exe

C:\Windows\wcdsemgr.exe

C:\Users\Admin\AppData\Local\Temp\183073611.exe

C:\Users\Admin\AppData\Local\Temp\183073611.exe

C:\Users\Admin\AppData\Local\Temp\2951923665.exe

C:\Users\Admin\AppData\Local\Temp\2951923665.exe

Network

Country Destination Domain Proto
RU 185.215.113.84:80 185.215.113.84 tcp
IE 20.50.80.210:443 tcp
RU 185.215.113.84:80 185.215.113.84 tcp
NL 87.248.202.1:80 tcp
RU 185.215.113.84:80 185.215.113.84 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
RU 185.215.113.84:80 185.215.113.84 tcp
KZ 95.58.82.147:40500 udp
N/A 192.168.1.68:40500 tcp
N/A 10.231.1.75:40500 tcp
UZ 89.249.62.233:40500 udp
YE 188.240.118.87:40500 tcp
UZ 213.230.108.153:40500 udp
UZ 217.30.161.235:40500 udp
RU 46.0.140.26:40500 udp
IN 117.217.175.143:40500 tcp
BD 103.54.150.88:40500 udp
AF 103.83.18.154:40500 udp
IR 37.202.243.204:40500 udp
RU 46.0.174.179:40500 udp
IR 89.41.14.197:40500 tcp
IR 188.159.182.122:40500 udp
IR 151.238.60.210:40500 udp
SY 82.137.244.49:40500 tcp
IR 5.219.128.72:40500 udp
IR 46.100.99.160:40500 udp
VE 190.142.136.193:40500 udp
YE 5.255.5.144:40500 tcp
IR 5.234.167.230:40500 udp
YE 110.238.56.241:40500 udp
IR 188.159.105.159:40500 udp
UZ 62.209.132.199:40500 tcp
US 69.67.151.14:40500 udp
IR 2.191.26.72:40500 udp
IR 188.159.21.253:40500 udp
N/A 192.168.1.16:40500 tcp
N/A 192.168.1.129:40500 udp
N/A 10.230.7.52:40500 tcp
AZ 37.114.137.218:40500 udp
YE 109.200.169.99:40500 tcp
IR 178.238.194.137:40500 udp
IR 5.237.71.101:40500 udp
SY 88.86.2.26:40500 udp
YE 89.189.79.106:40500 tcp
PK 203.124.52.86:40500 udp
VE 38.25.251.44:40500 udp
IR 2.182.11.201:40500 udp
UZ 89.236.219.200:40500 tcp
BA 146.255.147.99:40500 udp
UZ 213.230.97.32:40500 udp
UZ 213.230.121.236:40500 udp
RU 95.163.189.237:40500 tcp
UZ 195.158.14.139:40500 udp
RU 185.215.113.84:80 185.215.113.84 tcp
RU 92.125.32.120:40500 udp
RU 185.215.113.84:80 185.215.113.84 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
MX 189.251.38.127:40500 udp
UZ 213.230.91.15:40500 tcp
UZ 92.246.78.190:40500 udp
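The Network table above mixes three kinds of traffic: one host contacted again and again over HTTP (185.215.113.84:80), OS background lookups (www.update.microsoft.com), and several dozen connections to port 40500 spread over many countries, including RFC 1918 addresses on the sandbox's own network. The Python below is an added example, not part of the report: it parses rows in the table's format (SAMPLE_ROWS is a subset copied from this table; the Domain column is empty for most rows, so the row has three or four fields), pulls out the repeated destination and the single-port fan-out, and splits the fan-out into private and public targets. The host threshold and the background-domain allow-list are this example's own assumptions.

```python
"""Parse the Network table of this report and separate the repeated HTTP
destination from the single-port fan-out of direct-IP connections.

Added example; not code from the sandbox or the report. SAMPLE_ROWS is a
subset copied from the behavioral2 Network table. The host threshold and
the background-domain allow-list are assumptions made for illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = """
RU 185.215.113.84:80 185.215.113.84 tcp
IE 20.50.80.210:443 tcp
RU 185.215.113.84:80 185.215.113.84 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
RU 185.215.113.84:80 185.215.113.84 tcp
KZ 95.58.82.147:40500 udp
N/A 192.168.1.68:40500 tcp
N/A 10.231.1.75:40500 tcp
UZ 89.249.62.233:40500 udp
YE 188.240.118.87:40500 tcp
IR 37.202.243.204:40500 udp
IR 89.41.14.197:40500 tcp
SY 82.137.244.49:40500 tcp
VE 190.142.136.193:40500 udp
US 69.67.151.14:40500 udp
N/A 192.168.1.16:40500 tcp
N/A 10.230.7.52:40500 tcp
AZ 37.114.137.218:40500 udp
MX 189.251.38.127:40500 udp
""".strip().splitlines()

BACKGROUND_DOMAINS = {"www.update.microsoft.com"}  # assumed OS/sandbox noise


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]  # the Domain column is empty for most rows
    proto: str


def parse_rows(rows):
    """Rows are 'COUNTRY IP:PORT [DOMAIN] PROTO'; the domain is optional."""
    conns = []
    for line in rows:
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, port = parts[1].rsplit(":", 1)
        domain = parts[2] if len(parts) == 4 else None
        conns.append(Conn(parts[0], ip, int(port), domain, parts[-1]))
    return conns


def fan_out_ports(conns, min_hosts=8):
    """Ports reached on at least min_hosts distinct IPs with no DNS name."""
    hosts = defaultdict(set)
    for c in conns:
        if c.domain is None or c.domain == c.ip:
            hosts[c.port].add(c.ip)
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= min_hosts}


def split_private(ips):
    """RFC 1918 / local targets versus public ones, both sorted."""
    priv = sorted(ip for ip in ips if ipaddress.ip_address(ip).is_private)
    pub = sorted(ip for ip in ips if ip not in priv)
    return priv, pub


def repeated_hosts(conns, min_hits=3):
    """(ip, port) pairs hit repeatedly: download source or beacon candidates."""
    hits = Counter((c.ip, c.port) for c in conns
                   if c.domain not in BACKGROUND_DOMAINS)
    return {k: n for k, n in hits.items() if n >= min_hits}


def countries(conns, port):
    return sorted({c.country for c in conns if c.port == port and c.country != "N/A"})


if __name__ == "__main__":
    conns = parse_rows(SAMPLE_ROWS)
    for (ip, port), n in repeated_hosts(conns).items():
        print(f"repeated: {ip}:{port} x{n}")
    for port, ips in fan_out_ports(conns).items():
        priv, pub = split_private(ips)
        print(f"fan-out on port {port}: {len(pub)} public, {len(priv)} private, "
              f"countries {', '.join(countries(conns, port))}")
```

Two things fall out of this split. The repeated HTTP host is the only IOC on the table worth blocking on its own; every port-40500 target is a one-off, so block the port pattern, not the addresses. And the fan-out includes 192.168.1.x and 10.x targets on the detonation network, with no DNS before any of them, which is consistent with the worm tag on this report and means a sandbox with a reachable internal segment should expect to be probed, not just the internet.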

Files

memory/2256-127-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-128-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-129-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-130-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-131-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-132-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-133-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-134-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-135-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-136-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-137-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-139-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-138-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-140-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-141-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-142-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-143-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-144-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-145-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-146-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-147-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-148-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-149-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-150-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-151-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-152-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-153-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-154-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-155-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-156-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-157-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-158-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-159-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-160-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-161-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-163-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-162-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-164-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-165-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-166-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-167-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-168-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-169-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-170-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-171-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-172-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-173-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-174-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-175-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-176-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-177-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-178-0x0000000076F10000-0x000000007709E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

memory/3624-179-0x0000000000000000-mapping.dmp

memory/3624-181-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-182-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/2256-183-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-184-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-185-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-186-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-187-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-188-0x0000000076F10000-0x000000007709E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

memory/3624-190-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-191-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-192-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3624-193-0x0000000076F10000-0x000000007709E000-memory.dmp

memory/3784-248-0x0000000000000000-mapping.dmp

memory/4752-255-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\RAC\mls.exe

MD5 6740d8a7b536b412240ea4a8b4c790eb
SHA1 6b9a10f5c24551e93e658c1d917828491f2069e2
SHA256 d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3
SHA512 e254b2911fb028b85a300261776721a95045534bfa035e8e96db4c1182a5bd78af4552bce18e73b0de2cecacbe6cea726b817323994f2a24620d4c87a77c82b0

memory/3784-295-0x00007FFD80790000-0x00007FFD807A0000-memory.dmp

memory/4332-297-0x0000000000000000-mapping.dmp

C:\Windows\wklopsvcs.exe

MD5 209baf40779b80d5e443c3dbbd656bfb
SHA1 b64fa8dded031d5dacac519a2035cefcd05e6503
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
SHA512 9b4e3e82e141e569c85f22dd215f804b2f4e8969cda858662efca67532ba57d2e0acdbaa179524b4996be62f9acee3298eaf6cdfd03eff7e39e23bc7163c440e

C:\Users\Admin\AppData\Local\Temp\svcsc.xls

MD5 c0a83d190005139498523c1e5cf2ab97
SHA1 f503561162f978cd2f6c93545e3c2183cffed4e3
SHA256 f5e4987ef8efe10a55440451365a57b41b8c736f4403ee1ce792680f5b94bf21
SHA512 bd0930b0b76ea10ff8082d3a5e81ab851e683253caaee5ae9f7b76de0964f15e5e67d0262627dcaf7833a64b87e22e9c0bb8b102cc84ce7c5b33894663b0d3e5

memory/3976-486-0x0000000000000000-mapping.dmp

memory/4168-497-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\107459623.exe

MD5 c8a69840ffff790ea975bb0cf55f7f4d
SHA1 dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
SHA512 df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

memory/3932-537-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\867831972.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

memory/4872-588-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\656425582.exe

MD5 5741eadfc89a1352c61f1ff0a5c01c06
SHA1 cdff6ddd67f17385f283a0f9e8de76731f11a9b6
SHA256 ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3
SHA512 08104893c726e06c6fe7687394d084365b72cf19e821be0d7a1b094c9a0d54ccea65fd01ea33a1f507680d21c6f98e62e2d765b4a0ce3b3d8d458063bd375063

memory/1152-629-0x0000000000000000-mapping.dmp

C:\Windows\wcdsemgr.exe

MD5 5741eadfc89a1352c61f1ff0a5c01c06
SHA1 cdff6ddd67f17385f283a0f9e8de76731f11a9b6
SHA256 ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3
SHA512 08104893c726e06c6fe7687394d084365b72cf19e821be0d7a1b094c9a0d54ccea65fd01ea33a1f507680d21c6f98e62e2d765b4a0ce3b3d8d458063bd375063

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9ABGWTCK\2[1]

MD5 573584190b9ae1f05e0b40591df933c4
SHA1 412fe72d4eb447ac1744bea4a35360703b1fb110
SHA256 85348184c11fe6ea7866ab07f01a7acdd189b0c349b2775f1d28f188b45fa074
SHA512 cc33f657047478259fb4ff1d610b9e8adf55744aa4a0a015413cf2747b11992c4d2d5df9d449690c1d28d905e92e93f2b915edf51e8361973018b17bfad496d4

memory/2688-680-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\183073611.exe

MD5 c8a69840ffff790ea975bb0cf55f7f4d
SHA1 dd1c74f0eb2fc813d16c96669e22fb657b67c4b3
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
SHA512 df22b912e15640cd1c5f91908e1e2d2b4fc7be27d54415fd2c0ba5f0de83a785662b67912e4513e13fde30abab4082763d4dd6e65ddc2cdfe47bbe6ee40d249a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RKA4D8SW\3[1]

MD5 9e2f163c15ee457be1f51981985570a1
SHA1 4a191e6da4a85b915f285e758d0789d2ede3aff1
SHA256 c7de55ddd548f4f268979e1f0c70ab0edb2566c0ce46b921ea281e1570abad82
SHA512 4b3eae4a1df79ac8805f46d32daecdb54028d160a5056679d4478c08e7f8ff42df5f84f4b1fe2cb8b5f3574eae5b18a94ad865edfc4d314a51118316c907967d

C:\Users\Admin\tncmds.dat

MD5 07872b17cfd93a2792bd0b17f5c07002
SHA1 7de2ee0b5255ecc6720fb91cae5e51af20a0e4c5
SHA256 44a3fbe34f99b539d55342fc99c33a9d5c6da95bfc765d94c47eb64ecbdbede0
SHA512 f6c519a48afd92a1eee0f6e4efdf9f0c0cd6104e7edae202aee33d1d8036be3be681032383c0b36fd1ca71ae53600d55b05bb736410f905de06b0f5364d64d37

C:\Users\Admin\tnnodes.dat

MD5 9955ae60a2ed7c794f36ff509c57bd9d
SHA1 26e4da53f46c9d3f94498c6ab3d277ddf37d441a
SHA256 49a160e5d636d06ebc3a6a69b522fe1eed1a71c9dff50079d2adbfde4b16fa6b
SHA512 352d55485153d53a830c470787110755bc17d84cd273e6262193431dbff6e03d2be22cdf2dff6fcb5c95c6eff0536442943e41fb3e02a6c28f2b5f49619a3cc7

memory/4956-723-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2951923665.exe

MD5 a475e43527d7dc7d6f2d23bad64fcc99
SHA1 793a7625c0106d6cd79d060b4eec94e58530833e
SHA256 f97c43bf3dce6180e658f2c3776e31cf52472b28ac8249be4d307880b6405eeb
SHA512 4af57a218d7d790b5ec4581dd2bc941deff05ea11bf6054a9d268c054af421977cdd68d5090884358208925f50023c97e9cfaba0831d72e9bcdcca729447d900

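The Files listing records one entry per write, so the same binary shows up several times under several names, and the drop chain is easy to miss. The Python below is an added example, not part of the report: it parses the listing format (a path line followed by hash lines, with memory dump lines in between; SAMPLE_FILES is a subset copied from the behavioral2 listing, keeping only the path and SHA256 lines to stay short) and groups paths by content hash. The path heuristics and the validation of digest lengths are this example's own assumptions.

```python
"""Group the dropped files listed under 'Files' by content hash.

Added example; not code from the sandbox or the report. SAMPLE_FILES is a
subset of the behavioral2 listing with only the path and SHA256 lines;
the real listing also carries MD5, SHA1 and SHA512 lines, which the
parser accepts too.
"""
import re
from collections import defaultdict

SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\34C.exe
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
memory/3624-179-0x0000000000000000-mapping.dmp
C:\Windows\wklopsvcs.exe
SHA256 c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
C:\Users\Admin\AppData\Roaming\RAC\mls.exe
SHA256 d0613d47a3891dc74fc7f8f03046625a25cec35348911f4cfbde7e2bd607f6b3
C:\Users\Admin\AppData\Local\Temp\107459623.exe
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
C:\Users\Admin\AppData\Local\Temp\183073611.exe
SHA256 e532a8c62dbf01fecc09896f376e689ee836c5498ff24586ed142f72cfd174dc
C:\Users\Admin\AppData\Local\Temp\656425582.exe
SHA256 ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3
C:\Windows\wcdsemgr.exe
SHA256 ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3
C:\Windows\wcdsemgr.exe
SHA256 ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3
C:\Users\Admin\tncmds.dat
SHA256 44a3fbe34f99b539d55342fc99c33a9d5c6da95bfc765d94c47eb64ecbdbede0
C:\Users\Admin\tnnodes.dat
SHA256 49a160e5d636d06ebc3a6a69b522fe1eed1a71c9dff50079d2adbfde4b16fa6b
""".strip().splitlines()

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def is_path(line):
    # behavioral1 lists some paths without the drive letter ("\Users\...").
    return line.startswith("C:\\") or line.startswith("\\Users\\")


def parse_files(lines):
    """One record per listed file; 'memory/...' dump lines are returned separately."""
    entries, dumps, current = [], [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps.append(line)
            current = None
        elif is_path(line):
            current = {"path": line}
            entries.append(current)
        else:
            m = HASH_RE.match(line)
            if m and current is not None:
                algo, digest = m.groups()
                if len(digest) != HASH_LEN[algo]:
                    raise ValueError(f"bad {algo} length for {current['path']}")
                current[algo] = digest
    return entries, dumps


def by_sha256(entries):
    """{sha256: sorted distinct paths}; repeated entries collapse here."""
    groups = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            groups[e["SHA256"]].add(e["path"])
    return {h: sorted(p) for h, p in groups.items()}


def multi_named(groups):
    """Hashes the sample wrote to disk under more than one name."""
    return {h: p for h, p in groups.items() if len(p) > 1}


def windows_root_drops(entries):
    """Files dropped directly into C:\\Windows rather than a subfolder."""
    return sorted({e["path"] for e in entries
                   if re.fullmatch(r"C:\\Windows\\[^\\]+", e["path"])})


if __name__ == "__main__":
    entries, dumps = parse_files(SAMPLE_FILES)
    for h, paths in multi_named(by_sha256(entries)).items():
        print(h[:12], "->", " | ".join(paths))
    print("dropped into C:\\Windows:", windows_root_drops(entries))
```

Grouped this way, the listing reads as a chain rather than a pile: 34C.exe is byte-identical to C:\Windows\wklopsvcs.exe and 656425582.exe to C:\Windows\wcdsemgr.exe (the two files the Drops-file signature attributes to exactly those temp processes), the numbered temp files come in identical pairs, and the distinct-hash list is the set of file IOCs worth keeping.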