Malware Analysis Report

2025-03-15 06:51

Sample ID: 240104-btyyesedbp
Target: 24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18
SHA256: 24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18
Tags: game-dd orcus rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18

Threat Level: Known bad

The file 24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18 was found to be: Known bad.

Malicious Activity Summary

game-dd orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus family

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-04 01:26

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 01:26

Reported

2024-01-04 01:29

Platform

win7-20231215-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb8000000000200000000001066000000010000200000004a4e989ed1729d64acd1ee41730f754f77e42dd4f01123537d3b488a8c224a2e000000000e8000000002000020000000e6d8581ea2227083665e40eedea5a2a2cb74950a7ea0a83be34599256f07d6bd20000000c5d8a082ee198ada4607be1f7318e5639b1baeaae2a4d7f0c0ca0c37dffc16f8400000006a4e352adbea5aa679e035527c2932ae8f181d654a40f82bdb0f289a8d4f74f51dc4cac11a8228f1250fa7df44e688bbd93fd16092f6e54173a001e530ed51f2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410493519" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60992a3cad3eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B988131-AAA0-11EE-9840-CE9B5D0C5DE4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe
PID 2664 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe
PID 2664 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe
PID 2432 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2220 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2400 wrote to memory of 688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 688 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2400 wrote to memory of 1640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 1640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 1640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 1640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2400 wrote to memory of 1696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 1696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 1696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 1696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2400 wrote to memory of 2532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2400 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2400 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2432 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe
PID 2400 wrote to memory of 2508 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe

"C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F16DFAFF-45A5-413E-A1EA-F0DA368265DA} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe

C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe

C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe (23 instances, all launched with the same command line)

"C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe" 2432 /protectFile

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=IntelAudioService.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (12 instances, differing only in the CREDAT value)

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2

Other CREDAT values observed: 209929, 472080, 865297, 2110483, 2503710, 2241584, 2503751, 2765877, 2896966, 1520702, 2634880

Network

Country Destination Domain Proto
US 8.8.8.8:53 kissmyasshole.myddns.me udp
RU 89.232.195.236:6666 kissmyasshole.myddns.me tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2432-0-0x0000000000C00000-0x0000000000EFA000-memory.dmp

memory/2432-1-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

memory/2432-2-0x0000000000530000-0x00000000005B0000-memory.dmp

memory/2432-3-0x0000000002500000-0x000000000255C000-memory.dmp

memory/2432-4-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/2432-5-0x0000000000510000-0x0000000000522000-memory.dmp

memory/2432-6-0x000000001AAF0000-0x000000001AB48000-memory.dmp

memory/2432-7-0x0000000000BB0000-0x0000000000BC8000-memory.dmp

memory/2432-8-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

memory/2968-12-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

memory/2968-14-0x0000000002310000-0x0000000002390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\Cab842F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2968-42-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72f23fefcdd323770a64522952823e04
SHA1 b33b29046e5764c20fbf6d9c8626cb66010c9c97
SHA256 1ef2dd3a63509cb29386bacad9d58dbe675bbf5a0f7671b9d72b6c1dafd3bba3
SHA512 096a8c57baece967d1904eb0cd9d85c63a57dbd67974dd488f47b55072b7cd9dd3658a11af90c3a4b184b3c49cb5869cc76e66340a548d68b1d21ea36374384a

C:\Users\Admin\AppData\Local\Temp\TarA18E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2432-177-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a2885851877cd69cf3f349d2a0ade03
SHA1 f0e65fa125adca995bf45fda72f46f48e70834dc
SHA256 fd1e78f7f665705b04c8f5ec8ca59b91415e243afcd171e4c715df1833ddd5b5
SHA512 6dbe0f434399de1c4e73f98c98faa58d10de2d776fac7225a9ce86d4aa2954e4f5995112db5662a8d9bd4d3f6b42308d0248fd8dda124c1194c095915b4cf5e1

memory/2432-492-0x0000000000530000-0x00000000005B0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8237b4c01b00101c2062b44c1fde0bf1
SHA1 11148ab978dc2c44a60d919502be566d51094a5f
SHA256 c5b63dff09ff001bc884b77a33d1629ac2ea1960c914b439071390096d3ac891
SHA512 0c0bd86c094ef60fb058a157247f8607f2aff5c36e524be6440ad09fe0381a29e78cbbf9541f800ee67aa08df6c92f43f6bb14e4f6613bffc6036f75eaf911d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7107ae0c223f2e1f3552301ec413130a
SHA1 6a28fb20583438ddfea7239ac8f7bb56cd1e5fe6
SHA256 e6c27354f51d9d3d072dc4ef85c4ff934ca838b56d7d9802e0ce3f3d049b0c07
SHA512 a7fbc5b2ae7e22d6bcb7b863d0757c31d25b776f50a3569b3da5c493a5cb9eb0fbf33fa34ee49127817316211f06c594e26ca6d3a55926ab840f29408ed5bd9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2c931681144fe7ec6841fd32719f5a0
SHA1 4814e5ff9567990e88b7d49f5f917d39ea69316e
SHA256 c4542f4e237f39372f62112d129feddc691e1113fd2001944cd6d4a432eeccc0
SHA512 fdfa438fd4e2391d90b2b180b0be2f7ebc157b0d394f12482a3f63e80097fadb0ff8453366d37b7c800888506b0ed6f1a001f1608e3c1ba16262be05ba1ab714

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05905bac39e94c1263305af47c7d6559
SHA1 5b1e09aaa65b18dfdd8518841b89eb3f7ea5448a
SHA256 313bf0c01bf3d5992d330d6051821ff1fc874606b36cdbe11780d69140113ebe
SHA512 8e4ead79b6836b737a69c9d9541e335571b53c0f3d5cc17b412abf4da03ce20aa62f7d618e0b9ee533391e99dbbfa70198fcb8e7b8de7fcbbc1516a16312bc2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9dd479482eeefc37ced4802c6025bfa
SHA1 7cb18c5a478c7366b5708932cc5346ef2bd0f9e4
SHA256 c0b75fc6a4ffe4f6256d8f40067267eb48ebec7488b8da4d07afc0d1c0eba300
SHA512 9cdf2c1ee245f0935489e2688ecd0c843b2e654ad66f6a07e0cddfe19be0e398af46dde3acd89c5b57df0e3bcbd887f5ff7134e9b749bcc0e1df03d19cb583df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83653fd5dd02389668450cb7a150038f
SHA1 f81b313b7b4d9a6755d72071cf3feb1811bc6835
SHA256 466ea3c643f3522df293355b68a28eb5c36fbdeb9d2fd9ec0a5b155c6596f7de
SHA512 7d6739ae4d964dbab87e4ebddd6093c0de5b8e39f51954e3c1cd65c8e56109d89e2d6d8f1352f2b75c4e0531ab677ae108949da44a0726de30c8230723d87060

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8c3e8fc746317b5a46ddae674c68ccc
SHA1 b9bdf29ce29bc087d6e0733b3a79d949066e6b33
SHA256 61ffcc795afb33e4a850554ae7afc339c159f833321a193331b100cb2b52ddd9
SHA512 95b0195ad602af13772be101f133e49e48ef6dfbf578b2e70a88dbc585f29699f1757c32e808b6068e7f580e31606d523c079ea0682bd95dc399b92c1510c822

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72de62c723e2fcc14d3279fba2bdca25
SHA1 c27ef8da9b22648b354484005a679ed26bf91000
SHA256 14315af5bc232b8718c4018ab05c8ade33f8db1f4e91b695f7b60379a677155b
SHA512 ef4bb8ba70ece6f928fe9aef5b57347746621f3863aa26d76f9b33ea9a82bfe82e4cd572093c0be57a3a7f108ebac4e79fe2b927fcd250e5ab628decfafce03d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03f135eb0a23ad9834032bc2589f4bad
SHA1 f68d23f1f18769109a66664a98979a7b047f778c
SHA256 78b56a0291717991fb38e53f33b053eb2337b8fec12a731a51618a2e98b3a379
SHA512 a7f8af723e90a3028b5072158c0a3093c370f7dd602510897aebd5338b54383941271808583610746325b70a10535eb796022c0b3ef4bfccfb7d1124f7070829

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d4fe3bca378f1923cf4fdd0382ff02c
SHA1 31c6f626ef8b5dc46b6fd9d2427c92a9372143c0
SHA256 9057045dbb6feb59473fc473ba95bf00a935869f94bd6ffba59be01e48798946
SHA512 a59c5214dbed6db1dff3ae78c17c91675b237ae30f453573832e44bc35dd2b75a577384f396487fcb21d5ff8fed9f6c7a0760640e662c18a9b1ec522524ba352

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7dbe84760a789702c1557456f52af80
SHA1 62aa5a947579d3c3995541e9b58d25332a04e50f
SHA256 b68be7b936cd3e004b84056fbd29dab938077fe39f70a33c8967546c8dd8c1da
SHA512 3fdd9670ebe90c7db396bb3b279bf1a0a3db67a7b46d2c205571546a5218c94105ea817ec9f5605d781c7131f611d2135f24bff977ae43f9a108d3cc530d28a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d89ce5be5b1c8468649d9495edabb14
SHA1 5de90563ec8e3e1be9064b22bdd7ccd9b90b0d7d
SHA256 7b99111b571b3387331ff29cfb5415ae06d2b4618e2b42180903877972ec30ed
SHA512 b506a4ee128658426a8d81b03862d697af4544554a5bbab0f4347260b2e1021fbe95771203a37e0f6242a7a12435bd7b9d4a5bd667f9636f9845c99b08340307

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51d3c267561115f94d13ff9e467ec8be
SHA1 edcc24fa988e2089c21bfc8143cdd4cfd8479f81
SHA256 4036dc720a34438ea1e1b0c493300c64c43bf9f76a1d7894e9c12763c0ea6ba5
SHA512 21410afda7882d5afdbd778a2b5d7bf009153460f1f121e4c388a99a58e3d578178df7da2ba9063a582582ec21bfed4160f93f656d0e32dd9820947820d8ba65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e74bd17bba5b61358e31babd208f5bfa
SHA1 cc30bce325ddf318b82bd637fc3cfc384e837fe8
SHA256 8d106d1abb25e31bef220caeee685f6456bec2eebb8921cfd5dddbac04497470
SHA512 542d896b5d594a7d07f352af283ca79958d6aab3bd1c75c882b1391b652f7429c3cd93c47cc7b596d5f7b0ae1c93c6120ce0a526898f9c4868bbc57d6fbcfad8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1740eb1b94f4f05ff6c5db8fce5aef34
SHA1 fefe1412d759aa74175ceea3f90b8a427583369f
SHA256 0f3d4c2043e3d21c6eacc1c1ba91cc67ceed6f9b5ed406484faf75a2ac59f422
SHA512 e42e8a10ece8cebaa23cbf44ca40f8923ba168a316815e1712add88bf1dcb67e30f3fb8a7e7fa4ad01439a58abe0bb0a488d2c67639329fbfe73b4483d67b599

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86e736f4da2d277e9c26078819a193d4
SHA1 f65f734281a97c4dfc336ebe0da8f4567e734159
SHA256 df2d610a3c0f6e85715b3e5449ca25134a4fd179bc84e86601c7d1784af85830
SHA512 e4a2bd1bc511a59c37f49e37c2d611f7fb34a6732ad6a79c3256aa452745d820bb5434c18f992f4f781ddb8f717e1e88a229ad185d864efcd27ce0c44b575da7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a382ea75020279ba6a66cdc5ba2fddc
SHA1 3b54464d79333b3825a2e4d3db38e766eb0942dc
SHA256 193f229310f9e79aea8ce87b6e28aa87764126abd2055ea41986d1e2734ff266
SHA512 e1d20b12eda93c65748dcc50e56f952272cea2539c7841edea555f6efe08cfa576cd4996f5629905e5f240cdcdd7b60c0d6e66bafac5032d17c6c12ec0229bcc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\invalidcert[1]

MD5 a5d6ba8403d720f2085365c16cebebef
SHA1 487dcb1af9d7be778032159f5c0bc0d25a1bf683
SHA256 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7
SHA512 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\green_shield[1]

MD5 c6452b941907e0f0865ca7cf9e59b97d
SHA1 f9a2c03d1be04b53f2301d3d984d73bf27985081
SHA256 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439
SHA512 beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\red_shield_48[1]

MD5 7c588d6bb88d85c7040c6ffef8d753ec
SHA1 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
SHA256 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
SHA512 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\invalidcert[1]

MD5 8ce0833cca8957bda3ad7e4fe051e1dc
SHA1 e5b9df3b327f52a9ed2d3821851e9fdd05a4b558
SHA256 f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3
SHA512 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJ0GGVIM\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\red_shield[1]

MD5 006def2acbd0d2487dffc287b27654d6
SHA1 c95647a113afc5241bdb313f911bf338b9aeffdc
SHA256 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e
SHA512 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\background_gradient_red[1]

MD5 337038e78cf3c521402fc7352bdd5ea6
SHA1 017eaf48983c31ae36b5de5de4db36bf953b3136
SHA256 fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
SHA512 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26b45b0a41574405d6b5e286439d301d
SHA1 af4546ed642e5508a49aed007d565cb986b9aa19
SHA256 df7f8055fca2bb2b89a3a4057cf6e975447be2fd16d4f2f2589a6551ea9aa593
SHA512 fd4d6578c3789a9a1338fd5da7fa5eef923e99e96630c0187f676065816b216750caad3286247089e7c484664762da5415c27a544e6ad48349276713eae648ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e85169a1795c414eb16ad08812816511
SHA1 eb4fc117b9afecc0d064d983c8f7fe5c65464d44
SHA256 0da2408d9159111292bf37e7d94b779203bf0144594a53d4042b83406c019e57
SHA512 f83e554ba23d22a39aeb2d711b55a59ae33191d7d8f7d3e91c3b622af09c49156759fbe1e3ee7ea00b6c39b0343a36870c28a80c658fbdec2861890c3b748558

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48f4cb37fcaa183b7060fce25461d19e
SHA1 94cae9dba070fb3c018bf3d5161acd952efa86d1
SHA256 28c894062b5afc98ae50250423f6d503ff22abf3d1fa8c55ed01d0d0a6dee133
SHA512 51b3a62e4eb72d1b32b26057b7e8721c2c219d91c1bb9db7f2ce839ff63ef467100b1929f44bb3ff8d19c35e94c1f8bdc9474c15f96faa2bf68be4da6e573caf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7efd2ec3e391bad558425b2a72202bf6
SHA1 1292e728ba9af598171cf9ca679f1c93aaffe2c6
SHA256 d33ad4ec89d3bbeb53e4976c762cabb6accc913e37d20c93a34112df26bb39f1
SHA512 85323953f52f6ce4d48ac9be3171ca8b648ba28584c057076bb25926ab0c36e3915c090da8d5fec7c22d1b653983ce8d23389f6c0867b4c2428478d174f8d123

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5254c393220f53a59c7524d18435fb13
SHA1 c9e25c4da8b47026e44c2531535dcba9adaca0a7
SHA256 52710e77fff9df1eb733d22e3f724b61766a6978e5ec81bf2d13201a14691698
SHA512 a1eaea7d05412ba3c497440116e10453b3bf0f13b209fcf634199978beb23488cfe9f0188b90499b26dce7a2e65ead28c31f6a55e8a57773dacb8fe510f6fca4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36f417a78a1ceb69d6ef68ff52806df2
SHA1 d1b4442e136d91d0bd2a48a777713a8bfcbc3098
SHA256 195fb1820735c9ca445fe63b9d0f2d84e10b35512909911141df99eaf75c503b
SHA512 bbc15d765f36765b98e0ad27114c4f92b282d7a5d7bc1c202d3d733e873d38ed8d8dcead86da980b9c37f5c486efa93d683ac950961d536fa1c0043fef8d732e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f547f2b32dd6974dd6cd2a5c76f035f
SHA1 bb985e311043dc56325a79cff2563613fea86309
SHA256 f90b8716fc37d741383d972ab5f556f309746062ec3a067fd016829fd9c250eb
SHA512 2bc7159ee97cf3066059f53746cd6370f567434e015c7cedf18683a7e94fec5f4bf4840d9cae0fa10581b3c6cf547375dfca71d1bed6ccb6c37275397c275115

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28487536640d9427f77940af751a65fe
SHA1 e9f690636f15131698ee12edb31d044b30bd6313
SHA256 67305992d0cc11db8f22630930e4ff8a7f324e0477726510fef435a7431d87e1
SHA512 9d44c20680d083a7e781b9d046a232a8b2a5ffcca302fe470aacddb41b9d18f47514b19c9af4eda1e105dbde6f8dca521d84f33eac088ddbec7beacb5102bd70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95dd7c6a910695eea307372d096330f6
SHA1 d34f682c620c91743f3ee4e800ecc8098a2bc6a6
SHA256 70862b0ad77ae8307eaed124e88dbe3e1ee8c93b50537b48dd1fae1a26bcbefe
SHA512 2399107e88d7ec9736914d3f7c1f8caa6439736149d1a05b473beb9078641dc41e0ba7148f70e1fd76656efc23aa023a5f61ef44249849304a70c664a4be84f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5157ce723859651b125cea8c53131b7
SHA1 b0fdce8141383549b3c3dfe8260d69b8eb3efd3f
SHA256 4c34ac93fb75719dea8c56d1e151ed7059321f4e5cdf9a989058805919f852ab
SHA512 6c6afa9c25de77baaf6f4539f1f603423ffdb41fa791ed82a9b6256970318281d99fd01734fdb0cae8b07aa32e9d2afec9f6fe1ba0d56f850f10e1cfd14cad41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 627ac153b22121e4955425626b5f3dc6
SHA1 b6194d07ff86b0b5f63ef100bd05bdecbb2d2d66
SHA256 69a5490fcb9316e0b070bd923e44fedc442e320623567a138db5aff7416d79bf
SHA512 00019f68f70f3e0d27defc2e78c7d1481f158112c8687f796d9e5e0aa7448c292310eb86a3961c0dd6b79e823908a61670da135b93937b8c728ec98a493adf08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e07e7c6f75aad8223cf9cc7718443f2c
SHA1 a4b2c73155cf663a7fcb6aef8465313ef8498db1
SHA256 47cd831c0999a4cb073f8bb515c63c1c1bc078573a95b2a26b5508d5c530e53a
SHA512 48dca1c2b6f23e9cd61655e23237e755f4813d70fe75801fc19047108d3194090224391e9aa4fb71dd79e7959f885f06d0d65b280419671bb6eb46fdea45d3da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1bcb63e0768eb233d5c58489a19905e
SHA1 93346a090772bb36ca0ddd82c5c771610657b287
SHA256 07f104d9a5515fefc6746edd354e237ce08aa38da503bbf86d297512fc4fffa6
SHA512 3460a24addb9f5194c9c35aece73a63e728caca6f9a495148fa1ecd4c7f904cdae546755656e84dd7638ed3d8d1541775e62d4950c37937be4d64e3be9dc2aed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9ad0112829768383b79e0c823048967
SHA1 fa43d155f599703a2b143e52460aeafd689a5e14
SHA256 eb48ffd1d67624f36d5dc68392e3c9f8b13f673b1d0f2d95887849770e9aeb70
SHA512 b46ea305746345f126248c2a98dadde2545f42d63837720bb19a0a2f7eb0c9daa7264ecd4a194478fc4e6bc059c28cc74360c6576b7588ad3a8b6a539c7d34b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a785f72ae536e4bb5251678ec435d71b
SHA1 6f0133408193087599dd69379354896ccf1be442
SHA256 dddb4f5d79781bc645329d2492d7aaae0e8bf6a9c104a0919323c74ec55459d6
SHA512 8235e2e38c9bff11fe123acd12b8c981de2d23c76fa5bf0e0822e4a65ccccfc275976964c79cb80ac9e9120b810b340270380d45238adbb895c9d0bcbaeb14cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\~DFF7FEFD797ED4A288.TMP

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-04 01:26

Reported

2024-01-04 01:30

Platform

win10v2004-20231215-en

Max time kernel

196s

Max time network

212s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe

"C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe"

C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe

C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe

C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe

"C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe" 4988 /protectFile

C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe

"C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe" /watchProcess "C:\Users\Admin\AppData\Local\Temp\24db4a99eb4c717414edcab0792214608a2a80cea641a19749d3485dc6711a18.exe" 4988 "/protectFile"

Network

Files

C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe

C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe.config
