Analysis Overview
SHA256
88298903d11f433f1885306c3f4f4f7233e5b4edddbf89374b689dc0be730206
Threat Level: Known bad
The file d6fc4895775aafffbd52cb8e9e731824.bin was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates processes with tasklist
Runs ping.exe
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-11 04:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-11 04:40
Reported
2024-02-11 04:42
Platform
win7-20231215-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2020 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | C:\Windows\Explorer.EXE |
| PID 2144 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | C:\Windows\Explorer.EXE |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3028 set thread context of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif |
| PID 3028 set thread context of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe | "C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 29428 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 29428\Structure.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Bowling + Micro + Britney 29428\J |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | 29428\Structure.pif 29428\J |
| C:\Windows\SysWOW64\PING.EXE | ping -n 15 localhost |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xixUQZpETzAqMgfiwcxAuhVlZeIZY.xixUQZpETzAqMgfiwcxAuhVlZeIZY | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Delays
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Networks
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aberdeen
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Temporary
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maps
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aggressive
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bowling
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Micro
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Britney
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\Structure.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29428\J
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-11 04:40
Reported
2024-02-11 04:42
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 848 created 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | C:\Windows\system32\sihost.exe |
| PID 1036 created 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4944 set thread context of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif |
| PID 4944 set thread context of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe | "C:\Users\Admin\AppData\Local\Temp\a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 29438 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 29438\Structure.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Bowling + Micro + Britney 29438\J |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | 29438\Structure.pif 29438\J |
| C:\Windows\SysWOW64\PING.EXE | ping -n 15 localhost |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 848 -ip 848 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 440 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 848 -ip 848 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 432 |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1036 -ip 1036 |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 436 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1036 -ip 1036 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 432 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xixUQZpETzAqMgfiwcxAuhVlZeIZY.xixUQZpETzAqMgfiwcxAuhVlZeIZY | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Delays
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Networks
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Temporary
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aggressive
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maps
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aberdeen
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bowling
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Micro
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Britney
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\J
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29438\Structure.pif