Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-12b63ada99
Target 6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4
SHA256 6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4
Tags
persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4

Threat Level: Known bad

The file 6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4 was found to be: Known bad.

Malicious Activity Summary

persistence

Modifies WinLogon for persistence

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:08

Reported

2024-04-06 22:11

Platform

win10v2004-20240226-en

Max time kernel

199s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\xdccPrograms\7z.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX5A1F.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\javac.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\OSE.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\idlj.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\setup.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\OSE.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\dotnet.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\sIRC4.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX58E4.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\extcheck.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\extcheck.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\jar.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\dotnet.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\java.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX5992.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\TabTip.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\TabTip.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\createdump.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\iexplore.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\idlj.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\7zG.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX5943.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\sIRC4.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\7z.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\mip.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\LICLUA.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\LICLUA.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\chrome.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
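
Added example (not part of the sandbox report and not the sandbox vendor's code): a small Python triage script that reads indicator rows in the layout of the two signature tables above and turns them into the checks a responder would want. It flags a Winlogon\Shell value that names anything besides explorer.exe, records whether the write landed in the WOW6432Node view (the SysWOW64 drop paths and the WOW6432Node registry path both indicate the sample runs as a 32-bit process under WOW64, so a host check has to read both the native Winlogon key and the WOW6432Node view), de-duplicates the drop list by counting only "File created" rows (the "opened for modification" rows repeat those paths and add RCX*.tmp staging files), and ties the bare sIRC4.exe name in the Shell value back to the dropped C:\Windows\SysWOW64\sIRC4.exe. The rows are constructed from the tables above with the hash-named sample path shortened to sample.exe; the row grammar "<description> <indicator> <process> N/A" is an assumption about the report layout.

```python
import re
from collections import Counter

# Constructed rows in the shape of the report's "Description Indicator Process
# Target" tables (a short subset; the hash-named sample path is shortened to
# sample.exe, whereas the real report repeats the full SHA256 name in every row).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File created C:\Windows\SysWOW64\sIRC4.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\sIRC4.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File created C:\Windows\SysWOW64\DC++ Share\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX5A1F.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'File created C:\Windows\SysWOW64\xdccPrograms\7z.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
]

# Row grammar assumed from the report layout: "<description> <indicator> <process> N/A".
REG_ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+?)'
    r' = "(?P<data>[^"]*)" (?P<proc>C:\\\S+) N/A$'
)
FILE_ROW = re.compile(
    r'^File (?P<action>created|opened for modification) (?P<path>C:\\.+?) (?P<proc>C:\\\S+) N/A$'
)

DEFAULT_SHELL = "explorer.exe"   # the only entry Winlogon\Shell normally holds


def analyze_winlogon_shell(key, name, data):
    """Flag a Winlogon\\Shell value that names anything besides explorer.exe.

    Returns None when the row is not a Shell value or holds only the default.
    """
    if name.lower() != "shell" or not key.lower().endswith("\\winlogon"):
        return None
    # Shell is a comma-separated list; this sample separates entries with a space.
    entries = [e.lower() for e in re.split(r"[,\s]+", data) if e]
    extra = [e for e in entries if e != DEFAULT_SHELL]
    if not extra:
        return None
    return {
        # A 32-bit process writing HKLM\SOFTWARE lands in the WOW6432Node view,
        # so a host check has to read both views, not just the native key.
        "view": "WOW6432Node" if "\\wow6432node\\" in key.lower() else "native",
        "extra_shell_entries": extra,
    }


def triage(rows):
    """Reduce indicator rows to persistence findings and a de-duplicated drop list."""
    findings = {"winlogon": None, "dropped": [], "dirs": Counter(), "correlated": []}
    for row in rows:
        m = REG_ROW.match(row)
        if m:
            hit = analyze_winlogon_shell(m["key"], m["name"], m["data"])
            if hit:
                findings["winlogon"] = hit
            continue
        m = FILE_ROW.match(row)
        # "opened for modification" rows repeat paths already listed as created
        # (and include RCX*.tmp staging files), so only creations count as drops.
        if m and m["action"] == "created":
            findings["dropped"].append(m["path"])
            findings["dirs"][m["path"].rsplit("\\", 1)[0]] += 1
    if findings["winlogon"]:
        # The Shell value names a bare file; tie it back to a dropped path if one matches.
        by_name = {p.rsplit("\\", 1)[1].lower(): p for p in findings["dropped"]}
        findings["correlated"] = [
            by_name[e] for e in findings["winlogon"]["extra_shell_entries"] if e in by_name
        ]
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("Winlogon\\Shell finding:", result["winlogon"])
    print("Named in Shell and dropped by the sample:", result["correlated"])
    for directory, count in sorted(result["dirs"].items()):
        print(f"{count:3d} file(s) dropped under {directory}")
```

Run it against the full row set copied from either behavioral run; the "dirs" counter shows that the drops cluster in C:\Windows\SysWOW64\DC++ Share and C:\Windows\SysWOW64\xdccPrograms, with only sIRC4.exe written directly to SysWOW64, which is the file a host sweep should look for first.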

Processes

C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe

"C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/2100-0-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2100-1-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/2100-2-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/2100-4-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/2100-3-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2100-6-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2100-9-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/2100-8-0x0000000001020000-0x0000000001021000-memory.dmp

memory/2100-7-0x0000000001010000-0x0000000001011000-memory.dmp

memory/2100-5-0x0000000001000000-0x0000000001001000-memory.dmp

C:\Windows\SysWOW64\xdccPrograms\7z.exe

MD5 92976b31ca7336df8c3d5bbb4b133e54
SHA1 f43d4c80f8897f3d59f10aaf51bdf3b2b0cffc94
SHA256 24bdf9e06a65cda1507e664461a12b8bc9a33951963c52c98a0ebc540a23a620
SHA512 194efa414ecc455d5ca56606d557ccebe6298b4001e6bb8823576fdbcbcdcf06c2e7e338346f687fc319371014c9054443ae5af9f2548ef814a49ec15e903a23

memory/2100-31-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2100-32-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2100-33-0x0000000000400000-0x0000000000D43000-memory.dmp

C:\Windows\SysWOW64\DC++ Share\RCX5992.tmp

MD5 ffe62649cbbdc2c74ee3961eed9378aa
SHA1 8d4c1dc8fc6ba6898dd559f6ed2d1469a61fe243
SHA256 207e92bbc717799a25106e1f2bb8ff5a96e55584c27fcf9a7d985979880163ba
SHA512 fd2b4dda8ec57962ed2de8ebe33b8c514191237bcbe34262f72e07d0c78ee652b39a3204318ad26658f1bb043aad073f02637db75791b97121c6c514614431d5

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:08

Reported

2024-04-06 22:10

Platform

win7-20240220-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\extcheck.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\java.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\7zFM.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\apt.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX14ED.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\javap.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\TabTip.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\setup.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX140F.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\sIRC4.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\idlj.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\sIRC4.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX1450.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\jar.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\javah.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\javaws.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\7z.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\master_prefere.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\javap.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\xdccPrograms\7zG.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\javaw.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX15C9.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\setup.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\master_prefere.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX143F.tmp C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\javaws.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\mip.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\7zG.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\apt.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\idlj.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\jar.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\DC++ Share\javac.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\javac.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File opened for modification C:\Windows\SysWOW64\DC++ Share\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A
File created C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe

"C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe"

Network

N/A

Files

memory/2356-0-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2356-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2356-5-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2356-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2356-3-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2356-7-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2356-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2356-8-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2356-38-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2356-36-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2356-33-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2356-31-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2356-28-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2356-26-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2356-23-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2356-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2356-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2356-16-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2356-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2356-13-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2356-12-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

MD5 a3cf5226334f832e4e923895b4b1dc78
SHA1 9b11246e3220110b1f76a7881dd0cbe442047b31
SHA256 0616ede66ac8698ae3fe6b21f7bd39b8ec9c65bd4baf184c16a032ca23ba8084
SHA512 598544955ea4185fd5bea48788250f112d12e1881ed5276c07752e837c4663a428e9453fb89f0e81aa70757e1697ce03b96337fdb67cdae885167230e9c876b1

C:\Windows\SysWOW64\DC++ Share\RCX140F.tmp

MD5 4d98dcee1bfaee6b1e48efad371af4b8
SHA1 dfaf735d8c50c621ef974f9b3f27d85ed24c649d
SHA256 e9fbec5209aa746c6e2a8044172133668eaad214371617ab0dcbc3787b4892b8
SHA512 19c4fdab3737e58a8a778ca5514db7e85cc1c15080644707b9e345ea5a4f2ed43891fc994b059adb2ea74e4737e5c25cc2285a6392fd2ecf355197712f312897

memory/2356-160-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2356-161-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2356-162-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2356-163-0x0000000000400000-0x0000000000D43000-memory.dmp