Malware Analysis Report

2025-03-15 05:45

Sample ID 240510-p3atvaaf74
Target MsgDiyer.exe
SHA256 7b6e4e165649e15323e01bb38124e14899e720ca7d2cf743a4ee166199c3fa79
Tags aspackv2
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

7b6e4e165649e15323e01bb38124e14899e720ca7d2cf743a4ee166199c3fa79

Threat Level: Shows suspicious behavior

The file MsgDiyer.exe was found to show suspicious behavior.

Malicious Activity Summary

aspackv2

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:50

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:50

Reported

2024-05-10 12:53

Platform

win7-20240221-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\calibrib.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\CURLZ___.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\kalinga.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\SHOWG.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\arial.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\OLDENGL.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\LTYPEB.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\angsaz.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\GLSNECB.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\RAVIE.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\segoeprb.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\constanb.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\msgothic.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\plantc.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\upckbi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ARIALN.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\PAPYRUS.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ITCBLKAD.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\mriam.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\tungab.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\upcji.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BRUSHSCI.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\calibri.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\GILB____.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\HARNGTON.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BELLI.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\SCRIPTBL.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\trebucbi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\upcibi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BOD_I.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\CHILLER.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\MAIAN.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\Vanib.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\corbelb.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\gisha.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\iskpota.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ROCKBI.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\simhei.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\verdana.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\aparaj.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BOD_B.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\browaub.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\mingliu.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\cambria.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\courbi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\FRADMIT.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\GLECB.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ONYX.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\WINGDNG2.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\framdit.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\angsau.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ANTQUAB.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\simsunb.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\MTCORSVA.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\upcil.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BSSYM7.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\comic.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\GIGI.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\LTYPE.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BAUHS93.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\estre.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\PERB____.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\webdings.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\AGENCYR.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe

"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c jieya.cmd

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe

cpio.exe -i

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x00000000009FD000-memory.dmp

memory/2172-1-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\jieya.cmd

MD5 bf80c4e2a7662ca4790e5eb2b94deb63
SHA1 7f4034ca5069a398b1fecc20076d20227629aa77
SHA256 af18207cb457354b44fa00be373e7a4506e34f1d777be842d75f72f769108a55
SHA512 f6dda989804faf8f5362ca55a3080a724a2ad6aa586cf820bd86ad2975e84d07fe9b56e0f41404aebf377db8770eb665a289e4884e5445ac6c567666e15275d8

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\msg

MD5 968c337d23ea50d0f052438a6f0551ad
SHA1 c9e7472dd013cb5b059566bd8c49a0459dbd977a
SHA256 44e48f412fc1b7bb31786f3680cddbf98f5b22603bfb4a32918ba83f21db28b8
SHA512 a770b3d3b3cf724aa3f3bb59b0f8c7cf19dfed8d05fc1089733fe1626ec69c931e0849d96097437625a3965278c8c60a2421ce860348c38409d8eac8ca30d983

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe

MD5 bf4826e42d3f7a0f663178d97b2bd923
SHA1 fc8db6821d8400efdcabb58a89f17413c1d0c986
SHA256 34b18b2cdd21efbf6954fa0f9042d2967fdc22b2cbaa8a72b5a0e2cb2123b922
SHA512 8615e8af72e0762983d623c727e94712ba237b942a24f7811c741d9feb94ed035e95d23252e3aad771578a92fe0725c044411ea49ae7c81843efdc6959b93e18

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libintl3.dll

MD5 d202baa425176287017ffe1fb5d1b77c
SHA1 192e597d8ff0192f6c4e4643361f84277ed51121
SHA256 f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0
SHA512 706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libiconv2.dll

MD5 b6a9e9e63a6cbfc6a593493c943938cb
SHA1 8145e25be5d15ef3105073265ee05f04d836cd82
SHA256 72d73c3238e92208269b9d401b4598987116ea4fcafd91e249b3b9b558d022ff
SHA512 7a7f49811a1e0cbe0060a7334898ca6cfb9cc63f3c76af64445d178d46fad18db6fad024a84f284a2ee2170aa2d38fd79d925d1cc25592a77eeee9aec15567e5

memory/2536-53-0x0000000060E40000-0x0000000060E5D000-memory.dmp

memory/2536-52-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2536-54-0x0000000068080000-0x0000000068174000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\16x16.fnt

MD5 8f64119f1795aef752fa9456946159e7
SHA1 eac57164e63db3838c79362fe7f548f166048e2d
SHA256 89fa6c39de2e6b79c1a182e7f87529a6583a05fd032bbb46f85070f6ce19afde
SHA512 bdb1f07c9d2a9fcafde463095386a53ccdfdaf05fb8166e7628be8f569aa57b686c314edac231714678749d3ffaf18982ec437c6f36492bf92629f3ffc259d7c

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\gfxboot.cfg

MD5 f4b957cf633b256498cf476be34a6fa0
SHA1 7fa4bf5d3267216974b063ea9306ce6da730adc8
SHA256 95a408d57193b1ff25726060c7a1c1bdb0e5fbbbbd43a53d9460a2215d261532
SHA512 9885f2d6161b0f395bfad1fe66ce493956a599120395c09207574ac1cd599b3dfbd2a1087169cc4c237e28ddd1fdbcb035b5a04c85c47290523fed2a88b4fe2a

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\back.jpg

MD5 668884fb8d4f5e33e7940a8cfb6ea853
SHA1 a92d4446f84c9a09af2f12cf2e6c1cb9abc8f1bc
SHA256 bef03bd75cfd3e7a9eda6e48acfd61a43f70d77a61c392ad0690d1b769e0d369
SHA512 a08d0a0e94dc7e7f4859bd6dbe1544ae984ddf477bf77a60ab9417c1f6ddb7051ceaa0594faa4bfdf69e90a5cb2a75d023440ba1fb9d9688c47efb9bf3962fd9

memory/2172-1332-0x0000000000400000-0x00000000009FD000-memory.dmp

memory/2172-1334-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:50

Reported

2024-05-10 12:53

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\PAPYRUS.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\WINGDNG2.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\msgothic.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\msjhl.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\MTEXTRA.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\mvboli.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\palabi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\mingliub.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\segoesc.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ARIALNB.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\courbd.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\gadugib.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\GOTHICB.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\micross.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\Gabriola.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\msyh.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\verdanai.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ARIALNBI.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\Candara.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\Candarab.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\Candaraz.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\couri.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\YuGothL.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\consola.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\constani.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\corbelli.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\courbi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\DUBAI-MEDIUM.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\segoescb.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\WINGDNG3.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ariblk.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\Candaral.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\georgiai.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\LEELAWAD.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\malgunbd.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\ARIALN.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\calibriz.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\georgiaz.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\GOTHIC.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\seguihis.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\seguisbi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\trebucbi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\calibrii.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\DUBAI-BOLD.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\gadugi.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\GARA.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\pala.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\verdanab.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\seguisym.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\trebucit.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BKANT.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\BSSYM7.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\comic.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\consolaz.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\seguisli.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\YuGothM.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\calibrib.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\constanz.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\MISTRAL.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\phagspa.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\Sitka.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\constan.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\corbell.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A
File created C:\Windows\Fonts\LeelUIsl.fot C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe

"C:\Users\Admin\AppData\Local\Temp\MsgDiyer.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jieya.cmd

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe

cpio.exe -i

Network

Country Destination Domain Proto
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/1788-0-0x0000000000400000-0x00000000009FD000-memory.dmp

memory/1788-1-0x00000000029F0000-0x00000000029F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\jieya.cmd

MD5 bf80c4e2a7662ca4790e5eb2b94deb63
SHA1 7f4034ca5069a398b1fecc20076d20227629aa77
SHA256 af18207cb457354b44fa00be373e7a4506e34f1d777be842d75f72f769108a55
SHA512 f6dda989804faf8f5362ca55a3080a724a2ad6aa586cf820bd86ad2975e84d07fe9b56e0f41404aebf377db8770eb665a289e4884e5445ac6c567666e15275d8

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\msg

MD5 968c337d23ea50d0f052438a6f0551ad
SHA1 c9e7472dd013cb5b059566bd8c49a0459dbd977a
SHA256 44e48f412fc1b7bb31786f3680cddbf98f5b22603bfb4a32918ba83f21db28b8
SHA512 a770b3d3b3cf724aa3f3bb59b0f8c7cf19dfed8d05fc1089733fe1626ec69c931e0849d96097437625a3965278c8c60a2421ce860348c38409d8eac8ca30d983

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\cpio.exe

MD5 bf4826e42d3f7a0f663178d97b2bd923
SHA1 fc8db6821d8400efdcabb58a89f17413c1d0c986
SHA256 34b18b2cdd21efbf6954fa0f9042d2967fdc22b2cbaa8a72b5a0e2cb2123b922
SHA512 8615e8af72e0762983d623c727e94712ba237b942a24f7811c741d9feb94ed035e95d23252e3aad771578a92fe0725c044411ea49ae7c81843efdc6959b93e18

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libintl3.dll

MD5 d202baa425176287017ffe1fb5d1b77c
SHA1 192e597d8ff0192f6c4e4643361f84277ed51121
SHA256 f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0
SHA512 706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\libiconv2.dll

MD5 b6a9e9e63a6cbfc6a593493c943938cb
SHA1 8145e25be5d15ef3105073265ee05f04d836cd82
SHA256 72d73c3238e92208269b9d401b4598987116ea4fcafd91e249b3b9b558d022ff
SHA512 7a7f49811a1e0cbe0060a7334898ca6cfb9cc63f3c76af64445d178d46fad18db6fad024a84f284a2ee2170aa2d38fd79d925d1cc25592a77eeee9aec15567e5

memory/1584-48-0x0000000068080000-0x0000000068174000-memory.dmp

memory/1584-47-0x0000000060E40000-0x0000000060E5D000-memory.dmp

memory/1584-46-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\16x16.fnt

MD5 8f64119f1795aef752fa9456946159e7
SHA1 eac57164e63db3838c79362fe7f548f166048e2d
SHA256 89fa6c39de2e6b79c1a182e7f87529a6583a05fd032bbb46f85070f6ce19afde
SHA512 bdb1f07c9d2a9fcafde463095386a53ccdfdaf05fb8166e7628be8f569aa57b686c314edac231714678749d3ffaf18982ec437c6f36492bf92629f3ffc259d7c

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\back.jpg

MD5 668884fb8d4f5e33e7940a8cfb6ea853
SHA1 a92d4446f84c9a09af2f12cf2e6c1cb9abc8f1bc
SHA256 bef03bd75cfd3e7a9eda6e48acfd61a43f70d77a61c392ad0690d1b769e0d369
SHA512 a08d0a0e94dc7e7f4859bd6dbe1544ae984ddf477bf77a60ab9417c1f6ddb7051ceaa0594faa4bfdf69e90a5cb2a75d023440ba1fb9d9688c47efb9bf3962fd9

C:\Users\Admin\AppData\Local\Temp\MsgMTemp\gfxboot.cfg

MD5 f4b957cf633b256498cf476be34a6fa0
SHA1 7fa4bf5d3267216974b063ea9306ce6da730adc8
SHA256 95a408d57193b1ff25726060c7a1c1bdb0e5fbbbbd43a53d9460a2215d261532
SHA512 9885f2d6161b0f395bfad1fe66ce493956a599120395c09207574ac1cd599b3dfbd2a1087169cc4c237e28ddd1fdbcb035b5a04c85c47290523fed2a88b4fe2a

memory/1788-621-0x0000000000400000-0x00000000009FD000-memory.dmp

memory/1788-623-0x00000000029F0000-0x00000000029F1000-memory.dmp