Malware Analysis Report

2024-11-30 05:14

Sample ID 240520-s5bqpsgf3x
Target Cutor2.rar
SHA256 770085623b4d362d143b631396d03255197cdfdff9b239a4668e75a611e0cc53
Tags lumma stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 770085623b4d362d143b631396d03255197cdfdff9b239a4668e75a611e0cc53

Threat Level: Known bad

The file Cutor2.rar was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Runs ping.exe

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-20 15:42

Signatures

N/A

Analysis: behavioral16

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win10v2004-20240426-en
Max time kernel 149s
Max time network 153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Coverage

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Coverage

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win10v2004-20240508-en
Max time kernel 136s
Max time network 100s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Describes

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Describes

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win7-20240221-en
Max time kernel 122s
Max time network 126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Following

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Following

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win10v2004-20240508-en
Max time kernel 148s
Max time network 152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cutor2.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cutor2.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win10v2004-20240508-en
Max time kernel 141s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cutor.exe"

Signatures

Lumma Stealer

stealer lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Cutor.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\297852\Journals.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4528 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4528 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4528 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 4856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4528 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4528 wrote to memory of 4780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4528 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4528 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\297852\Journals.pif
PID 4528 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\297852\Journals.pif
PID 4528 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\297852\Journals.pif
PID 4528 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4528 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4528 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Cutor.exe

"C:\Users\Admin\AppData\Local\Temp\Cutor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Mountain Mountain.cmd & Mountain.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 297852

C:\Windows\SysWOW64\findstr.exe

findstr /V "mjscheduledkindspsychology" Roulette

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bone + Personnel + Watson + Describes 297852\O

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\297852\Journals.pif

297852\Journals.pif 297852\O

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 NQjeNdVADsUyMtAGmp.NQjeNdVADsUyMtAGmp udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 employeedscratshj.shop udp
US 172.67.186.163:443 employeedscratshj.shop tcp
US 8.8.8.8:53 sofaprivateawarderysj.shop udp
US 8.8.8.8:53 lineagelasserytailsd.shop udp
US 8.8.8.8:53 tendencyportionjsuk.shop udp
US 8.8.8.8:53 headraisepresidensu.shop udp
US 8.8.8.8:53 appetitesallooonsj.shop udp
US 8.8.8.8:53 minorittyeffeoos.shop udp
US 8.8.8.8:53 prideconstituiiosjk.shop udp
US 8.8.8.8:53 smallelementyjdui.shop udp
US 8.8.8.8:53 163.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mountain


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Roulette


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Oils


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sperm


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Arrives


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Price


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Return


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Immune


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Corresponding


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spice


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Blond


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sucking


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Following


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scientists


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Referral


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Provisions


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rich


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wed


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sale


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Principal


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Demonstrates


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wedding


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kay


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Walls


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aspect


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coverage


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\K


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Quotations


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spots


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bone


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Personnel


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Describes


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Watson


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\297852\Journals.pif


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\297852\O



Analysis: behavioral10

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win10v2004-20240426-en
Max time kernel 150s
Max time network 151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Blond

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Blond

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win10v2004-20240508-en
Max time kernel 139s
Max time network 106s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Bone

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Bone

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win7-20240221-en
Max time kernel 120s
Max time network 121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Coverage

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Coverage

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-20 15:42
Reported 2024-05-20 15:46
Platform win7-20240221-en
Max time kernel 122s
Max time network 124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cutor2.rar

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298802\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298802\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298802\Journals.pif N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299062\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299062\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299062\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299132\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299132\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299132\Journals.pif N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege, reported by number) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298802\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298802\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298802\Journals.pif N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299062\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299062\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299062\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299132\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299132\Journals.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299132\Journals.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2968 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2968 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2584 wrote to memory of 2684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe
PID 2584 wrote to memory of 2684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe
PID 2584 wrote to memory of 2684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe
PID 2584 wrote to memory of 2684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe
PID 2684 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1744 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1744 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif
PID 1744 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif
PID 1744 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif
PID 1744 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif
PID 1744 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2584 wrote to memory of 2500 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe
PID 2584 wrote to memory of 2500 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe
PID 2584 wrote to memory of 2500 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe
PID 2584 wrote to memory of 2500 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe
PID 2500 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2376 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2376 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2376 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2376 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2376 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2376 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2376 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2376 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cutor2.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cutor2.rar"

C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe

"C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Mountain Mountain.cmd & Mountain.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 298542

C:\Windows\SysWOW64\findstr.exe

findstr /V "mjscheduledkindspsychology" Roulette

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bone + Personnel + Watson + Describes 298542\O

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif

298542\Journals.pif 298542\O

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe

"C:\Users\Admin\AppData\Local\Temp\7zO81A031B6\Cutor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Mountain Mountain.cmd & Mountain.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 298802

C:\Windows\SysWOW64\findstr.exe

findstr /V "mjscheduledkindspsychology" Roulette

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bone + Personnel + Watson + Describes 298802\O

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298802\Journals.pif

298802\Journals.pif 298802\O

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\7zO81A37096\Cutor.exe

"C:\Users\Admin\AppData\Local\Temp\7zO81A37096\Cutor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Mountain Mountain.cmd & Mountain.cmd & exit

C:\Users\Admin\AppData\Local\Temp\7zO81A0D696\Cutor.exe

"C:\Users\Admin\AppData\Local\Temp\7zO81A0D696\Cutor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Mountain Mountain.cmd & Mountain.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 299062

C:\Windows\SysWOW64\findstr.exe

findstr /V "mjscheduledkindspsychology" Roulette

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bone + Personnel + Watson + Describes 299062\O

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299062\Journals.pif

299062\Journals.pif 299062\O

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 299132

C:\Windows\SysWOW64\findstr.exe

findstr /V "mjscheduledkindspsychology" Roulette

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bone + Personnel + Watson + Describes 299132\O

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\299132\Journals.pif

299132\Journals.pif 299132\O

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1
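The process list above is the whole dropper in order: 7-Zip opens the archive, Cutor.exe spawns a 32-bit cmd.exe (note the SysWOW64 path) that copies the dropped blob Mountain to Mountain.cmd and runs it, the script greps tasklist output for security-product processes, creates a six-digit directory, filters padding lines out of Roulette with findstr /V, concatenates Bone, Personnel, Watson and Describes into <dir>\O with copy /b, launches <dir>\Journals.pif on that file, and runs ping -n 5 127.0.0.1 as a delay. The block below is an added detection example, not code from the report or the sandbox: it applies one regex per stage to process-creation records built from the command lines and PIDs shown above, lists the vendors the sample looks for, and walks the parent chain of the .pif. The record shape and the vendor names attached to the process names are the editor's, not the page's.

```python
"""Flag a Lumma-style batch dropper chain from process-creation records.

Added example, not sandbox or report code. The record shape (pid, ppid,
image, cmdline) is assumed; the command lines and PIDs in SAMPLE_EVENTS
are copied from the behavioral1 process list and WriteProcessMemory rows.
"""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Names the sample greps for with `tasklist | findstr /I ...`. The vendor
# labels are the products these processes belong to (editor's annotation).
AV_PROCESS_NAMES = {
    "wrsa.exe": "Webroot SecureAnywhere", "opssvc.exe": "Quick Heal",
    "avastui.exe": "Avast", "avgui.exe": "AVG",
    "nswscsvc.exe": "Norton", "sophoshealth.exe": "Sophos",
}

# One regex per stage, matched against "<image> <cmdline>".
STAGES = {
    # cmd /k copy Mountain Mountain.cmd & Mountain.cmd: rename blob to .cmd, run it
    "self_copy_to_cmd": re.compile(r"/k\s+copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", re.I),
    "av_process_check": re.compile(r'findstr\s+/I\s+"([^"]+)"', re.I),
    "numbered_staging_dir": re.compile(r"cmd\s+/c\s+md\s+\d{6}\b", re.I),
    # findstr /V "<junk>" Roulette: strip padding lines out of a decoy file
    "decoy_line_filter": re.compile(r'findstr\s+/V\s+"[^"]+"\s+\S+', re.I),
    # copy /b A + B + C + D 298542\O: reassemble the payload from fragments
    "binary_concat_payload": re.compile(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\d{6}\\\S+", re.I),
    "pif_from_inet_cache": re.compile(r"Temporary Internet Files\\\d{6}\\[^\\\s]+\.pif", re.I),
    "ping_sleep": re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1", re.I),  # delay loop
}


def match_stages(events):
    """Map each stage name to the PIDs whose image + command line matched it."""
    hits = {}
    for ev in events:
        text = f"{ev.image} {ev.cmdline}"
        for name, rx in STAGES.items():
            m = rx.search(text)
            if m is None:
                continue
            if name == "av_process_check":
                wanted = {t.lower() for t in m.group(1).split()}
                if not wanted & set(AV_PROCESS_NAMES):
                    continue  # findstr /I for something other than AV names
            hits.setdefault(name, []).append(ev.pid)
    return hits


def av_vendors_checked(events):
    """Vendors whose processes the sample looks for before unpacking."""
    vendors = set()
    for ev in events:
        m = STAGES["av_process_check"].search(ev.cmdline)
        for tok in (m.group(1).lower().split() if m else []):
            if tok in AV_PROCESS_NAMES:
                vendors.add(AV_PROCESS_NAMES[tok])
    return sorted(vendors)


def parent_chain(events, pid):
    """Image basenames from pid up to the root of the recorded tree."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain


def verdict(events, min_stages=3):
    """(is_dropper_chain, sorted stage names); three distinct stages already
    separate this chain from ordinary cmd/findstr/ping use."""
    hits = match_stages(events)
    return len(hits) >= min_stages, sorted(hits)


TIF = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
SAMPLE_EVENTS = [  # constructed from the report's own command lines and PIDs
    ProcEvent(2968, 0, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\Cutor2.rar"),
    ProcEvent(2584, 2968, r"C:\Program Files\7-Zip\7zFM.exe",
              r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cutor2.rar"'),
    ProcEvent(2684, 2584, r"C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7zO81A5D156\Cutor.exe"'),
    ProcEvent(1744, 2684, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy Mountain Mountain.cmd & Mountain.cmd & exit'),
    ProcEvent(1788, 1744, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(576, 1744, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(1852, 1744, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(1708, 1744, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(2800, 1744, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 298542"),
    ProcEvent(1220, 1744, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V "mjscheduledkindspsychology" Roulette'),
    ProcEvent(2020, 1744, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b Bone + Personnel + Watson + Describes 298542\O"),
    ProcEvent(1868, 1744, TIF + r"\298542\Journals.pif", r"298542\Journals.pif 298542\O"),
    ProcEvent(1628, 1744, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
]
```

All seven stages fire on the sample; the threshold of three keeps a lone `ping -n 5 127.0.0.1` or a stray `copy /b` from alerting on its own, and the parent chain (Journals.pif under cmd.exe under Cutor.exe under 7zFM.exe) is the lineage to pivot on in EDR telemetry.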

Network

Country Destination Domain Proto
US 8.8.8.8:53 NQjeNdVADsUyMtAGmp.NQjeNdVADsUyMtAGmp udp
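This detonation's only network event is a single UDP query to 8.8.8.8 for a name whose two labels are the same random-looking string; no C2 host is resolved inside the 124 s window, and the Bing, Edge and in-addr.arpa rows that fill the Windows 10 detonations elsewhere on this page are absent because this run was on Windows 7. The block below is an added triage example, not part of the report: it sorts rows taken from the tables on this page into OS noise, PTR lookups and sample-driven names using the editor's own heuristics (repeated labels, label entropy), so that the one row worth pivoting on is returned by itself.

```python
"""Separate sandbox background traffic from sample-driven lookups.

Added example, not sandbox code. ROWS is constructed from Network tables
on this page (country, destination, domain, proto); the sandbox's export
format is not assumed. Bing/Edge and PTR (in-addr.arpa) rows recur in the
Windows 10 detonations of harmless dropped fragments on this page, which
is why they are treated as OS noise; the thresholds are the editor's.
"""
import math
from collections import Counter

OS_NOISE_SUFFIXES = (".bing.com", ".bing.net")


def entropy(label):
    """Shannon entropy in bits per character of a DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def classify(domain):
    if not domain:
        return "no-domain"      # TLS to an address the sandbox could not name
    if domain.endswith(".in-addr.arpa"):
        return "ptr-noise"      # reverse lookups of addresses already contacted
    if domain.endswith(OS_NOISE_SUFFIXES):
        return "os-noise"
    labels = domain.split(".")
    # A name whose labels are all the same random-looking string is not a
    # registrable hostname; whatever its purpose, the sample generated it.
    if len(set(labels)) == 1 or entropy(labels[0]) > 3.5:
        return "sample-driven"
    return "review"


def triage(rows):
    """Unique domains whose lookup the sample itself caused, in table order."""
    out = []
    for _, _, domain, _ in rows:
        if classify(domain) == "sample-driven" and domain not in out:
            out.append(domain)
    return out


# Constructed from the behavioral19 and behavioral1 tables on this page.
ROWS = [
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("NL", "23.62.61.72:443", "www.bing.com", "tcp"),
    ("NL", "52.111.243.31:443", "", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "NQjeNdVADsUyMtAGmp.NQjeNdVADsUyMtAGmp", "udp"),
]
```

The entropy threshold is deliberately loose; the repeated-label test is what catches this row, and anything that lands in "review" still needs a human look before it is written off as noise.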

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mountain

MD5 1f442fb73d09d937f6bcc25652658aa8
SHA1 7d47f3e5573bf12843b9fb8df0a7ecdde10c9dc7
SHA256 9b66a4edacc06979e23b7a267eb01e704710dcd2160ac6df16fa2823b1fdf459
SHA512 da8c9bbad6be295b3cde5f44db858d2b5a03c2acde0f9f9b582ecb7203b77853916d9d22ebb2056e53d96746e9f3dd7e89616d6cca01fb39744128e4fadac1d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Roulette

MD5 b307bbe071e0eac1ef58ae91b18f9756
SHA1 0ad6b3ec67d3393ccf7e2921273da467fb07748c
SHA256 c016da1246b29af5e0b39e560c2ff04970aa5811daf59de3325457aa277f3b4e
SHA512 e4c5739e03fc24abf1a3afa0852157809fb80e9d72732c3c7a2867470dd81cb41bad22249fa78a0dd6333bb2d8629d29490e3407f12c180684fc6a6be0496b54

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Oils

MD5 073f9e2c594b99cfb7ba3880aa680f20
SHA1 84e31597a55f99f7e9322353116c2168ddbf3e9f
SHA256 e3446f9e24cdc1dade438588b8f6a82b5d66baace47736bfc21212f05d83254d
SHA512 7cca73ff39e3c24f281999a1f9c28609c18550af3db0ba5d0bea74aeaa6d570737d9bbc01f3a89de5d934cf8894e75fd81832ac39ae3d59659810e41f5113fa4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sperm

MD5 8b7cd805746dd7d542f11521108000cf
SHA1 560df5a1f4cf97c1686235687082ca84dcc09238
SHA256 7ea7b24c9a43fd3c499254e03b090d3ae9003f4ec7069519e2b88a79cca5e410
SHA512 8a5225600e0dd9cb9a8d31d67379cd865a730b0802f83f336f30945bea42fc008ade55083b5ddd008d34343c5cb7bfcbdfd9bf8aba27f87865bac50d595b26c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Arrives

MD5 473722f790596c4d6b159fcd8a4dadef
SHA1 20271a29dcab261fee279401cba6b0bab3dc2ef2
SHA256 a33baf56fe478318a92035b652b7a7a63721aa119b355fb07e4c2bc3c405cd54
SHA512 338337b9d4645580816abb2a042e2698b2cd698d36475d66f88ba461a6d51bc0899fdb36acd3bb944fa35aeec4d3d816eb386e2bc87de771527da415fd89c194

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Price

MD5 39418d72162b9df1140a89f2f76305a4
SHA1 632d7ec32c9957e6ca6189dbc7336684c38c5c95
SHA256 01fe66fbc940d38ed886c76d4ebf634b94a20f51c074dff3f79994fb0af5fda6
SHA512 d88a5ba614f49473bbc0a2fc4eb3d408a78396467c42a6d525304772266c8f01d0bdfa27fc9e0a8373d02e97d2b8662c1e26d9e5d0b98cdc2ffbf7ea4c5ec33a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Return

MD5 8a1020709bd28304d685a6f2bd995f10
SHA1 f9d5fda4d34eee658b275b08ff33a82a4b29173a
SHA256 b675e5376289d1b683b513d0dc51aef7441d29467f31ffa63f23c8ce7c0b530e
SHA512 ba74fd5d9630d8b6a5177454025123c5c4e5fc486a73bb6734f2de01a308610b537ffa7a063642187dab68fec3a9908fc1859424cdf735007bbd8aa8687f462c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Immune

MD5 45ceb552adc3a75aa55a5d7d78b8c0d7
SHA1 fc584a0cd566842eb236c9c3b2635d2d4b97a5a9
SHA256 dd816a6509a6845e44384860fda4dcad095fac1fb9fdd2e8cceb74fb224dcc91
SHA512 39bfb1470e2cc31127f654a07a17827ba19d6aed1c6108a27dffb8d2bf00ccad8124417f662fe714a30461147d4f860ea97f3e45d26c3df5aa266774a73f82e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Corresponding

MD5 24f764a45140ae61b291022b188cad50
SHA1 ff59085b23c849d589360dc19df2aa82c5032bd0
SHA256 eb85a752452828fe7e83d18dcaa80fdd81b416a3cef1429a8765228bf889738e
SHA512 3fd4f1e7c9214687c99400a951101c194067c01fb79107a3381d5c122900571b0a064548a4f9065b2dc14dbe01b8bf871afc860123408ade78a52a22c28bd122

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spice

MD5 b06d471853c6da37b444d76be3b6ecfc
SHA1 8c2a438aa36f0d8f1cec0b31da0a29b14a812497
SHA256 a2bd59c5f2c04de8d9c33bdef220d6f4a187cd81079cf0b2c93a56fa941d707e
SHA512 654ec116606ed2c6d93a3b769efaab8abcf5510d9b8f3a72af127badebff4d5bee089ce4439cef37e8ec5cd758698978a9674d72b94a309a04096d8402223179

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Blond

MD5 499020d7a6695730ade820ec473a7014
SHA1 8dbe5dd49c6b527426c41eb8f75c66cc525e8d07
SHA256 7b6044b2f019eb7161602f2b177ef387ea22a5fd498f2262e671e6bf1c0418d5
SHA512 273c79a06188de53dfeeaad4ee682ffd6afdc255b28df77e867bef2ddfd44528035cd61732192d7cd76359ac71b9e08c4a3cb94368eed8dd07c5a208c74f54da

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sucking

MD5 56938cf26450118dad55a15254f72f97
SHA1 ed5a4bb79709dac97dc477fa1d648349272aa7a5
SHA256 6540e092e2faa60fe480d81d59e34dd88c13876bef37830e2206bfb59ce9132c
SHA512 5dcd81b1ce7c59cf02e0cc0981d39d4888da6a7ccb0c818a095a4ac9244fd01a78d513198b04b4be867f2574c26bd17b450da2bcdcc30dce9a3de4075f9bc682

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Scientists

MD5 0e5323e41231d475a85eb34008564de9
SHA1 e1200348bb64a087bca0a2dd98559455f506c1b7
SHA256 586162f22f885c94ee84600d8f7682b71b0808473d8eaa43b3215ba110eea9d5
SHA512 783a80bb025cde2c408cb70e84fe8795955fb6553b43c89f3c5915194e4890493aa1069f3bf055ae2a52837474c31eae08b7839d7b109b3d25012199efe8d647

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Referral

MD5 4cbdbdebd19893c381833152e5e19e56
SHA1 2169c833e64ac99c3bfc03747b97e6a44dd55d8c
SHA256 03030ce5872c5919ebab051e61af997c80465f002678c50af377b016b65f2645
SHA512 7779e03a9a1ef90134778a9df83229064c0fa6c912ebf62183d5e9af7d5d21767a90eef0495608d832f40fa098692d32d22243bbf4aa892d6e8ae2d3c0d6b74e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Following

MD5 82d51a65bbe96f2f9e8e7b6cfb333282
SHA1 e8633d184ee93e8792c3ea8b4c1563a126d2dbfc
SHA256 654f10643984ab084893f728bf2e713a432a164d97b29e718dfd018d2acece7a
SHA512 782b892afbc79ccdfecec5072a96e209b6097d116401fe648dedfad06bd7117011af2fc4032976a0b3c6d5e97f29eb2c34e54020dc0bb8c60fdc9596d1abe46b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Provisions

MD5 be14b60d3523be659afe7c53a2a9aa49
SHA1 299a05f78861186ee0c74855f790446d72a25c83
SHA256 20415ec7bf6a4dcbd66a4b5cf66767adfcac2a59c8cb1327feee264ef6d683c3
SHA512 296e5df4f94e3b7f02f6943fa80f35dda72951e64732e60f913d7560e6ffb3288c4c3f388c6fab505479114e163f5ef360828dfc66ba3510d6c576b2d71c4ffc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wed

MD5 40b80c470cf945e5e6c9a00a42ee88e3
SHA1 5fe2646ab8100f8beae82c5492d70665a912f1b5
SHA256 cb7045844af5ed931d7359025b91defd249491b9838ccfee52f8845d582d6076
SHA512 678b0248cb9e676979dfb1b578d9e8cba412d9e10dcce5937df1c52340c549e2e8e4f3cca5f052d9538f1072c46e1a62628da3e6adc28f51818b6860f669d417

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sale

MD5 f60ab8cf18169eb48aa133662c841964
SHA1 7eb62ede0f1080f08455c4a3752eab265cf9cc8d
SHA256 438eb080850f59ad18a338d7d2a5e2d495c7f58370366819031831a6baf2d1e5
SHA512 0f9c1c5921a58675a6502e148ba997d6852e479ca8690f274017e85cc91bb1a378bf53c4695a0237b003051e5cbe48fc6c611e8555e0970907d5925c18186349

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rich

MD5 2c56890263ecb94d2205c8f3fbff85e4
SHA1 a76fa63a6705f9def165271e85360a44c9a30f76
SHA256 7fccc2c8e04bcfeaf347efecb73db0f2d59ecc961e09b789f5e672148142a01b
SHA512 9268d4256566239e1bb557098cb5d00de1b7b4298d00bfe56bfccf3016c8f6ba42921bd182fe744619a6876a498117eceaf8a3c0db4bf6f90026b614e7f0b184

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Demonstrates

MD5 e08e5bf768a64fe55414a7efe75bb98e
SHA1 1a4131e823a04c34bb877e1bd2da4747f88c36e6
SHA256 5f9e851b902ead6c553929b0747a2e4038c0d47a1a9679b0e66186fcbdcf4145
SHA512 920c6db4296d4384d9368313aa9d00d93da69305836cf497bfa864f5907f892b51d6917bd20cf881ed91ac08ad2f3d7768f6dcaf29a4c0c62c526a16eb1653d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Principal

MD5 0177f90b037f9f9ba5c331a8d7d7eb59
SHA1 ecb1458679725cd7c05c3bc7f2daf00970ffc44e
SHA256 7a75623c96b9700b77159cc729b105b127673cb326dc95d124d9e6da1049305e
SHA512 a9907c2a3688974e595eb48b68e95b857450f1995852c08b322ae38f902cabced37ffb254d8b8dad6a301ccf50cc6bf7a8c9a0dea95213b1c728d6702bb14f46

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wedding

MD5 a6916adaee9f6cd664646c133fe21adc
SHA1 eec52f456e83c3e1bd3cb44078fd626f1595285d
SHA256 921695f853705f15c057ee9bcb88163143430f5218eadd65ffa685974bc239ba
SHA512 89c27fab7e1fb34deff313fcdeb3071cf38c3122217fbf2f7adc85c1a6ace34736c50cdaeb8d39e1addebc534456ad346a3892c6c2d63ced2ef53284790c79b9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kay

MD5 9e77f9fc5c1bbae0ade16a1dd8effb21
SHA1 dd769a5be09309f4f21e06d04d68185d624195ac
SHA256 e3e1f7fb978a9ed404525039fafaf519f0d414a44ddae7e3acd92ad3d3bc11fa
SHA512 d04227ffddb76b7ef4e311096ea192252c53be5dfcac97441cddd7be52d056a6dcab4be594ef4d40ed10b45dc50c0f8ac6b0db8dad4a375baa7296e2c15b13d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Aspect

MD5 156462caf2897d681dad8fe61d1c7279
SHA1 a7ed61c1abf6256a339247d5212624d06497051d
SHA256 a4d6fcc99632d1ede57a38043e46f4a0e6d60edc10d388acf47de7f186810d6d
SHA512 c09be41bdd19d22dc9d7d8259116a1c98f5a37819ac4ea45b4230ca093b34784f397d523fc5ae5f644aa3a35750e0c570af01ef94d34b060da5d18c19a30fd67

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spots

MD5 6534ef16cc3db989801dab27ce49df95
SHA1 e2df162e54d2a601ce6af9af1ffe7e0b8dfd5fd6
SHA256 3152a116e9ad00bbd28af33f9f90c18e7703b9df822fa6af720397c3f8ae6e79
SHA512 17174c0412df108cce6efdf944ccc334d699cee8ffc1c42023d25b235e1460a7e329cc453c35b78e19a827a13e4b62ae121aba7dcd71bf6c5d1fd4e3716642be

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Quotations

MD5 2d7d4d7423acbccfce375010af3bfe95
SHA1 7164bc8fa3a08eaccb1441ee00dc0df595e79e35
SHA256 5098e9326c80f53dcafba899fa500a68823d33df64c9641d2b7b4b3551af1b32
SHA512 1c50f366c452dc84aa42b0c69e90b4de97942869da4f465b267a81af2fc37ab6815d2c454038861d38105890fb3962f0f50365cd77dc298c1609377e5349aaec

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\K

MD5 f9596ddb1d9b538409e412b39569212e
SHA1 99de9993abb4c4480061a00e3b7a7e0ec9c18efa
SHA256 8c9328d2260c23517a1835f80946bf9e2e21db5265905484e0ac4d8b888a6162
SHA512 f2fea44814a21507108169f82222a8725fe464c28126edb6edac227f138b406af0d7a19a69738ed3dc7326a44432d93be5124eaad2410c44c54b1e61dbef1afb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Coverage

MD5 d51d5baf2c9751a080d23ca1d67fc877
SHA1 4e03ddd85f9a93d666093fff94296a1e8119b492
SHA256 e66104a1f8fa1926811e2c82f16a415584732d80c984bc95472d26663355130f
SHA512 048eabdff052549ea0005096109a155e3cbb3cb55e45e7a6b4813637b7390f56f605083c352ad01171c275e1e8a1305d1ed4bc3dd62af15bda2e68bfcceeef85

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Walls

MD5 84d1975124695d39a9ed377145e65ef7
SHA1 5cfb122165e5030b6f42442f4d843017de51ebd6
SHA256 910a7915baf6b38abcc2346b6d9aca1967c62d6fe6276474e779c376984bebda
SHA512 f658e2aad732bfd898252029ad928e623a2944f38ed4d2a9f24babc6f6c977c44d168477e51b9b5d9cd4fa5be962b516c7f9b71551759791774a700355f4879e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bone

MD5 124e240a6529b61f018b30adac17553d
SHA1 950077be632fde663aacf7636a0ece5c918d2f63
SHA256 70e4f36876b997f504b67027be7bb02d9fb5faecf014f603cbe7d5e640631994
SHA512 c57ccf9cdcce52cc197fdba2586e9e924823b74cc8491e1cafdf9d74069aa13d4a5dcedaa80804456885bb9fca7ea8beb4a5ebe1ef15c0fb91f5fe127324ab8b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Personnel

MD5 588fc6008acff48bb6638695bcf6f1b0
SHA1 9292a8d099705f171df67fe90ee89bd856abf5df
SHA256 9c0eb0254a68fd60b04489af0bd9615d91a6c1c189af0c457c258c886afd8931
SHA512 1068d494de53e441ee7e89c29062acaf6f966ec53541c0dca79f7660b13d0c7f40c04f17c23928eab548cb5700123f94b60f90f9b9ecc3e35780e3fb9877b804

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Watson

MD5 7aa422834f47f989ad74fb8a87de4225
SHA1 5b94537ea7df76b5b6a70aab1078623198ec2d2f
SHA256 79012da4bd552682d1635fa3fa33209f75bf059c7f63c0ab727ae72fa92f1332
SHA512 d1560c003880da5a030107030504cba01efd0829e5fbf24037145b131752b91c7b295999a0123a87094889cf086f0214fb6efe67bd27faa185b6a38a9b51efca

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Describes

MD5 dab205ef316a75b18e861f7a867e0989
SHA1 650f9b788b6213225dc0f8d21236d1b06bde4fc9
SHA256 a14ab8b356d3d939c5b2283e3cda3af305d4107e7f178c852e0680457acc269e
SHA512 365fa6a6b20c940cee09294c5bfd35c52928874532a5b27e73891a498f1463d84fa0305b2d6a721f67bc39b828379eacfa092df664f73a8f863ae39ef7ae4d8b

\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\Journals.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\298542\O

MD5 46191d9919762445f6246396127d6d86
SHA1 1387f35b5fe3f56402c89444f2e74b0f5d5b4e42
SHA256 7bbe5eb8ffb88fc4e9872cfaa467cf8d41f37466c078fc403f163030abf7c507
SHA512 cc898c08a711d4e5163576d2737735d2f0cb042c87e9e09abe1d3c27751024f9f90314e9dc4d65821d18cf5da1fd592a14f216ba84ec24db119b380644cee736

memory/1868-1366-0x0000000003A50000-0x0000000003AA7000-memory.dmp

memory/1868-1370-0x0000000003A50000-0x0000000003AA7000-memory.dmp

memory/1868-1369-0x0000000003A50000-0x0000000003AA7000-memory.dmp

memory/1868-1368-0x0000000003A50000-0x0000000003AA7000-memory.dmp

memory/1868-1367-0x0000000003A50000-0x0000000003AA7000-memory.dmp
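The Files section records every fragment and both assembled outputs with their hashes, which makes the assembly reproducible offline. The block below is an added example, not the report's or the sandbox's code: it replays the `findstr /V` filter and the `copy /b` concatenation from the process list on constructed placeholder bytes and compares a result against the report's SHA-256 values. One assumption, labelled in the code: the captured findstr command line shows no redirection (cmd.exe performs it), so the filtered Roulette is taken to be 298542\Journals.pif. Whether the line-splitting model matches findstr.exe exactly is what the hash comparison on real artifacts settles.

```python
"""Replay the dropper's own file operations offline and check the result
against the report's hashes.

Added example, not sandbox code. Two commands from the behavioral1 process
list are reproduced: `findstr /V "mjscheduledkindspsychology" Roulette`
and `copy /b Bone + Personnel + Watson + Describes 298542\O`. The captured
findstr command line carries no redirection (cmd.exe handles it), so the
ASSUMPTION here is that its output became 298542\Journals.pif. The bytes
in CONSTRUCTED are placeholders; on real artifacts use load_fragments on
the Temporary Internet Files folder and compare with REPORT_SHA256.
"""
import hashlib
import os

MARKER = b"mjscheduledkindspsychology"
ORDER = ["Bone", "Personnel", "Watson", "Describes"]  # copy /b operand order
# Values from the Files section of behavioral1, used only for comparison.
REPORT_SHA256 = {
    "298542\\Journals.pif": "8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb",
    "298542\\O": "7bbe5eb8ffb88fc4e9872cfaa467cf8d41f37466c078fc403f163030abf7c507",
}


def findstr_v(data, marker):
    """Approximate `findstr /V "marker" file`: keep every \\n-separated line
    that does NOT contain marker (case-sensitive, since no /I was given).
    Lines without the marker pass through byte for byte, which is how a
    binary survives the filter; only the padding lines the dropper
    interleaved are removed."""
    kept = [line for line in data.split(b"\n") if marker not in line]
    return b"\n".join(kept)


def copy_b(fragments):
    """`copy /b A + B + ... dest` is plain concatenation in operand order."""
    return b"".join(fragments)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def rebuild(files, order=ORDER, decoy="Roulette", marker=MARKER):
    """files: {name: bytes}. Returns (filtered_decoy, concatenated_payload)."""
    interpreter = findstr_v(files[decoy], marker)
    payload = copy_b([files[name] for name in order])
    return interpreter, payload


def matches_report(data, expected_hex):
    """True when the rebuilt bytes hash to the value the report recorded."""
    return sha256(data) == expected_hex.lower()


def load_fragments(folder, names):
    """Read real artifacts from disk (not used by the constructed demo)."""
    out = {}
    for name in names:
        with open(os.path.join(folder, name), "rb") as fh:
            out[name] = fh.read()
    return out


# CONSTRUCTED stand-ins: a fake header split in four, and a decoy with two
# marker lines wrapped around the lines that should survive the filter.
CONSTRUCTED = {
    "Bone": b"MZ\x90\x00\x03\x00",
    "Personnel": b"\x00\x00\x04\x00",
    "Watson": b"\x00\x00\xff\xff",
    "Describes": b"\x00\x00\xb8\x00",
    "Roulette": b"MZ\x90\x00line1\n" + MARKER + b" padding\nline2\x00\x00\n"
                + MARKER + b"\nline3",
}
```

On a real extraction, pass `load_fragments(folder, ORDER + ["Roulette"])` to `rebuild` and require `matches_report` to be True for both outputs before treating Journals.pif and O as the interpreter and its input; a mismatch means the redirect target or the findstr line model is wrong, not the hashes in the report.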

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Blond

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Blond

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

97s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Corresponding

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Corresponding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

113s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Demonstrates

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Demonstrates

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240508-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Bone

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Bone

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Corresponding

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Corresponding

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

108s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Immune

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Immune

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

132s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\K

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\K

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3848,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

134s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Arrives

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Arrives

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.171:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Describes

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Describes

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240215-en

Max time kernel

117s

Max time network

117s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Demonstrates

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Demonstrates

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Mountain

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Mountain

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Mountain

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Mountain

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Oils

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Oils

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Kay

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Kay

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Following

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Following

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Oils

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Oils

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cutor.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\Journals.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Cutor.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2552 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2552 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\Journals.pif
PID 2552 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\Journals.pif
PID 2552 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\Journals.pif
PID 2552 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\Journals.pif
PID 2552 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2552 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2552 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2552 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Cutor.exe

"C:\Users\Admin\AppData\Local\Temp\Cutor.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Mountain Mountain.cmd & Mountain.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 297892

C:\Windows\SysWOW64\findstr.exe

findstr /V "mjscheduledkindspsychology" Roulette

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Bone + Personnel + Watson + Describes 297892\O

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\Journals.pif

297892\Journals.pif 297892\O

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 NQjeNdVADsUyMtAGmp.NQjeNdVADsUyMtAGmp udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mountain

MD5 1f442fb73d09d937f6bcc25652658aa8
SHA1 7d47f3e5573bf12843b9fb8df0a7ecdde10c9dc7
SHA256 9b66a4edacc06979e23b7a267eb01e704710dcd2160ac6df16fa2823b1fdf459
SHA512 da8c9bbad6be295b3cde5f44db858d2b5a03c2acde0f9f9b582ecb7203b77853916d9d22ebb2056e53d96746e9f3dd7e89616d6cca01fb39744128e4fadac1d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Roulette

MD5 b307bbe071e0eac1ef58ae91b18f9756
SHA1 0ad6b3ec67d3393ccf7e2921273da467fb07748c
SHA256 c016da1246b29af5e0b39e560c2ff04970aa5811daf59de3325457aa277f3b4e
SHA512 e4c5739e03fc24abf1a3afa0852157809fb80e9d72732c3c7a2867470dd81cb41bad22249fa78a0dd6333bb2d8629d29490e3407f12c180684fc6a6be0496b54

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Oils

MD5 073f9e2c594b99cfb7ba3880aa680f20
SHA1 84e31597a55f99f7e9322353116c2168ddbf3e9f
SHA256 e3446f9e24cdc1dade438588b8f6a82b5d66baace47736bfc21212f05d83254d
SHA512 7cca73ff39e3c24f281999a1f9c28609c18550af3db0ba5d0bea74aeaa6d570737d9bbc01f3a89de5d934cf8894e75fd81832ac39ae3d59659810e41f5113fa4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sperm

MD5 8b7cd805746dd7d542f11521108000cf
SHA1 560df5a1f4cf97c1686235687082ca84dcc09238
SHA256 7ea7b24c9a43fd3c499254e03b090d3ae9003f4ec7069519e2b88a79cca5e410
SHA512 8a5225600e0dd9cb9a8d31d67379cd865a730b0802f83f336f30945bea42fc008ade55083b5ddd008d34343c5cb7bfcbdfd9bf8aba27f87865bac50d595b26c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Arrives

MD5 473722f790596c4d6b159fcd8a4dadef
SHA1 20271a29dcab261fee279401cba6b0bab3dc2ef2
SHA256 a33baf56fe478318a92035b652b7a7a63721aa119b355fb07e4c2bc3c405cd54
SHA512 338337b9d4645580816abb2a042e2698b2cd698d36475d66f88ba461a6d51bc0899fdb36acd3bb944fa35aeec4d3d816eb386e2bc87de771527da415fd89c194

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Price

MD5 39418d72162b9df1140a89f2f76305a4
SHA1 632d7ec32c9957e6ca6189dbc7336684c38c5c95
SHA256 01fe66fbc940d38ed886c76d4ebf634b94a20f51c074dff3f79994fb0af5fda6
SHA512 d88a5ba614f49473bbc0a2fc4eb3d408a78396467c42a6d525304772266c8f01d0bdfa27fc9e0a8373d02e97d2b8662c1e26d9e5d0b98cdc2ffbf7ea4c5ec33a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Return

MD5 8a1020709bd28304d685a6f2bd995f10
SHA1 f9d5fda4d34eee658b275b08ff33a82a4b29173a
SHA256 b675e5376289d1b683b513d0dc51aef7441d29467f31ffa63f23c8ce7c0b530e
SHA512 ba74fd5d9630d8b6a5177454025123c5c4e5fc486a73bb6734f2de01a308610b537ffa7a063642187dab68fec3a9908fc1859424cdf735007bbd8aa8687f462c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Immune

MD5 45ceb552adc3a75aa55a5d7d78b8c0d7
SHA1 fc584a0cd566842eb236c9c3b2635d2d4b97a5a9
SHA256 dd816a6509a6845e44384860fda4dcad095fac1fb9fdd2e8cceb74fb224dcc91
SHA512 39bfb1470e2cc31127f654a07a17827ba19d6aed1c6108a27dffb8d2bf00ccad8124417f662fe714a30461147d4f860ea97f3e45d26c3df5aa266774a73f82e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Corresponding

MD5 24f764a45140ae61b291022b188cad50
SHA1 ff59085b23c849d589360dc19df2aa82c5032bd0
SHA256 eb85a752452828fe7e83d18dcaa80fdd81b416a3cef1429a8765228bf889738e
SHA512 3fd4f1e7c9214687c99400a951101c194067c01fb79107a3381d5c122900571b0a064548a4f9065b2dc14dbe01b8bf871afc860123408ade78a52a22c28bd122

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spice

MD5 b06d471853c6da37b444d76be3b6ecfc
SHA1 8c2a438aa36f0d8f1cec0b31da0a29b14a812497
SHA256 a2bd59c5f2c04de8d9c33bdef220d6f4a187cd81079cf0b2c93a56fa941d707e
SHA512 654ec116606ed2c6d93a3b769efaab8abcf5510d9b8f3a72af127badebff4d5bee089ce4439cef37e8ec5cd758698978a9674d72b94a309a04096d8402223179

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Blond

MD5 499020d7a6695730ade820ec473a7014
SHA1 8dbe5dd49c6b527426c41eb8f75c66cc525e8d07
SHA256 7b6044b2f019eb7161602f2b177ef387ea22a5fd498f2262e671e6bf1c0418d5
SHA512 273c79a06188de53dfeeaad4ee682ffd6afdc255b28df77e867bef2ddfd44528035cd61732192d7cd76359ac71b9e08c4a3cb94368eed8dd07c5a208c74f54da

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Following

MD5 82d51a65bbe96f2f9e8e7b6cfb333282
SHA1 e8633d184ee93e8792c3ea8b4c1563a126d2dbfc
SHA256 654f10643984ab084893f728bf2e713a432a164d97b29e718dfd018d2acece7a
SHA512 782b892afbc79ccdfecec5072a96e209b6097d116401fe648dedfad06bd7117011af2fc4032976a0b3c6d5e97f29eb2c34e54020dc0bb8c60fdc9596d1abe46b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sucking

MD5 56938cf26450118dad55a15254f72f97
SHA1 ed5a4bb79709dac97dc477fa1d648349272aa7a5
SHA256 6540e092e2faa60fe480d81d59e34dd88c13876bef37830e2206bfb59ce9132c
SHA512 5dcd81b1ce7c59cf02e0cc0981d39d4888da6a7ccb0c818a095a4ac9244fd01a78d513198b04b4be867f2574c26bd17b450da2bcdcc30dce9a3de4075f9bc682

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Referral

MD5 4cbdbdebd19893c381833152e5e19e56
SHA1 2169c833e64ac99c3bfc03747b97e6a44dd55d8c
SHA256 03030ce5872c5919ebab051e61af997c80465f002678c50af377b016b65f2645
SHA512 7779e03a9a1ef90134778a9df83229064c0fa6c912ebf62183d5e9af7d5d21767a90eef0495608d832f40fa098692d32d22243bbf4aa892d6e8ae2d3c0d6b74e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Aspect

MD5 156462caf2897d681dad8fe61d1c7279
SHA1 a7ed61c1abf6256a339247d5212624d06497051d
SHA256 a4d6fcc99632d1ede57a38043e46f4a0e6d60edc10d388acf47de7f186810d6d
SHA512 c09be41bdd19d22dc9d7d8259116a1c98f5a37819ac4ea45b4230ca093b34784f397d523fc5ae5f644aa3a35750e0c570af01ef94d34b060da5d18c19a30fd67

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Coverage

MD5 d51d5baf2c9751a080d23ca1d67fc877
SHA1 4e03ddd85f9a93d666093fff94296a1e8119b492
SHA256 e66104a1f8fa1926811e2c82f16a415584732d80c984bc95472d26663355130f
SHA512 048eabdff052549ea0005096109a155e3cbb3cb55e45e7a6b4813637b7390f56f605083c352ad01171c275e1e8a1305d1ed4bc3dd62af15bda2e68bfcceeef85

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Walls

MD5 84d1975124695d39a9ed377145e65ef7
SHA1 5cfb122165e5030b6f42442f4d843017de51ebd6
SHA256 910a7915baf6b38abcc2346b6d9aca1967c62d6fe6276474e779c376984bebda
SHA512 f658e2aad732bfd898252029ad928e623a2944f38ed4d2a9f24babc6f6c977c44d168477e51b9b5d9cd4fa5be962b516c7f9b71551759791774a700355f4879e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kay

MD5 9e77f9fc5c1bbae0ade16a1dd8effb21
SHA1 dd769a5be09309f4f21e06d04d68185d624195ac
SHA256 e3e1f7fb978a9ed404525039fafaf519f0d414a44ddae7e3acd92ad3d3bc11fa
SHA512 d04227ffddb76b7ef4e311096ea192252c53be5dfcac97441cddd7be52d056a6dcab4be594ef4d40ed10b45dc50c0f8ac6b0db8dad4a375baa7296e2c15b13d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wedding

MD5 a6916adaee9f6cd664646c133fe21adc
SHA1 eec52f456e83c3e1bd3cb44078fd626f1595285d
SHA256 921695f853705f15c057ee9bcb88163143430f5218eadd65ffa685974bc239ba
SHA512 89c27fab7e1fb34deff313fcdeb3071cf38c3122217fbf2f7adc85c1a6ace34736c50cdaeb8d39e1addebc534456ad346a3892c6c2d63ced2ef53284790c79b9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Demonstrates

MD5 e08e5bf768a64fe55414a7efe75bb98e
SHA1 1a4131e823a04c34bb877e1bd2da4747f88c36e6
SHA256 5f9e851b902ead6c553929b0747a2e4038c0d47a1a9679b0e66186fcbdcf4145
SHA512 920c6db4296d4384d9368313aa9d00d93da69305836cf497bfa864f5907f892b51d6917bd20cf881ed91ac08ad2f3d7768f6dcaf29a4c0c62c526a16eb1653d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Principal

MD5 0177f90b037f9f9ba5c331a8d7d7eb59
SHA1 ecb1458679725cd7c05c3bc7f2daf00970ffc44e
SHA256 7a75623c96b9700b77159cc729b105b127673cb326dc95d124d9e6da1049305e
SHA512 a9907c2a3688974e595eb48b68e95b857450f1995852c08b322ae38f902cabced37ffb254d8b8dad6a301ccf50cc6bf7a8c9a0dea95213b1c728d6702bb14f46

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rich

MD5 2c56890263ecb94d2205c8f3fbff85e4
SHA1 a76fa63a6705f9def165271e85360a44c9a30f76
SHA256 7fccc2c8e04bcfeaf347efecb73db0f2d59ecc961e09b789f5e672148142a01b
SHA512 9268d4256566239e1bb557098cb5d00de1b7b4298d00bfe56bfccf3016c8f6ba42921bd182fe744619a6876a498117eceaf8a3c0db4bf6f90026b614e7f0b184

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wed

MD5 40b80c470cf945e5e6c9a00a42ee88e3
SHA1 5fe2646ab8100f8beae82c5492d70665a912f1b5
SHA256 cb7045844af5ed931d7359025b91defd249491b9838ccfee52f8845d582d6076
SHA512 678b0248cb9e676979dfb1b578d9e8cba412d9e10dcce5937df1c52340c549e2e8e4f3cca5f052d9538f1072c46e1a62628da3e6adc28f51818b6860f669d417

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sale

MD5 f60ab8cf18169eb48aa133662c841964
SHA1 7eb62ede0f1080f08455c4a3752eab265cf9cc8d
SHA256 438eb080850f59ad18a338d7d2a5e2d495c7f58370366819031831a6baf2d1e5
SHA512 0f9c1c5921a58675a6502e148ba997d6852e479ca8690f274017e85cc91bb1a378bf53c4695a0237b003051e5cbe48fc6c611e8555e0970907d5925c18186349

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Provisions

MD5 be14b60d3523be659afe7c53a2a9aa49
SHA1 299a05f78861186ee0c74855f790446d72a25c83
SHA256 20415ec7bf6a4dcbd66a4b5cf66767adfcac2a59c8cb1327feee264ef6d683c3
SHA512 296e5df4f94e3b7f02f6943fa80f35dda72951e64732e60f913d7560e6ffb3288c4c3f388c6fab505479114e163f5ef360828dfc66ba3510d6c576b2d71c4ffc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Scientists

MD5 0e5323e41231d475a85eb34008564de9
SHA1 e1200348bb64a087bca0a2dd98559455f506c1b7
SHA256 586162f22f885c94ee84600d8f7682b71b0808473d8eaa43b3215ba110eea9d5
SHA512 783a80bb025cde2c408cb70e84fe8795955fb6553b43c89f3c5915194e4890493aa1069f3bf055ae2a52837474c31eae08b7839d7b109b3d25012199efe8d647

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\K

MD5 f9596ddb1d9b538409e412b39569212e
SHA1 99de9993abb4c4480061a00e3b7a7e0ec9c18efa
SHA256 8c9328d2260c23517a1835f80946bf9e2e21db5265905484e0ac4d8b888a6162
SHA512 f2fea44814a21507108169f82222a8725fe464c28126edb6edac227f138b406af0d7a19a69738ed3dc7326a44432d93be5124eaad2410c44c54b1e61dbef1afb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Quotations

MD5 2d7d4d7423acbccfce375010af3bfe95
SHA1 7164bc8fa3a08eaccb1441ee00dc0df595e79e35
SHA256 5098e9326c80f53dcafba899fa500a68823d33df64c9641d2b7b4b3551af1b32
SHA512 1c50f366c452dc84aa42b0c69e90b4de97942869da4f465b267a81af2fc37ab6815d2c454038861d38105890fb3962f0f50365cd77dc298c1609377e5349aaec

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spots

MD5 6534ef16cc3db989801dab27ce49df95
SHA1 e2df162e54d2a601ce6af9af1ffe7e0b8dfd5fd6
SHA256 3152a116e9ad00bbd28af33f9f90c18e7703b9df822fa6af720397c3f8ae6e79
SHA512 17174c0412df108cce6efdf944ccc334d699cee8ffc1c42023d25b235e1460a7e329cc453c35b78e19a827a13e4b62ae121aba7dcd71bf6c5d1fd4e3716642be

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bone

MD5 124e240a6529b61f018b30adac17553d
SHA1 950077be632fde663aacf7636a0ece5c918d2f63
SHA256 70e4f36876b997f504b67027be7bb02d9fb5faecf014f603cbe7d5e640631994
SHA512 c57ccf9cdcce52cc197fdba2586e9e924823b74cc8491e1cafdf9d74069aa13d4a5dcedaa80804456885bb9fca7ea8beb4a5ebe1ef15c0fb91f5fe127324ab8b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Personnel

MD5 588fc6008acff48bb6638695bcf6f1b0
SHA1 9292a8d099705f171df67fe90ee89bd856abf5df
SHA256 9c0eb0254a68fd60b04489af0bd9615d91a6c1c189af0c457c258c886afd8931
SHA512 1068d494de53e441ee7e89c29062acaf6f966ec53541c0dca79f7660b13d0c7f40c04f17c23928eab548cb5700123f94b60f90f9b9ecc3e35780e3fb9877b804

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Watson

MD5 7aa422834f47f989ad74fb8a87de4225
SHA1 5b94537ea7df76b5b6a70aab1078623198ec2d2f
SHA256 79012da4bd552682d1635fa3fa33209f75bf059c7f63c0ab727ae72fa92f1332
SHA512 d1560c003880da5a030107030504cba01efd0829e5fbf24037145b131752b91c7b295999a0123a87094889cf086f0214fb6efe67bd27faa185b6a38a9b51efca

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Describes

MD5 dab205ef316a75b18e861f7a867e0989
SHA1 650f9b788b6213225dc0f8d21236d1b06bde4fc9
SHA256 a14ab8b356d3d939c5b2283e3cda3af305d4107e7f178c852e0680457acc269e
SHA512 365fa6a6b20c940cee09294c5bfd35c52928874532a5b27e73891a498f1463d84fa0305b2d6a721f67bc39b828379eacfa092df664f73a8f863ae39ef7ae4d8b

\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\Journals.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\297892\O

MD5 46191d9919762445f6246396127d6d86
SHA1 1387f35b5fe3f56402c89444f2e74b0f5d5b4e42
SHA256 7bbe5eb8ffb88fc4e9872cfaa467cf8d41f37466c078fc403f163030abf7c507
SHA512 cc898c08a711d4e5163576d2737735d2f0cb042c87e9e09abe1d3c27751024f9f90314e9dc4d65821d18cf5da1fd592a14f216ba84ec24db119b380644cee736

memory/1572-669-0x00000000039E0000-0x0000000003A37000-memory.dmp

memory/1572-670-0x00000000039E0000-0x0000000003A37000-memory.dmp

memory/1572-671-0x00000000039E0000-0x0000000003A37000-memory.dmp

memory/1572-672-0x00000000039E0000-0x0000000003A37000-memory.dmp

memory/1572-673-0x00000000039E0000-0x0000000003A37000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Aspect

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Aspect

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Immune

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Immune

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\K

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\K

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Kay

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Kay

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Arrives

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Arrives

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-20 15:42

Reported

2024-05-20 15:46

Platform

win7-20240215-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Aspect

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Aspect

Network

N/A

Files

N/A