Analysis Overview
SHA256
f6e3d9034d0dfbb89293fd65389ab7c841de4fe37dc2de3a2f4fd3e0b2f4c0d0
Threat Level: Known bad
The file kwish client.rar was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
njRAT/Bladabindi
UAC bypass
Detect Umbral payload
Umbral
Possible privilege escalation attempt
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Drops startup file
Modifies file permissions
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Adds Run key to start application
Sets desktop wallpaper using registry
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies Control Panel
System policy modification
Suspicious behavior: GetForegroundWindowSpam
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 10:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
450s
Max time network
1176s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4744 wrote to memory of 1820 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 4744 wrote to memory of 1820 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\KwishClient\KwishClient.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.111.243.30:443 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/4744-2-0x0000014EDD900000-0x0000014EDDB70000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 577ba09cb014307395f7b616511723a5 |
| SHA1 | 558007c461a9779476e35f8520c8d44de5bcf15f |
| SHA256 | 6f988cac82d04d778d4b4b2526b0cb71d78945fc54c55c111b6df030a0c2f99a |
| SHA512 | 007a254454d84811846593b39bbae39bc1c61160ff811bd9c2491ddbdc73988bdd159f83b050e74f0bafc78ba30bbab6aeb36c22d54e8f333d1108df1a11b58b |
memory/4744-12-0x0000014EDC2C0000-0x0000014EDC2C1000-memory.dmp
memory/4744-13-0x0000014EDD900000-0x0000014EDDB70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 10:42
Platform
win11-20240611-en
Max time kernel
130s
Max time network
133s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
Umbral
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\windows\system32\takeown.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\Start.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\Start.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\windows\system32\takeown.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Start.exe\" .." | C:\ProgramData\Start.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\Start.exe\" .." | C:\ProgramData\Start.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\wlp.tmp" | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\ui65.exe | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\logonuiOWR.exe | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KwishClient\Start.exe | N/A |
| N/A | N/A | C:\ProgramData\Start.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Start.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Start.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Start.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Start.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Start.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Start.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Start.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\ProgramData\Start.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\Start.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\KwishClient\Start.exe
"C:\Users\Admin\AppData\Local\Temp\KwishClient\Start.exe"
C:\ProgramData\Start.exe
"C:\ProgramData\Start.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.0.414005311\256353994" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f488c89c-4f00-4853-acaa-a0bec99d71cb} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 1860 2388f00df58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.1.2079324192\289540945" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b36de6b5-4dc3-4711-af9e-775f005c02c8} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 2404 23882186c58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.2.1834623299\451728472" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 2940 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5d6694b-25f5-4340-aa90-5a98ad99cf4c} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3124 2388df97358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.3.996742985\1362042911" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3620 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {703d408d-4127-4d64-bb3c-8a1668f2b6c6} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3632 23894587958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.4.1833611587\1389516748" -childID 3 -isForBrowser -prefsHandle 4348 -prefMapHandle 4664 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b62bac-74bc-4678-8817-c794d0b24eb8} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5108 2389683da58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.5.1696285357\733367854" -childID 4 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {964a10d0-0100-4364-86a7-2d8f43c42137} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5244 2389683ef58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.6.1231133378\1414252152" -childID 5 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1044 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce68c3c-9b4e-4667-a1e2-3b8faf85765b} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5436 2389683fb58 tab
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe
"C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe
"C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe"
C:\windows\system32\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\
C:\windows\system32\icacls.exe
"C:\windows\system32\icacls.exe" C:\ /granted "Admin":F
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a24055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | park-curve.gl.at.ply.gg | udp |
| US | 147.185.221.20:38826 | park-curve.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:38826 | park-curve.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:49769 | | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 52.25.179.107:443 | shavar.services.mozilla.com | tcp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:49775 | | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.130.233:443 | discordapp.com | tcp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| NL | 2.18.121.79:80 | a19.dscg10.akamai.net | tcp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | tcp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
Files
memory/1480-0-0x00007FF961CF3000-0x00007FF961CF5000-memory.dmp
memory/1480-1-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1480-2-0x0000000000D20000-0x0000000000D32000-memory.dmp
memory/1480-3-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
C:\ProgramData\Start.exe
| MD5 | 17d3aede5181494ef3a4a00513a84398 |
| SHA1 | caaacb5eb2582abc96af355c4cd7ce33863521d2 |
| SHA256 | 7695430fc6530b309257c463264469f1f2c8dc5053ccd50876b196a9d73b9a5f |
| SHA512 | 482bf196726c4f87fedaa7b90bf18c61b4e24a78cc5479f59a2b0e2a76649f9c2ea2444899d42d9d6113182b39b7486e32483f0664bfa9f08435c45f812b4624 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Start.exe.log
| MD5 | e7edf56d23e3eddab9453776bd1cc9ed |
| SHA1 | 36c5a79710d6810871de84443bc4f42c404504bc |
| SHA256 | b115c8bd4e8c80eedb64322046695b1bb6783ddfebf7bf93a0562a12bb4de95a |
| SHA512 | ab2c905ff55d9a202469218f65d6df63eac131c06886316ae4e8cd05dffaa42541d11df774d89629d0cc6df067ed9d0c2b44811952e4f3668c3e9d4fb84f57a1 |
memory/4228-14-0x0000000001680000-0x0000000001692000-memory.dmp
memory/1480-15-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
memory/4228-17-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
memory/4228-16-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
memory/4228-19-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
memory/4228-20-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
memory/4228-21-0x000000001BAA0000-0x000000001BAAA000-memory.dmp
memory/4228-22-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | bc70849972f9eb81a90775daa4a5239a |
| SHA1 | d90a695fe9c1686d83e74094e721a8c28f7f803f |
| SHA256 | 24bb10d611ac05ca4d6c4b647f5b63ca0e52d035f3c482261e58555907a72d84 |
| SHA512 | 0e4ce1448436bb5521ff2f0877d24a3b28306afd42747156f10329f6aee7e8964f17a8bd6665ae023dca113c264af384c6028b4ed33a73a8a840d4012b5b7656 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
| MD5 | 04faa5b7168897c1b036966b4dab7ddd |
| SHA1 | ffd991ab3f4a803e76d976eaafc861734c76862d |
| SHA256 | 1ef41eda4b7a9a8522dace2f1cd3dacd549f357611fce91f6221f0f5ec2aafae |
| SHA512 | 1ac5b45f2ae318cd452099ac83ef40a116270f3f6ded5612443f0b9201b3f97a195261bf7bc461204714c7df9fdf1e02b0bb7aaa69c58cfa7fdce75bcf04b058 |
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe
| MD5 | 157dc3d81fee89af95e44300cb46bb94 |
| SHA1 | f7684bd8a11526a7cebeb668e32a01498785ed92 |
| SHA256 | 72ec2b7ff3142521a6e640371dbf03125af27057f77ab08e2d50b0f7e3f97f7f |
| SHA512 | fb7e7fa91fb1efef7d2e95578f305a9d81e48c8ad229cef9404abe7688d9cb8981ccd779a1ad2604d877a3cbeb6d7c5f4c5f46c07cffb309c06b44c50e9d39db |
memory/5080-88-0x000001FC7EC40000-0x000001FC7EC80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wi5x2m42.fie.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3152-97-0x000001FD8E890000-0x000001FD8E8B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 437395ef86850fbff98c12dff89eb621 |
| SHA1 | 9cec41e230fa9839de1e5c42b7dbc8b31df0d69c |
| SHA256 | 9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6 |
| SHA512 | bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c24caab1947646fcc49d6158d78a56f5 |
| SHA1 | aa2cd00401eb273991f2d6fdc739d473ff6e8319 |
| SHA256 | 0696315ad3df3edd5426276c265bd13d8bd2a0d101548bcaedd82e2aebde655a |
| SHA512 | 35e1d214dfb4c7f078496e3e303aea152aa48f9db5b9aa188aeb82b541582ed77f60bfe8712836232b5aa31d3645edfc79b42c8f90e92e06778f21aa44971bff |
memory/5080-111-0x000001FC7FDB0000-0x000001FC7FE26000-memory.dmp
memory/5080-112-0x000001FC7F170000-0x000001FC7F1C0000-memory.dmp
memory/5080-113-0x000001FC7F100000-0x000001FC7F11E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ae45638dd1c046829e39f88839964222 |
| SHA1 | 42b27a30e3bbadef6065fc5f0129dc24a9d87b76 |
| SHA256 | b62cc7a49c958d41c0e7784cc6918f5edbf197f19a9b00c09b65e2f44fade360 |
| SHA512 | 593b1912bc28ec098778cf5c062f5e95de6060c0052334e9ebba10bc01e8139ae02603a3d97672aaf09e0b44b87655a36298a0b09de2368f0f802d564e76ce92 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7332074ae2b01262736b6fbd9e100dac |
| SHA1 | 22f992165065107cc9417fa4117240d84414a13c |
| SHA256 | baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa |
| SHA512 | 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2 |
memory/5080-148-0x000001FC7F0E0000-0x000001FC7F0EA000-memory.dmp
memory/5080-149-0x000001FC7F140000-0x000001FC7F152000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0f75e8536b42ee6f7bb660ade7991245 |
| SHA1 | 0918496d043aa7d232f69d44d86cca77938f3e98 |
| SHA256 | a705c54b798f77c9518ea45b93bec6c4bcab90c0977d8e1b8266c2079262f7fa |
| SHA512 | 968601098ec2c60007eb58ba0e48cd3dbbc3365e98b7713a5fcbdffdabac43873c0547340dc1bea994cb8b365ba6981edd96780ece9c9e5e60e122d79988de9e |
memory/4228-168-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 7430397b58e2b176a5a432174b7d5834 |
| SHA1 | 11f3d748004dd3352de0162cf96e337cbebf8b41 |
| SHA256 | db7117fb44b16030a9ea0e1bca8e2e98c52fa8bdb146728406c7b7f2192644f7 |
| SHA512 | 4a1f45e47ad807a7bf6e2b41228c63beeb7fedeb7c5308df5955c7bdfb1db1a02c7e9e01f339dbbdc27c510fe3b8cac720bd75e56e4fa6a36726c8e916abadc3 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
| MD5 | b08e44a02eaa00d1eca0338780aded5f |
| SHA1 | ff24341f41a0cb7f41b1d9f046ea471776cc8475 |
| SHA256 | 2056058cfff353f1a8130e1ef9da58ac6a7e41ca6db6d0f7dd3a7aa50b12b44e |
| SHA512 | 56873861a5c4d1878ad0cb6772afd9546191b73af45bcad22332a1841624de4acefd8b18709debedcc455ed42197339eccc0d4ff62387f4c5870ce791f8cd5ba |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
| MD5 | 9b17d54f3bcb2f00b90d802f106009f7 |
| SHA1 | a7de61462986b808fd46ffe3526855642a2a586c |
| SHA256 | 012d19acb0b6cc4455ce8dcb9510d9a552cc32903e6e2d61eebf898b3006e3d7 |
| SHA512 | d64e81851352141b33fd0734b2919c50fe36eab3735f7de79b43caf3b3766e7d9676fd481066dd6833d0524af8abd264ba987ab2a3f6dff844fbac0d98bd1394 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 18b207724815ecf77509be164527ef45 |
| SHA1 | 5705fea72720bbd4491ab10cdeaf44c41aa04c63 |
| SHA256 | 5be074771f990d41d788b24025bd2d5ca3877339da59462067d7139ea17a2749 |
| SHA512 | 9acf0242814f844fc6986ef7fb030fe08adf2f24cefce217eceae9f5c01fbd894e426e27a67e068742bd53d0a770308dcf951f37ff807ea3bfe47412bef95ca8 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
| MD5 | 057a25053824771e2418c7e54a497c81 |
| SHA1 | 5723f4956556e0f7a8aa8f436df11bb106ecaa45 |
| SHA256 | 864ebe99f54b6057e9cec6ed10fec176f3c6effb9fc95784066fa965a5c9c395 |
| SHA512 | f49f36890ba37c40e8b080342ab02e9514dae90e299dcb618d73c659103a5aa991507abab9cbfcfc81b36d90ca37fc668b9f9d821f6b6aa7c9422d075a2bf7ef |
C:\Users\Admin\AppData\Local\Temp\KwishClient\.exe
| MD5 | 4d1d2d53bc1aac8b044fe12d9121ae22 |
| SHA1 | 0d8088a23272a3a20785637915cb81af137f81cc |
| SHA256 | b6ef7d7410a44494a09973b7b0ca173ca4f67f52ea542c7393e3d1874257dfb5 |
| SHA512 | 520c8796ff1229a5ad072d408ca97b2afada4fb10d9c2a8360f1cae1d29ac67ca42e80842eeb2052e6e715ee028a5e6a8d15eb388a23932655bfd0319cb3db9a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.log
| MD5 | 5f36c205799cb2f8966c7d5130cea05c |
| SHA1 | 614993e3437ff9363c3eb698d7dba379a453dd6e |
| SHA256 | 8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c |
| SHA512 | 7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b |
memory/3824-2235-0x00000000000D0000-0x00000000016D4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json.tmp
| MD5 | c8dc58eff0c029d381a67f5dca34a913 |
| SHA1 | 3576807e793473bcbd3cf7d664b83948e3ec8f2d |
| SHA256 | 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17 |
| SHA512 | b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore.jsonlz4
| MD5 | 812f2a4690b156ff5d95e5eb7cfbc11d |
| SHA1 | 68380b202cdda28258ff521d7e6035ca6e3a9d79 |
| SHA256 | 1e96685388f5c8416103ffde699d3a4575a3dc8d5d75bebb7873ec60dfb684e8 |
| SHA512 | 0cb0d806786239a8a95a9f09a8af2804c7375a16da8b1604d01e99d4f7a8120f6e83e3731cd271b70efff31aadedb7645a6e2cd0b9e06f8484f95ace79d669ef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs.js
| MD5 | 8803b1340206258f12de3db7c4944eb1 |
| SHA1 | 358df6a35aaaecdd36d88dcdc986fb14c468f14a |
| SHA256 | 24ff59b8c1ca18072e46f0077b981a9ceb5235fc2100c7f23cd5bbf60060ce40 |
| SHA512 | 63ca0c93b7d6b783d262280813ef7a139993fae6122d26dc601c7af3f1bc6b9a97bb50b660333a0073e66036e664ebce0ec2fcf11163894eee3ec21629822279 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js
| MD5 | 3b15249d0b69f30e83f8bcc1ad0aa110 |
| SHA1 | 0c224622b83a4cfc3eca3ff0ae86e4e741ad094d |
| SHA256 | d3d60febdd0ac2496ddcbd842e15cff354de47b525ff1809d8a7b567579cfc97 |
| SHA512 | 92a4b38a8e11b67c9daf92cdc6a912b7c95ee52b500648e2765c5334d94685c61d3f5aa5f6a98c2b42bca2d37fbceacaccd5b82d6c7b4c9385c02ee974f0cc1c |
memory/4228-2296-0x00007FF961CF0000-0x00007FF9627B2000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240611-en
Max time kernel
1483s
Max time network
1492s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 988 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 988 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 988 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\SAPIWrapper_x86.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\SAPIWrapper_x86.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
453s
Max time network
1182s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 4280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2456 wrote to memory of 4280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2456 wrote to memory of 4280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\glfw32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\glfw32.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240611-en
Max time kernel
1485s
Max time network
1500s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3328 wrote to memory of 4988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3328 wrote to memory of 4988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3328 wrote to memory of 4988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\jemalloc32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\jemalloc32.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240611-en
Max time kernel
1483s
Max time network
1499s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
1758s
Max time network
1769s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\OpenAL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
449s
Max time network
1174s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\SAPIWrapper_x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
1738s
Max time network
1750s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_opengl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
1725s
Max time network
1739s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_stb.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240611-en
Max time kernel
1481s
Max time network
1498s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 692 wrote to memory of 3224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 692 wrote to memory of 3224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 692 wrote to memory of 3224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\OpenAL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\OpenAL32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240419-en
Max time kernel
1767s
Max time network
1780s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\glfw.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240611-en
Max time kernel
1482s
Max time network
1499s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1412 wrote to memory of 3640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 3640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 3640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_opengl32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_opengl32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3640 -ip 3640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
447s
Max time network
1172s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3120 wrote to memory of 4020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3120 wrote to memory of 4020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3120 wrote to memory of 4020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_stb32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_stb32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
448s
Max time network
1171s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_tinyfd.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240508-en
Max time kernel
1745s
Max time network
1763s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\jemalloc.dll,#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240611-en
Max time kernel
1484s
Max time network
1499s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1048 wrote to memory of 2024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1048 wrote to memory of 2024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1048 wrote to memory of 2024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-25 10:39
Reported
2024-06-25 11:10
Platform
win11-20240611-en
Max time kernel
1482s
Max time network
1491s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4904 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4904 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4904 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_tinyfd32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\KwishClient\resources\lwjgl_tinyfd32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 544
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |