Malware Analysis Report

2024-10-19 09:00

Sample ID 240829-n32f5asbrl
Target File.rar
SHA256 b936dc76c796a7ec52e4ecae7c99f3982236c23aa163150f906191ea6a73a460
Tags
redline stealc vidar 3cfc20875310168e85cacc85bfe8cfb9 d9949d63cb2f6fce6f80667c0c98ea24 default leva logsdiller cloud (tg: @logsdillabot) w9 credential_access discovery evasion execution infostealer persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b936dc76c796a7ec52e4ecae7c99f3982236c23aa163150f906191ea6a73a460

Threat Level: Known bad

The file File.rar was found to be: Known bad.

Malicious Activity Summary


Stealc

Vidar

Detect Vidar Stealer

RedLine payload

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Executes dropped EXE

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Unsecured Credentials: Credentials In Files

.NET Reactor protector

Drops startup file

Checks BIOS information in registry

Adds Run key to start application

Power Settings

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Launches sc.exe

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 11:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 11:56

Reported

2024-08-29 12:05

Platform

win10-20240404-es

Max time kernel

118s

Max time network

323s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\v5_ZpXUboQA4uZKD1PK66UZq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Lzji3ugfMQ5tcs3C4OYQy7Kc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\V7ppNEbCRdUPl6LMzSAkn4ht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\2NDCNrPEkRdHFCZp1Y4lvKa1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\yFoQIntT_ijzBArtgIGIQJrN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9U3RM.tmp\Poj71k3Ya_HeS8G39DU1IT_3.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\VAtenDpwFAQuw1ieHk8RRfSA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\doL2QrffwqgtJ051J1s5JyXm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\doL2QrffwqgtJ051J1s5JyXm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4104 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4600 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4600 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4600 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4600 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4600 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4600 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4600 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4600 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4600 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4600 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4600 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4600 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2144 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2144 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2144 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2144 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2144 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4112 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe
PID 4112 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe
PID 4112 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe
PID 4112 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe
PID 4112 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe
PID 4112 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe
PID 4112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\yFoQIntT_ijzBArtgIGIQJrN.exe
PID 4112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\yFoQIntT_ijzBArtgIGIQJrN.exe
PID 4112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\yFoQIntT_ijzBArtgIGIQJrN.exe
PID 4112 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\VAtenDpwFAQuw1ieHk8RRfSA.exe
PID 4112 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\VAtenDpwFAQuw1ieHk8RRfSA.exe
PID 4112 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\VAtenDpwFAQuw1ieHk8RRfSA.exe
PID 4112 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe
PID 4112 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe
PID 4112 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe
PID 4112 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\V7ppNEbCRdUPl6LMzSAkn4ht.exe
PID 4112 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\V7ppNEbCRdUPl6LMzSAkn4ht.exe
PID 4112 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\V7ppNEbCRdUPl6LMzSAkn4ht.exe
PID 4112 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\v5_ZpXUboQA4uZKD1PK66UZq.exe
PID 4112 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\v5_ZpXUboQA4uZKD1PK66UZq.exe
PID 4112 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\v5_ZpXUboQA4uZKD1PK66UZq.exe
PID 4112 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Lzji3ugfMQ5tcs3C4OYQy7Kc.exe
PID 4112 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Lzji3ugfMQ5tcs3C4OYQy7Kc.exe
PID 4112 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Lzji3ugfMQ5tcs3C4OYQy7Kc.exe
PID 4112 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\2NDCNrPEkRdHFCZp1Y4lvKa1.exe
PID 4112 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\2NDCNrPEkRdHFCZp1Y4lvKa1.exe
PID 4112 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\2NDCNrPEkRdHFCZp1Y4lvKa1.exe
PID 4112 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe
PID 4112 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 543333

C:\Windows\SysWOW64\findstr.exe

findstr /V "ZambiaExpressionEdWarnings" Organizational

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Knowledgestorm.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe

C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe

C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe

C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe

C:\Users\Admin\Documents\iofolko5\yFoQIntT_ijzBArtgIGIQJrN.exe

C:\Users\Admin\Documents\iofolko5\yFoQIntT_ijzBArtgIGIQJrN.exe

C:\Users\Admin\Documents\iofolko5\VAtenDpwFAQuw1ieHk8RRfSA.exe

C:\Users\Admin\Documents\iofolko5\VAtenDpwFAQuw1ieHk8RRfSA.exe

C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe

C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe

C:\Users\Admin\Documents\iofolko5\v5_ZpXUboQA4uZKD1PK66UZq.exe

C:\Users\Admin\Documents\iofolko5\v5_ZpXUboQA4uZKD1PK66UZq.exe

C:\Users\Admin\Documents\iofolko5\V7ppNEbCRdUPl6LMzSAkn4ht.exe

C:\Users\Admin\Documents\iofolko5\V7ppNEbCRdUPl6LMzSAkn4ht.exe

C:\Users\Admin\Documents\iofolko5\Lzji3ugfMQ5tcs3C4OYQy7Kc.exe

C:\Users\Admin\Documents\iofolko5\Lzji3ugfMQ5tcs3C4OYQy7Kc.exe

C:\Users\Admin\Documents\iofolko5\2NDCNrPEkRdHFCZp1Y4lvKa1.exe

C:\Users\Admin\Documents\iofolko5\2NDCNrPEkRdHFCZp1Y4lvKa1.exe

C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe

C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe

C:\Users\Admin\Documents\iofolko5\doL2QrffwqgtJ051J1s5JyXm.exe

C:\Users\Admin\Documents\iofolko5\doL2QrffwqgtJ051J1s5JyXm.exe

C:\Users\Admin\AppData\Local\Temp\is-9U3RM.tmp\Poj71k3Ya_HeS8G39DU1IT_3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9U3RM.tmp\Poj71k3Ya_HeS8G39DU1IT_3.tmp" /SL5="$60212,3860661,54272,C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe

"C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 620

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBAAFBFBAAK.exe"

C:\Users\AdminBAAFBFBAAK.exe

"C:\Users\AdminBAAFBFBAAK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGHJKJDAKEH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\AdminGHJKJDAKEH.exe

"C:\Users\AdminGHJKJDAKEH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1280

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VIFLJRPW"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VIFLJRPW"

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IECAFHDBGHJK" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
RU 31.41.244.9:80 31.41.244.9 tcp
RU 176.113.115.33:80 176.113.115.33 tcp
RU 80.66.75.114:80 80.66.75.114 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
US 8.8.8.8:53 file-link-iota.vercel.app udp
US 76.76.21.9:80 file-link-iota.vercel.app tcp
US 76.76.21.9:80 file-link-iota.vercel.app tcp
US 76.76.21.9:80 file-link-iota.vercel.app tcp
US 8.8.8.8:53 9.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 104.44.45.147.in-addr.arpa udp
US 8.8.8.8:53 33.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 114.75.66.80.in-addr.arpa udp
US 8.8.8.8:53 9.21.76.76.in-addr.arpa udp
US 76.76.21.9:443 file-link-iota.vercel.app tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
DE 77.105.164.24:50505 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 24.164.105.77.in-addr.arpa udp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
DE 147.45.47.251:2149 tcp
US 8.8.8.8:53 157.252.19.2.in-addr.arpa udp
CZ 46.8.231.109:80 46.8.231.109 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 251.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 109.231.8.46.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 53.107.216.95.in-addr.arpa udp
DE 94.130.188.148:443 tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
DE 94.130.188.148:443 94.130.188.148 tcp
US 8.8.8.8:53 148.188.130.94.in-addr.arpa udp
DE 94.130.188.148:443 94.130.188.148 tcp
DE 94.130.188.148:443 94.130.188.148 tcp
DE 94.130.188.148:443 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
DE 94.130.188.148:443 tcp
US 8.8.8.8:53 condedqpwqm.shop udp
US 172.67.146.35:443 condedqpwqm.shop tcp
DE 94.130.188.148:443 tcp
US 8.8.8.8:53 35.146.67.172.in-addr.arpa udp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 94.130.188.148:443 tcp
DE 45.76.89.70:443 pool.hashvault.pro tcp
DE 94.130.188.148:443 tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
DE 94.130.188.148:443 tcp
US 8.8.8.8:53 stadiatechnologies.com udp
GB 95.164.119.162:80 stadiatechnologies.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
FR 147.45.68.138:80 147.45.68.138 tcp
US 8.8.8.8:53 138.68.45.147.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
FR 147.45.68.138:80 147.45.68.138 tcp
NL 193.176.190.41:80 193.176.190.41 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 41.190.176.193.in-addr.arpa udp
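The table above mixes three kinds of rows: the sandbox resolver's DNS traffic (including its own reverse lookups of every contacted address), external-IP lookups, and the connections the sample actually made, many of them to bare IPs with no hostname and some on unusual ports. The following Python is an added example, not part of the report or of any sandbox tooling, that parses rows in this table's "Country Destination Domain Proto" format (accepting rows where the Domain column is absent) and separates those classes. The sample rows are copied from the table; treating 8.8.8.8:53 as resolver noise and 80/443 as the only "standard" ports are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Rows copied from the Network table above. The report prints
# "Country Destination Domain Proto"; the Domain column is missing on
# rows for connections made directly to an IP, so the parser must
# accept both shapes.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
DE 77.105.164.24:50505 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 condedqpwqm.shop udp
US 172.67.146.35:443 condedqpwqm.shop tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r"(?: (?P<domain>\S+))? "      # optional Domain column
    r"(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the report row has no Domain column
    proto: str


def parse_rows(text: str) -> List[Row]:
    """Parse the report's network rows; raise on anything that does not fit."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(Row(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return rows


def is_reverse_lookup(name: str) -> bool:
    # PTR queries the sandbox issues for every address it sees; not sample behaviour
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def dns_queries(rows: List[Row]) -> Set[str]:
    """Names the sample resolved, minus the sandbox's own reverse lookups."""
    return {r.domain for r in rows
            if r.proto == "udp" and r.port == 53 and r.domain
            and not is_reverse_lookup(r.domain)}


def tcp_endpoints(rows: List[Row]) -> Counter:
    """How many TCP connections went to each (ip, port)."""
    return Counter((r.ip, r.port) for r in rows if r.proto == "tcp")


def direct_ip_endpoints(rows: List[Row]) -> List[str]:
    """TCP destinations reached without a hostname (Domain absent or equal to
    the IP). These are the hard-coded addresses to block or hunt for first."""
    return sorted({f"{r.ip}:{r.port}" for r in rows
                   if r.proto == "tcp" and (r.domain is None or r.domain == r.ip)})


def nonstandard_ports(rows: List[Row]) -> List[Tuple[str, int]]:
    """TCP endpoints on ports other than 80/443 (assumed 'standard' here)."""
    return sorted({(r.ip, r.port) for r in rows
                   if r.proto == "tcp" and r.port not in (80, 443)})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("queried names:   ", sorted(dns_queries(rows)))
    print("direct-IP C2 candidates:", direct_ip_endpoints(rows))
    print("non-standard ports:     ", nonstandard_ports(rows))
    print("most contacted:  ", tcp_endpoints(rows).most_common(3))
```

Run against the full table, the direct-IP list is the set a practitioner would feed into a blocklist, while the queried names (api.myip.com, ipinfo.io, iplogger.org, t.me, steamcommunity.com) need more care: several are legitimate services abused as dead-drop resolvers or for victim geolocation and should be hunted on as process-to-destination pairs rather than blocked outright.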

Files

C:\Users\Admin\AppData\Local\Temp\Opinion

MD5 14cc1fb9d1af48eefbf8886f7afb6aaf
SHA1 5c3f6bd7d25302838faeac6235d11d29a7e148d9
SHA256 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022
SHA512 cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13

C:\Users\Admin\AppData\Local\Temp\Organizational

MD5 7b8287c0afd0f089d462d20227527313
SHA1 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9
SHA256 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604
SHA512 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01

C:\Users\Admin\AppData\Local\Temp\Administrator

MD5 d4fdc8b32df2a7aeff68f050ff4e99f5
SHA1 596c4fcdabd92baf7306afe28ad4769210c8c61e
SHA256 ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670
SHA512 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328

C:\Users\Admin\AppData\Local\Temp\Offerings

MD5 c1b98968af3ca9958da994e0d2b64ca5
SHA1 86a2c66038306cea65319eda4dc28e9ca416ecba
SHA256 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a
SHA512 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a

C:\Users\Admin\AppData\Local\Temp\Erotic

MD5 baa394d9b7256b54d2a17aef107d6587
SHA1 ebb8b2974d73f4259fb01132ffaa9e93f9e32784
SHA256 ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc
SHA512 ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0

C:\Users\Admin\AppData\Local\Temp\Worldwide

MD5 0a51acf518d3af32972473ad935785b2
SHA1 2890597974297152d974f0bc05abd0689dcbe140
SHA256 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf
SHA512 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 6935c3ee488f7e35515d746c51ed5e63
SHA1 eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096
SHA256 c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6
SHA512 f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81

C:\Users\Admin\AppData\Local\Temp\Nylon

MD5 7ec83d9c67fdabe8d1a30d598b074796
SHA1 909f7cc320e0584037121527c3916b633f9e1f9f
SHA256 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1
SHA512 d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 19d61e16dada8cd392e3c8bf745776d9
SHA1 ebbd31fe57f9b77b383326b42e166340c0cf721b
SHA256 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b
SHA512 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03

C:\Users\Admin\AppData\Local\Temp\Thomas

MD5 7fe92d1a548602fde1565d712bda2c31
SHA1 6b0f68dfef457c84c8c8de12a81356d34a745a01
SHA256 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4
SHA512 bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d

C:\Users\Admin\AppData\Local\Temp\Will

MD5 1a91d5a1c1770b7f0f9cfce2e2e033c3
SHA1 9bab62fa38126f91be59f6bc42b18c7d2797abc2
SHA256 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5
SHA512 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557

C:\Users\Admin\AppData\Local\Temp\Whenever

MD5 e4aa61dd9135241d399813916b7810d9
SHA1 59f3a9e4706b7c8b360d89fc25712b25a4a29380
SHA256 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1
SHA512 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183

C:\Users\Admin\AppData\Local\Temp\Registered

MD5 df64d534153e3209f9205105677a7926
SHA1 78a92c5660604a1806cff15b390928a60bc665a2
SHA256 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590
SHA512 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda

C:\Users\Admin\AppData\Local\Temp\Clips

MD5 07b6cca17ff3d67686dcb686c7397959
SHA1 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a
SHA256 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4
SHA512 a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5

C:\Users\Admin\AppData\Local\Temp\Wiki

MD5 62691926c398272b060aca24576fa46a
SHA1 8bf7fb2b2df52820ee9ef46790e70ca3b4945add
SHA256 d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1
SHA512 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047

C:\Users\Admin\AppData\Local\Temp\Route

MD5 8494c7d9d337a740a2b78b91d6a25741
SHA1 95623c0ae4cda059b11cff25ea05324c4dc9ca7d
SHA256 ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2
SHA512 b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577

C:\Users\Admin\AppData\Local\Temp\Concert

MD5 40bd98de2c6eafc9393dea5648237efb
SHA1 f920b8feac96be36ee27fa187ccbaf5156bd8969
SHA256 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd
SHA512 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d

C:\Users\Admin\AppData\Local\Temp\Wool

MD5 e17b22ee13a0359fcc5e72e312177b73
SHA1 f1f7482a1674ff2b35f4dc75861dde4d6560ccb5
SHA256 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a
SHA512 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48

C:\Users\Admin\AppData\Local\Temp\Infection

MD5 bfa650e559e2a6c7ed47bfccf27d4cbb
SHA1 869f87feb559cfa55d28dc75f9cd01a458774cec
SHA256 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af
SHA512 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9

C:\Users\Admin\AppData\Local\Temp\Turn

MD5 8bc214a5383ab3532a20b52ac5624501
SHA1 4d0e206963a38de8c54785847bd935218729f296
SHA256 d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0
SHA512 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445

C:\Users\Admin\AppData\Local\Temp\Charleston

MD5 ecdf78d1f969073a83acb1e32ba80a05
SHA1 e547ae72ce76d015dd5f2b41eecda246eae3720c
SHA256 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1
SHA512 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d

C:\Users\Admin\AppData\Local\Temp\Cubic

MD5 34a6728cd9f73abf7a91f66252cf0829
SHA1 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c
SHA256 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43
SHA512 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf

C:\Users\Admin\AppData\Local\Temp\Bibliography

MD5 cbabde4bcb3d6b2a1a62629d3fae6942
SHA1 062f09fd85db0324294b901f9a6a4b1a207d46e8
SHA256 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436
SHA512 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093

C:\Users\Admin\AppData\Local\Temp\Challenged

MD5 95a29849fca591f7dd60ce737d9fad75
SHA1 0d09edf10128e174ca9010838a43247e3786ba4e
SHA256 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326
SHA512 d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d

C:\Users\Admin\AppData\Local\Temp\Wanted

MD5 2bc8cd3cd9520b534f5c7a2b29d43476
SHA1 8d19c65db42fbf5432942af24176ec0428eb03dd
SHA256 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577
SHA512 e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38

C:\Users\Admin\AppData\Local\Temp\Sixth

MD5 88023976d5464e26d23fa462ecf19a24
SHA1 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873
SHA256 ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f
SHA512 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4

C:\Users\Admin\AppData\Local\Temp\Planets

MD5 8b8508d4de0fccf374111ddb5079207c
SHA1 e358b9489aac68dc51097d7680b5df2542dda3d9
SHA256 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1
SHA512 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe

C:\Users\Admin\AppData\Local\Temp\Keywords

MD5 902bb2bacc6ea96547fc1383a019761f
SHA1 b712a36338a7e37d936489db47844657e3d531af
SHA256 fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5
SHA512 f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a

C:\Users\Admin\AppData\Local\Temp\Wallpapers

MD5 702274c76f1e8b5e3cf6eb9a64bd7040
SHA1 7ada91befe55505e32d2bb64c47e8b1725525cad
SHA256 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149
SHA512 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa

C:\Users\Admin\AppData\Local\Temp\Definition

MD5 0255c33cd5087c24e5b4f0d82abae604
SHA1 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1
SHA256 bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95
SHA512 cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd

C:\Users\Admin\AppData\Local\Temp\Almost

MD5 83cf5ee2c502f847da364a9e6a4245df
SHA1 8fc51be5da0a57ef671ddf65bf5b0db444a135b9
SHA256 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f
SHA512 d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f

C:\Users\Admin\AppData\Local\Temp\Astrology

MD5 8ce87c92b9692122e0869a296721f672
SHA1 8bf412633ba9798702dea6c3c56e0f219d75f112
SHA256 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1
SHA512 b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d

C:\Users\Admin\AppData\Local\Temp\Harley

MD5 7d022467103662db65311c796de33eb7
SHA1 c8b52feeaaf322b16238787f7837da1b4be95118
SHA256 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100
SHA512 de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32

C:\Users\Admin\AppData\Local\Temp\Degrees

MD5 27b98647e42753e5bb64e27e42c36a0b
SHA1 5ffc231a7584a649c068950cfe13649391364fb5
SHA256 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6
SHA512 d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0

C:\Users\Admin\AppData\Local\Temp\Angels

MD5 a593d3200e5eb73c1d0cd6a8572d9820
SHA1 eaaa702a857179ba67d5d30010653b53c1bcae77
SHA256 f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf
SHA512 d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b

C:\Users\Admin\AppData\Local\Temp\Register

MD5 fd13359962e436976f7446c817722953
SHA1 23b784d095acd9478c659fef3e5967d893029fef
SHA256 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7
SHA512 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1

C:\Users\Admin\AppData\Local\Temp\Records

MD5 c4dbb9a4f3fcfa63357cfdeec29d5b93
SHA1 6a015af18e535919433bc696463423d541dbc8dc
SHA256 f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012
SHA512 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089

C:\Users\Admin\AppData\Local\Temp\Engines

MD5 fbb3aa92f3bcd2440080205790ba1859
SHA1 dc993e62a41d0a3467ce270938fd9fe0c770f727
SHA256 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba
SHA512 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\543333\f

MD5 0596c72d30b87d69ced68aaf078b4694
SHA1 17d2ddcdfd4e353f142c2de12b97ee92adc550a6
SHA256 f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47
SHA512 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1

memory/4112-84-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-85-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-87-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-88-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-92-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-99-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-98-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-95-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-96-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-94-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-93-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-91-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-90-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-89-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-97-0x0000000001000000-0x00000000011E0000-memory.dmp

C:\Users\Admin\Documents\iofolko5\2NDCNrPEkRdHFCZp1Y4lvKa1.exe

MD5 1ef9bbed957bcd2df5a639e04a67f8bb
SHA1 dea8af341746162f51e7c37486c43f484b7eaa20
SHA256 a1259a67819bb78fb8d97596daeaee6d01f8cf984dd217c7bf10e1808f3d7c01
SHA512 1f915183d6b688324e4e3b6041ae780aeda3cdbe65156f6b151be8be3c09be9f55c56577e494bc1e8b96c146dcf76204745b7bcdc2a222854f0784a766020663

C:\Users\Admin\Documents\iofolko5\V7ppNEbCRdUPl6LMzSAkn4ht.exe

MD5 8e41d2107579afb2911dccffeab97f1c
SHA1 e364f0f9b85adcb64747c8eac819a1b59b458727
SHA256 c5c219a6512dc639b5ac5837abe4217e265f7d165159da131eb32048b0c15030
SHA512 3f6193ece0cfca6cdbe2803ddbb6d38295837f7c01e92594fad0ce7be2f505880daa8e48d77fe00a18d7d18ed9413873e70f7ab0baf1438431f8b8c7e1b9de88

C:\Users\Admin\Documents\iofolko5\VAtenDpwFAQuw1ieHk8RRfSA.exe

MD5 6d90f5899ff47cd3519ee0f53b8900f6
SHA1 1c28f0a93e4258f2370b14c58872ef1987109a5e
SHA256 7935b5b0a3c2fe6391fad0065809fbdd361af8a34fce890182a63a312f1703ef
SHA512 985fd3862446ddb8c6baf0ba68b31414a3a004033ff7a5bc37cbfc7e8b7ccbaf43642c16b7c67be6e7e8fcce38edede7986b786740d20da71178a42b7d296146

C:\Users\Admin\Documents\iofolko5\yFoQIntT_ijzBArtgIGIQJrN.exe

MD5 758ba2e8ed6e7ecde55b15e7930156e1
SHA1 bb3b924d45e7fff4f9cc2b087327643250a0e026
SHA256 2f6c256196127c2b28211a50f2c9a69f50226506fed6b1a528eea6574a2d0443
SHA512 b9c79ffc42927bbd7d691c3b83cbf793b4b74dd6cc59a34f5b051a8ebafabcc34b1f49c021e2b6b1a7b6f230c9b1a5622090d48325dccbdc6aa77a949877937c

memory/4112-140-0x0000000001000000-0x00000000011E0000-memory.dmp

C:\Users\Admin\Documents\iofolko5\v5_ZpXUboQA4uZKD1PK66UZq.exe

MD5 c835aa61191a38f357333fff57f6c81a
SHA1 5319123a505e379a75f00ee5a51588a97b2bdad8
SHA256 ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
SHA512 2864b0d47287dae58d2f46ae7a5edfd2b0a274e05706a7718dcff7f8c908d3b6e5b8550a2c978cdc3782535fd864092a20a2836fd25f7a7a6cc61d589f582f14

C:\Users\Admin\Documents\iofolko5\7lrlbrF9aI8Hoyp6tn1P1Rwa.exe

MD5 09c44ee055df05f0dc2d31f073eb3abc
SHA1 8ac5dd0887560cb9fb65af57668177211b0d768a
SHA256 f36637e98b249981f8b88c0dcdeb19cafe8fe5f262d83038990caa7e08141549
SHA512 88affeee3b02ba54988ac87d6126ccd6ac29b01eb9ca8a5a8aeb26d34c9b6e6706d207cb65b521b75870faccc7701e6a17284aa6ca6d281792cb3aa8475f5832

C:\Users\Admin\Documents\iofolko5\doL2QrffwqgtJ051J1s5JyXm.exe

MD5 025ebe0a476fe1a27749e6da0eea724f
SHA1 fe844380280463b927b9368f9eace55eb97baab7
SHA256 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2
SHA512 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799

C:\Users\Admin\Documents\iofolko5\Lzji3ugfMQ5tcs3C4OYQy7Kc.exe

MD5 62abfe8a7ad3a99ea4d57734689952ef
SHA1 4be1f30fd67930a52139df6716871a243dc68d55
SHA256 1fd8bac5cc2b9aecafc8b0911842c86f0e5e16d58c82a93d717d2527d730ae54
SHA512 7bcde56bfef05ea8cb9ab646e74e2fc4c1ebec2eba5d03e479f0bebb8b23b40b077f0efd1d67e30896672493a2ddc3d292642a44c093042803d8304e1323a0f2

C:\Users\Admin\Documents\iofolko5\p5Gt68eveVF3ApNDYqmZZ04D.exe

MD5 d4ac1a0d0504ab9a127defa511df833e
SHA1 9254864b6917eba6d4d4616ac2564f192626668b
SHA256 a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848
SHA512 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5

C:\Users\Admin\Documents\iofolko5\Poj71k3Ya_HeS8G39DU1IT_3.exe

MD5 8f1226564420db401523ec1578a5e253
SHA1 9d8e720e4b08a25f7d28805fb0dad3441b2a1bf2
SHA256 d6058d37f5f4f1612515afead2110e717d0f16432320336c07278fcccb28c7bc
SHA512 83b0f183affa30df490c13737acf9dd9b5b261933e9c454d486ba24b8e21ee8393f3eec2cd42bc394f6c47de3dfb23dd0dab8d6ef505af5714d46067832b3751

C:\Users\Admin\Documents\iofolko5\Tf9c6gMov8bUfY8IVViEIjnW.exe

MD5 865adfa302bfc57219c6541aebbfa1c9
SHA1 aeeb2cdc6cdd99705094904fdf65f52910e8fb89
SHA256 de35d4193e3e6b9410a748c59bb2e0fc84ea2a3f16cc8d9d1d598fb32f0f0d4c
SHA512 fb6a9dd9d66013e2274adca885b3d0f038aa14cf4a64bac2140203ff72d2091e71c6929d3748af6e999c9b1c95098036489568ac8c40032bc819d917a4e87b38

memory/3604-209-0x0000000001190000-0x0000000001805000-memory.dmp

memory/4112-228-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-226-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-224-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-222-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/204-217-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4112-230-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-213-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/1744-241-0x0000000000DF0000-0x00000000010E2000-memory.dmp

memory/4780-245-0x00007FFBEEBB0000-0x00007FFBEEBB2000-memory.dmp

memory/2012-243-0x0000000000B60000-0x0000000000EB6000-memory.dmp

memory/4112-220-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-207-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-200-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-202-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/4112-198-0x0000000001000000-0x00000000011E0000-memory.dmp

memory/3012-244-0x0000000000150000-0x000000000078A000-memory.dmp

memory/1744-250-0x0000000005A00000-0x0000000005A9C000-memory.dmp

memory/3012-257-0x0000000005120000-0x0000000005206000-memory.dmp

memory/3104-280-0x0000000000400000-0x0000000000641000-memory.dmp

memory/3788-286-0x0000000000400000-0x0000000000641000-memory.dmp

memory/520-298-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1744-304-0x00000000057A0000-0x00000000057C2000-memory.dmp

memory/1744-302-0x0000000005D60000-0x0000000005EFE000-memory.dmp

memory/1284-301-0x00000000050C0000-0x0000000005152000-memory.dmp

memory/1284-300-0x00000000056A0000-0x0000000005B9E000-memory.dmp

memory/520-299-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3104-297-0x0000000000400000-0x0000000000641000-memory.dmp

memory/3788-292-0x0000000000400000-0x0000000000641000-memory.dmp

memory/3788-290-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2520-289-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1744-288-0x0000000005BA0000-0x0000000005D40000-memory.dmp

memory/3104-296-0x0000000000400000-0x0000000000641000-memory.dmp

memory/1164-281-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1480-278-0x0000000000A90000-0x0000000000AC8000-memory.dmp

memory/2520-283-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1568-263-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1284-261-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2012-260-0x0000000003220000-0x0000000003242000-memory.dmp

memory/3012-258-0x0000000004F20000-0x0000000004F42000-memory.dmp

memory/5000-255-0x0000000000200000-0x0000000000254000-memory.dmp

memory/2300-253-0x0000000000AD0000-0x0000000000B58000-memory.dmp

memory/2012-252-0x0000000005940000-0x0000000005A76000-memory.dmp

memory/4780-247-0x0000000140000000-0x0000000141999000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9U3RM.tmp\Poj71k3Ya_HeS8G39DU1IT_3.tmp

MD5 99051a966577adf59f776eb19e53b806
SHA1 4b351abfa134d06762846b779587563ac392ddbc
SHA256 76ca9b5096126861060c47a377cf75fc60119a6c98dc5e6c6c763c6e475aed3b
SHA512 e94548f9f07c6944a07bbdec03466dfbfb337fd2636cd1ec537dba3ecd9fe6bac18d455aeb2ebd162d4181c852fe582373dc5f5cc33aa6a05bed1cd89e4947b5

memory/1464-308-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1464-305-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1284-307-0x0000000005160000-0x000000000516A000-memory.dmp

memory/1464-306-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp6EAE.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3604-314-0x0000000001190000-0x0000000001805000-memory.dmp

memory/1284-334-0x0000000005CA0000-0x0000000005D16000-memory.dmp

memory/1284-335-0x00000000063D0000-0x00000000063EE000-memory.dmp

memory/1284-337-0x0000000006A00000-0x0000000007006000-memory.dmp

memory/1284-338-0x0000000006570000-0x000000000667A000-memory.dmp

memory/1284-339-0x00000000064A0000-0x00000000064B2000-memory.dmp

memory/1284-340-0x0000000006500000-0x000000000653E000-memory.dmp

memory/1284-341-0x0000000006680000-0x00000000066CB000-memory.dmp

memory/1568-343-0x0000000008180000-0x00000000081CA000-memory.dmp

memory/1568-346-0x0000000008CB0000-0x0000000008CD0000-memory.dmp

memory/1568-348-0x0000000008D40000-0x0000000008DA6000-memory.dmp

memory/204-347-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2520-349-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1568-379-0x0000000009450000-0x0000000009552000-memory.dmp

memory/1568-380-0x0000000009830000-0x00000000099F2000-memory.dmp

memory/1568-381-0x0000000009F30000-0x000000000A45C000-memory.dmp

memory/3192-388-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1284-397-0x00000000073A0000-0x00000000073F0000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2256-422-0x0000000000AE0000-0x0000000000B34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminBAAFBFBAAK.exe.log

MD5 84cfdb4b995b1dbf543b26b86c863adc
SHA1 d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256 d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

C:\ProgramData\IECAFHDBGHJK\CFIECB

MD5 f1f1e52e12157f58250690a14935123a
SHA1 025aa05e57a95271b542e7f968750fe0b7152775
SHA256 158a58c6f84871d2d0ad01de5e4b54f308bea3669a5e8e5bb4ad5b0824a9f72e
SHA512 8f3b4841ce6aea0d3a0e93b420b5985be47c609f4e477e432c626b2146c8b97854ed115b3c4fa2495033a103cb51f0d9cce85b14acb0a1de2227bbbb2305fab5

C:\ProgramData\IECAFHDBGHJK\DHDHJJ

MD5 0993dc3321bab9ea7c8f3cb6381ce9ec
SHA1 0bdbdca0fbee8b8f362008bd637f45044b95cbdc
SHA256 d3f7c16c89f3f15bbb3a728a2bdfda1371c1dab8d654c1068fbffc0507b94916
SHA512 9bc1d39fb63b610e22bf219e10887ab4919f26b2e7c928ed4864527660dd05f5298eb9cb91573a4cc263ae08935cab219c8bcdff948a7725e4e84ad5948f7dbd

C:\ProgramData\CBFIIEHJDBKJ\CBFIIE

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\ProgramData\CBFIIEHJDBKJ\IEGCAA

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\CBFIIEHJDBKJ\CBFIIE

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 11:56

Reported

2024-08-29 12:05

Platform

win7-20240708-es

Max time kernel

295s

Max time network

317s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2860 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
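Taken together, the signatures in this section and the cleanup command from behavioral1 (cmd.exe /c timeout /t 10 & rd /s /q "C:\ProgramData\IECAFHDBGHJK" & exit) describe a chain that is easy to express as host-based detection logic: a dropper in the user's Temp directory spawns cmd.exe, which runs tasklist and findstr (process enumeration, typically to look for security products), a .pif under a numbered Temp subdirectory is executed and sets the thread context of a second instance of itself, and a delayed rd /s /q later removes the working directory under ProgramData. The following Python is an added example, not part of the report or of any sandbox or EDR product, that runs four such rules over constructed process-creation and thread-context events. PIDs and image paths are the ones the tables above list; the parent links and PIDs not shown on the page (File.exe's parent, Knowledgestorm.pif's parent, the cleanup cmd.exe) and the benign control event are assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed events modelled on the report. "create" events carry the
# parent link; "set_thread_context" events carry source and target.
# Command lines are included only where the report prints them.
EVENTS: List[Event] = [
    {"type": "create", "pid": 2628, "ppid": 1000,            # parent PID assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\File.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\File.exe"'},
    {"type": "create", "pid": 2688, "ppid": 2628,
     "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "create", "pid": 2548, "ppid": 2688,
     "image": r"C:\Windows\SysWOW64\tasklist.exe"},
    {"type": "create", "pid": 1196, "ppid": 2688,
     "image": r"C:\Windows\SysWOW64\findstr.exe"},
    {"type": "create", "pid": 2860, "ppid": 2688,            # parent assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif"},
    {"type": "set_thread_context", "pid": 2860, "target_pid": 2844,
     "image": r"C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif",
     "target_image": r"C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif"},
    # Cleanup command as printed in behavioral1; PID and parent assumed.
    {"type": "create", "pid": 3300, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IECAFHDBGHJK" & exit'},
    # Benign control (assumed): an operator running tasklist from an interactive shell.
    {"type": "create", "pid": 4001, "ppid": 4000,
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# A .pif (a PE renamed to a legacy extension) directly under Temp\<digits>\
PIF_IN_NUMBERED_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\\d+\\[^\\]+\.pif$", re.I)
# "timeout /t N & rd /s /q "C:\ProgramData\<random letters>"" as seen in behavioral1
CLEANUP_RE = re.compile(
    r'timeout\s+/t\s+\d+\s*&\s*rd\s+/s\s+/q\s+"C:\\ProgramData\\[A-Z]{8,}"', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "create"}
    hits: List[Tuple[str, int]] = []
    for e in events:
        if e["type"] == "create":
            name = basename(e["image"])
            parent = by_pid.get(e["ppid"])
            grandparent = by_pid.get(parent["ppid"]) if parent else None
            # Rule A: tasklist/findstr launched by a cmd.exe whose own parent
            # runs from the user's Temp directory (enumeration by a dropper).
            if (name in ("tasklist.exe", "findstr.exe") and parent
                    and basename(parent["image"]) == "cmd.exe"
                    and grandparent and TEMP_RE.search(grandparent["image"])):
                hits.append(("temp_cmd_process_enum", e["pid"]))
            # Rule B: executable with a .pif extension under Temp\<digits>\.
            if PIF_IN_NUMBERED_TEMP_RE.search(e["image"]):
                hits.append(("pif_in_numbered_temp_dir", e["pid"]))
            # Rule D: delayed recursive delete of a ProgramData working directory.
            if CLEANUP_RE.search(e.get("cmdline", "")):
                hits.append(("delayed_programdata_cleanup", e["pid"]))
        elif e["type"] == "set_thread_context":
            # Rule C: one process setting thread context in another process
            # that runs the same image, the self-hollowing pattern above.
            if (e["pid"] != e["target_pid"]
                    and e["image"].lower() == e["target_image"].lower()):
                hits.append(("set_thread_context_same_image", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Rule A relies on the grandparent, not just the parent, because cmd.exe launching tasklist is common; what makes it suspicious here is that the cmd.exe was itself started by a binary in %TEMP%. The benign control in the event list (tasklist from an interactive shell) is there to show that the rule stays quiet on it. In a real deployment these events would come from Sysmon event IDs 1 (process creation) and 10 (process access) or an EDR's equivalent, and Rule C would key on the access mask rather than on an explicit set-thread-context event.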

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-ESRNR.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2628 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2688 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2688 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2688 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2688 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2688 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2688 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2688 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2688 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2688 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2844 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2844 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2844 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2844 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2844 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2844 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2844 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2028 wrote to memory of 2172 N/A C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp
PID 2028 wrote to memory of 2172 N/A C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp
PID 2028 wrote to memory of 2172 N/A C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp
PID 2028 wrote to memory of 2172 N/A C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp
PID 2028 wrote to memory of 2172 N/A C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp
PID 2028 wrote to memory of 2172 N/A C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp
PID 2028 wrote to memory of 2172 N/A C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp
PID 2172 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2172 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2172 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe
PID 2172 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 543333

C:\Windows\SysWOW64\findstr.exe

findstr /V "ZambiaExpressionEdWarnings" Organizational

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Knowledgestorm.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe

C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe

C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp" /SL5="$A0132,3153536,913408,C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe"

C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe

"C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-ESRNR.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ESRNR.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp" /SL5="$A0130,3153536,913408,C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe" /VERYSILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
DE 92.246.139.82:80 92.246.139.82 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 statsrvv.com udp
US 104.21.31.110:443 statsrvv.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\Opinion

MD5 14cc1fb9d1af48eefbf8886f7afb6aaf
SHA1 5c3f6bd7d25302838faeac6235d11d29a7e148d9
SHA256 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022
SHA512 cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13

C:\Users\Admin\AppData\Local\Temp\Organizational

MD5 7b8287c0afd0f089d462d20227527313
SHA1 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9
SHA256 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604
SHA512 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01

C:\Users\Admin\AppData\Local\Temp\Administrator

MD5 d4fdc8b32df2a7aeff68f050ff4e99f5
SHA1 596c4fcdabd92baf7306afe28ad4769210c8c61e
SHA256 ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670
SHA512 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328

C:\Users\Admin\AppData\Local\Temp\Offerings

MD5 c1b98968af3ca9958da994e0d2b64ca5
SHA1 86a2c66038306cea65319eda4dc28e9ca416ecba
SHA256 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a
SHA512 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a

C:\Users\Admin\AppData\Local\Temp\Erotic

MD5 baa394d9b7256b54d2a17aef107d6587
SHA1 ebb8b2974d73f4259fb01132ffaa9e93f9e32784
SHA256 ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc
SHA512 ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0

C:\Users\Admin\AppData\Local\Temp\Worldwide

MD5 0a51acf518d3af32972473ad935785b2
SHA1 2890597974297152d974f0bc05abd0689dcbe140
SHA256 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf
SHA512 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 6935c3ee488f7e35515d746c51ed5e63
SHA1 eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096
SHA256 c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6
SHA512 f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81

C:\Users\Admin\AppData\Local\Temp\Nylon

MD5 7ec83d9c67fdabe8d1a30d598b074796
SHA1 909f7cc320e0584037121527c3916b633f9e1f9f
SHA256 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1
SHA512 d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 19d61e16dada8cd392e3c8bf745776d9
SHA1 ebbd31fe57f9b77b383326b42e166340c0cf721b
SHA256 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b
SHA512 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03

C:\Users\Admin\AppData\Local\Temp\Thomas

MD5 7fe92d1a548602fde1565d712bda2c31
SHA1 6b0f68dfef457c84c8c8de12a81356d34a745a01
SHA256 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4
SHA512 bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d

C:\Users\Admin\AppData\Local\Temp\Will

MD5 1a91d5a1c1770b7f0f9cfce2e2e033c3
SHA1 9bab62fa38126f91be59f6bc42b18c7d2797abc2
SHA256 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5
SHA512 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557

C:\Users\Admin\AppData\Local\Temp\Whenever

MD5 e4aa61dd9135241d399813916b7810d9
SHA1 59f3a9e4706b7c8b360d89fc25712b25a4a29380
SHA256 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1
SHA512 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183

C:\Users\Admin\AppData\Local\Temp\Registered

MD5 df64d534153e3209f9205105677a7926
SHA1 78a92c5660604a1806cff15b390928a60bc665a2
SHA256 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590
SHA512 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda

C:\Users\Admin\AppData\Local\Temp\Clips

MD5 07b6cca17ff3d67686dcb686c7397959
SHA1 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a
SHA256 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4
SHA512 a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5

C:\Users\Admin\AppData\Local\Temp\Wiki

MD5 62691926c398272b060aca24576fa46a
SHA1 8bf7fb2b2df52820ee9ef46790e70ca3b4945add
SHA256 d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1
SHA512 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047

C:\Users\Admin\AppData\Local\Temp\Route

MD5 8494c7d9d337a740a2b78b91d6a25741
SHA1 95623c0ae4cda059b11cff25ea05324c4dc9ca7d
SHA256 ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2
SHA512 b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577

C:\Users\Admin\AppData\Local\Temp\Concert

MD5 40bd98de2c6eafc9393dea5648237efb
SHA1 f920b8feac96be36ee27fa187ccbaf5156bd8969
SHA256 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd
SHA512 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d

C:\Users\Admin\AppData\Local\Temp\Challenged

MD5 95a29849fca591f7dd60ce737d9fad75
SHA1 0d09edf10128e174ca9010838a43247e3786ba4e
SHA256 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326
SHA512 d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d

C:\Users\Admin\AppData\Local\Temp\Bibliography

MD5 cbabde4bcb3d6b2a1a62629d3fae6942
SHA1 062f09fd85db0324294b901f9a6a4b1a207d46e8
SHA256 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436
SHA512 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093

C:\Users\Admin\AppData\Local\Temp\Cubic

MD5 34a6728cd9f73abf7a91f66252cf0829
SHA1 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c
SHA256 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43
SHA512 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf

C:\Users\Admin\AppData\Local\Temp\Charleston

MD5 ecdf78d1f969073a83acb1e32ba80a05
SHA1 e547ae72ce76d015dd5f2b41eecda246eae3720c
SHA256 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1
SHA512 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d

C:\Users\Admin\AppData\Local\Temp\Turn

MD5 8bc214a5383ab3532a20b52ac5624501
SHA1 4d0e206963a38de8c54785847bd935218729f296
SHA256 d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0
SHA512 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445

C:\Users\Admin\AppData\Local\Temp\Infection

MD5 bfa650e559e2a6c7ed47bfccf27d4cbb
SHA1 869f87feb559cfa55d28dc75f9cd01a458774cec
SHA256 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af
SHA512 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9

C:\Users\Admin\AppData\Local\Temp\Wool

MD5 e17b22ee13a0359fcc5e72e312177b73
SHA1 f1f7482a1674ff2b35f4dc75861dde4d6560ccb5
SHA256 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a
SHA512 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48

C:\Users\Admin\AppData\Local\Temp\Wanted

MD5 2bc8cd3cd9520b534f5c7a2b29d43476
SHA1 8d19c65db42fbf5432942af24176ec0428eb03dd
SHA256 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577
SHA512 e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38

C:\Users\Admin\AppData\Local\Temp\Planets

MD5 8b8508d4de0fccf374111ddb5079207c
SHA1 e358b9489aac68dc51097d7680b5df2542dda3d9
SHA256 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1
SHA512 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe

C:\Users\Admin\AppData\Local\Temp\Sixth

MD5 88023976d5464e26d23fa462ecf19a24
SHA1 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873
SHA256 ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f
SHA512 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4

C:\Users\Admin\AppData\Local\Temp\Wallpapers

MD5 702274c76f1e8b5e3cf6eb9a64bd7040
SHA1 7ada91befe55505e32d2bb64c47e8b1725525cad
SHA256 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149
SHA512 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa

C:\Users\Admin\AppData\Local\Temp\Definition

MD5 0255c33cd5087c24e5b4f0d82abae604
SHA1 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1
SHA256 bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95
SHA512 cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd

C:\Users\Admin\AppData\Local\Temp\Keywords

MD5 902bb2bacc6ea96547fc1383a019761f
SHA1 b712a36338a7e37d936489db47844657e3d531af
SHA256 fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5
SHA512 f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a

C:\Users\Admin\AppData\Local\Temp\Astrology

MD5 8ce87c92b9692122e0869a296721f672
SHA1 8bf412633ba9798702dea6c3c56e0f219d75f112
SHA256 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1
SHA512 b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d

C:\Users\Admin\AppData\Local\Temp\Degrees

MD5 27b98647e42753e5bb64e27e42c36a0b
SHA1 5ffc231a7584a649c068950cfe13649391364fb5
SHA256 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6
SHA512 d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0

\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\Engines

MD5 fbb3aa92f3bcd2440080205790ba1859
SHA1 dc993e62a41d0a3467ce270938fd9fe0c770f727
SHA256 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba
SHA512 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469

C:\Users\Admin\AppData\Local\Temp\Angels

MD5 a593d3200e5eb73c1d0cd6a8572d9820
SHA1 eaaa702a857179ba67d5d30010653b53c1bcae77
SHA256 f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf
SHA512 d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b

C:\Users\Admin\AppData\Local\Temp\Register

MD5 fd13359962e436976f7446c817722953
SHA1 23b784d095acd9478c659fef3e5967d893029fef
SHA256 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7
SHA512 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1

C:\Users\Admin\AppData\Local\Temp\Records

MD5 c4dbb9a4f3fcfa63357cfdeec29d5b93
SHA1 6a015af18e535919433bc696463423d541dbc8dc
SHA256 f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012
SHA512 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089

C:\Users\Admin\AppData\Local\Temp\Harley

MD5 7d022467103662db65311c796de33eb7
SHA1 c8b52feeaaf322b16238787f7837da1b4be95118
SHA256 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100
SHA512 de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32

C:\Users\Admin\AppData\Local\Temp\Almost

MD5 83cf5ee2c502f847da364a9e6a4245df
SHA1 8fc51be5da0a57ef671ddf65bf5b0db444a135b9
SHA256 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f
SHA512 d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f

C:\Users\Admin\AppData\Local\Temp\543333\f

MD5 0596c72d30b87d69ced68aaf078b4694
SHA1 17d2ddcdfd4e353f142c2de12b97ee92adc550a6
SHA256 f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47
SHA512 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1

memory/2844-87-0x0000000000690000-0x0000000000870000-memory.dmp

memory/2844-88-0x0000000000690000-0x0000000000870000-memory.dmp

memory/2844-90-0x0000000000690000-0x0000000000870000-memory.dmp

memory/2844-91-0x0000000000690000-0x0000000000870000-memory.dmp

C:\Users\Admin\Documents\iofolko5\Q72nFhRl4a45inWd9UydZO8q.exe

MD5 e66d3c8d8751bbddf797b0f29cd82d07
SHA1 9a4b487aec3f1dc9d6df01a848cebb5796ff00fe
SHA256 005f520f3ea15ed0812288ef997f89a3b5c5a448970e2c8b8fe8d7385eace72b
SHA512 b11977ac5384e4df6fe450a270336be4fe963a26687f2d15c0f35746c9aa1b2d29e9ef20df6f95e21a73b34c39d0ff9b1a005c18214e267ed5e692b931cb5982

memory/2844-103-0x0000000000690000-0x0000000000870000-memory.dmp

memory/2028-105-0x00000000011E0000-0x00000000012CD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-GM7HE.tmp\Q72nFhRl4a45inWd9UydZO8q.tmp

MD5 cf0d7001a4f0eb0f38f2ad91a348fe30
SHA1 2ce1382a0fbe153ea12bcf46b69bc122f790fead
SHA256 6baa797bcad29aaa59818588de0ba03aa76d6b6377b7464712f0ad3f2928e1d4
SHA512 1d70d03045df56ca0beac75794763b5c7d9af07d673ddef350056f9f6f89fbddb9ef0969413fec450926153ef9f3d64492a0d504e25bf6a556b8e3910d0f8176

memory/1672-118-0x00000000011E0000-0x00000000012CD000-memory.dmp

memory/2172-117-0x0000000000D90000-0x00000000010E4000-memory.dmp

memory/1768-127-0x00000000002D0000-0x0000000000624000-memory.dmp

memory/2028-129-0x00000000011E0000-0x00000000012CD000-memory.dmp

memory/1672-131-0x00000000011E0000-0x00000000012CD000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-29 11:56

Reported

2024-08-29 12:05

Platform

win10v2004-20240802-es

Max time kernel

302s

Max time network

329s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3632 set thread context of 4280 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3832 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4672 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4672 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 1944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4672 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4672 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4672 wrote to memory of 5744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 5744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 5744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 5564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 5564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 5564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4672 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4672 wrote to memory of 3632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4672 wrote to memory of 5384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4672 wrote to memory of 5384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4672 wrote to memory of 5384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 3632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 3632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 3632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 3632 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 543333

C:\Windows\SysWOW64\findstr.exe

findstr /V "ZambiaExpressionEdWarnings" Organizational

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Knowledgestorm.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Opinion

MD5 14cc1fb9d1af48eefbf8886f7afb6aaf
SHA1 5c3f6bd7d25302838faeac6235d11d29a7e148d9
SHA256 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022
SHA512 cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13

C:\Users\Admin\AppData\Local\Temp\Organizational

MD5 7b8287c0afd0f089d462d20227527313
SHA1 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9
SHA256 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604
SHA512 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01

C:\Users\Admin\AppData\Local\Temp\Administrator

MD5 d4fdc8b32df2a7aeff68f050ff4e99f5
SHA1 596c4fcdabd92baf7306afe28ad4769210c8c61e
SHA256 ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670
SHA512 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328

C:\Users\Admin\AppData\Local\Temp\Offerings

MD5 c1b98968af3ca9958da994e0d2b64ca5
SHA1 86a2c66038306cea65319eda4dc28e9ca416ecba
SHA256 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a
SHA512 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a

C:\Users\Admin\AppData\Local\Temp\Erotic

MD5 baa394d9b7256b54d2a17aef107d6587
SHA1 ebb8b2974d73f4259fb01132ffaa9e93f9e32784
SHA256 ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc
SHA512 ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0

C:\Users\Admin\AppData\Local\Temp\Worldwide

MD5 0a51acf518d3af32972473ad935785b2
SHA1 2890597974297152d974f0bc05abd0689dcbe140
SHA256 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf
SHA512 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 6935c3ee488f7e35515d746c51ed5e63
SHA1 eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096
SHA256 c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6
SHA512 f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81

C:\Users\Admin\AppData\Local\Temp\Nylon

MD5 7ec83d9c67fdabe8d1a30d598b074796
SHA1 909f7cc320e0584037121527c3916b633f9e1f9f
SHA256 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1
SHA512 d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 19d61e16dada8cd392e3c8bf745776d9
SHA1 ebbd31fe57f9b77b383326b42e166340c0cf721b
SHA256 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b
SHA512 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03

C:\Users\Admin\AppData\Local\Temp\Will

MD5 1a91d5a1c1770b7f0f9cfce2e2e033c3
SHA1 9bab62fa38126f91be59f6bc42b18c7d2797abc2
SHA256 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5
SHA512 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557

C:\Users\Admin\AppData\Local\Temp\Wiki

MD5 62691926c398272b060aca24576fa46a
SHA1 8bf7fb2b2df52820ee9ef46790e70ca3b4945add
SHA256 d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1
SHA512 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047

C:\Users\Admin\AppData\Local\Temp\Challenged

MD5 95a29849fca591f7dd60ce737d9fad75
SHA1 0d09edf10128e174ca9010838a43247e3786ba4e
SHA256 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326
SHA512 d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d

C:\Users\Admin\AppData\Local\Temp\Sixth

MD5 88023976d5464e26d23fa462ecf19a24
SHA1 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873
SHA256 ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f
SHA512 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4

C:\Users\Admin\AppData\Local\Temp\Planets

MD5 8b8508d4de0fccf374111ddb5079207c
SHA1 e358b9489aac68dc51097d7680b5df2542dda3d9
SHA256 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1
SHA512 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe

C:\Users\Admin\AppData\Local\Temp\Wanted

MD5 2bc8cd3cd9520b534f5c7a2b29d43476
SHA1 8d19c65db42fbf5432942af24176ec0428eb03dd
SHA256 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577
SHA512 e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38

C:\Users\Admin\AppData\Local\Temp\Wool

MD5 e17b22ee13a0359fcc5e72e312177b73
SHA1 f1f7482a1674ff2b35f4dc75861dde4d6560ccb5
SHA256 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a
SHA512 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48

C:\Users\Admin\AppData\Local\Temp\Infection

MD5 bfa650e559e2a6c7ed47bfccf27d4cbb
SHA1 869f87feb559cfa55d28dc75f9cd01a458774cec
SHA256 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af
SHA512 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9

C:\Users\Admin\AppData\Local\Temp\Turn

MD5 8bc214a5383ab3532a20b52ac5624501
SHA1 4d0e206963a38de8c54785847bd935218729f296
SHA256 d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0
SHA512 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445

C:\Users\Admin\AppData\Local\Temp\Charleston

MD5 ecdf78d1f969073a83acb1e32ba80a05
SHA1 e547ae72ce76d015dd5f2b41eecda246eae3720c
SHA256 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1
SHA512 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d

C:\Users\Admin\AppData\Local\Temp\Cubic

MD5 34a6728cd9f73abf7a91f66252cf0829
SHA1 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c
SHA256 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43
SHA512 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf

C:\Users\Admin\AppData\Local\Temp\Bibliography

MD5 cbabde4bcb3d6b2a1a62629d3fae6942
SHA1 062f09fd85db0324294b901f9a6a4b1a207d46e8
SHA256 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436
SHA512 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093

C:\Users\Admin\AppData\Local\Temp\Concert

MD5 40bd98de2c6eafc9393dea5648237efb
SHA1 f920b8feac96be36ee27fa187ccbaf5156bd8969
SHA256 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd
SHA512 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d

C:\Users\Admin\AppData\Local\Temp\Clips

MD5 07b6cca17ff3d67686dcb686c7397959
SHA1 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a
SHA256 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4
SHA512 a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5

C:\Users\Admin\AppData\Local\Temp\Registered

MD5 df64d534153e3209f9205105677a7926
SHA1 78a92c5660604a1806cff15b390928a60bc665a2
SHA256 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590
SHA512 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda

C:\Users\Admin\AppData\Local\Temp\Wallpapers

MD5 702274c76f1e8b5e3cf6eb9a64bd7040
SHA1 7ada91befe55505e32d2bb64c47e8b1725525cad
SHA256 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149
SHA512 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa

C:\Users\Admin\AppData\Local\Temp\Whenever

MD5 e4aa61dd9135241d399813916b7810d9
SHA1 59f3a9e4706b7c8b360d89fc25712b25a4a29380
SHA256 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1
SHA512 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183

C:\Users\Admin\AppData\Local\Temp\Route

MD5 8494c7d9d337a740a2b78b91d6a25741
SHA1 95623c0ae4cda059b11cff25ea05324c4dc9ca7d
SHA256 ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2
SHA512 b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577

C:\Users\Admin\AppData\Local\Temp\Thomas

MD5 7fe92d1a548602fde1565d712bda2c31
SHA1 6b0f68dfef457c84c8c8de12a81356d34a745a01
SHA256 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4
SHA512 bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d

C:\Users\Admin\AppData\Local\Temp\Keywords

MD5 902bb2bacc6ea96547fc1383a019761f
SHA1 b712a36338a7e37d936489db47844657e3d531af
SHA256 fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5
SHA512 f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a

C:\Users\Admin\AppData\Local\Temp\Degrees

MD5 27b98647e42753e5bb64e27e42c36a0b
SHA1 5ffc231a7584a649c068950cfe13649391364fb5
SHA256 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6
SHA512 d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0

C:\Users\Admin\AppData\Local\Temp\Angels

MD5 a593d3200e5eb73c1d0cd6a8572d9820
SHA1 eaaa702a857179ba67d5d30010653b53c1bcae77
SHA256 f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf
SHA512 d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b

C:\Users\Admin\AppData\Local\Temp\Register

MD5 fd13359962e436976f7446c817722953
SHA1 23b784d095acd9478c659fef3e5967d893029fef
SHA256 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7
SHA512 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1

C:\Users\Admin\AppData\Local\Temp\Records

MD5 c4dbb9a4f3fcfa63357cfdeec29d5b93
SHA1 6a015af18e535919433bc696463423d541dbc8dc
SHA256 f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012
SHA512 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089

C:\Users\Admin\AppData\Local\Temp\Harley

MD5 7d022467103662db65311c796de33eb7
SHA1 c8b52feeaaf322b16238787f7837da1b4be95118
SHA256 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100
SHA512 de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32

C:\Users\Admin\AppData\Local\Temp\Astrology

MD5 8ce87c92b9692122e0869a296721f672
SHA1 8bf412633ba9798702dea6c3c56e0f219d75f112
SHA256 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1
SHA512 b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d

C:\Users\Admin\AppData\Local\Temp\Almost

MD5 83cf5ee2c502f847da364a9e6a4245df
SHA1 8fc51be5da0a57ef671ddf65bf5b0db444a135b9
SHA256 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f
SHA512 d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f

C:\Users\Admin\AppData\Local\Temp\Definition

MD5 0255c33cd5087c24e5b4f0d82abae604
SHA1 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1
SHA256 bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95
SHA512 cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd

C:\Users\Admin\AppData\Local\Temp\Engines

MD5 fbb3aa92f3bcd2440080205790ba1859
SHA1 dc993e62a41d0a3467ce270938fd9fe0c770f727
SHA256 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba
SHA512 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\543333\f

MD5 0596c72d30b87d69ced68aaf078b4694
SHA1 17d2ddcdfd4e353f142c2de12b97ee92adc550a6
SHA256 f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47
SHA512 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1

memory/4280-84-0x0000000000A80000-0x0000000000C60000-memory.dmp

memory/4280-85-0x0000000000A80000-0x0000000000C60000-memory.dmp

memory/4280-87-0x0000000000A80000-0x0000000000C60000-memory.dmp