Analysis Overview
SHA256
b936dc76c796a7ec52e4ecae7c99f3982236c23aa163150f906191ea6a73a460
Threat Level: Shows suspicious behavior
Verdict for File.rar: shows suspicious behavior. The behavioral runs below executed the archive's content as C:\Users\Admin\AppData\Local\Temp\File.exe.
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 11:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 11:45
Reported
2024-08-29 11:54
Platform
win7-20240708-en
Max time kernel
294s
Max time network
318s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1656 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\File.exe | "C:\Users\Admin\AppData\Local\Temp\File.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 543333 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "ZambiaExpressionEdWarnings" Organizational |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f |
| C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | Knowledgestorm.pif f |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
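The `copy /b` line above rebuilds the dropped file `543333\f` from 35 fragments in a fixed order, and the Files section gives the hash of the result. The Python below is an added example, not part of the sandbox report: it parses that exact command line to recover the fragment order and destination name, concatenates the fragments, and compares the SHA256 of the result with the hash the report lists for `f`. The report does not include fragment contents, so the fragment bytes used here are constructed stand-ins (labeled in the code); on a real case the dictionary is filled from the recovered fragment files, and a match confirms the reassembled file is the one that ran. Function and constant names are mine.

```python
"""Reassemble a payload that was split into fragments and rebuilt with `copy /b`."""
import hashlib
import re
from pathlib import PureWindowsPath

# Command line transcribed from the process list above (identical in behavioral1 and behavioral2).
COPY_CMD = (
    r"cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + "
    r"..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + "
    r"..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + "
    r"..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + "
    r"..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + "
    r"..\Register + ..\Angels + ..\Degrees + ..\Engines f"
)
# SHA256 the report lists for C:\Users\Admin\AppData\Local\Temp\543333\f
REPORTED_F_SHA256 = "f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47"

_COPY_RE = re.compile(r"copy\s+/b\s+(?P<rest>.+)$", re.IGNORECASE)


def parse_copy_command(cmdline: str) -> tuple[list[str], str]:
    """Return (ordered fragment file names, destination name) for `copy /b a + b + c dest`."""
    m = _COPY_RE.search(cmdline)
    if not m:
        raise ValueError("not a copy /b command line")
    # Everything before the last space is the source list; the last token is the destination.
    sources, _, dest = m.group("rest").strip().rpartition(" ")
    order = [PureWindowsPath(s.strip()).name for s in sources.split("+")]
    if not dest or not all(order):
        raise ValueError("malformed copy /b command line")
    return order, dest


def reassemble(order: list[str], fragments: dict[str, bytes]) -> bytes:
    """Concatenate fragments in copy /b order; refuse to build a partial file."""
    missing = [n for n in order if n not in fragments]
    if missing:
        raise FileNotFoundError(f"fragments not recovered: {missing}")
    return b"".join(fragments[n] for n in order)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_reported(data: bytes, reported: str = REPORTED_F_SHA256) -> bool:
    """True when the rebuilt bytes hash to the value the report lists."""
    return sha256_hex(data) == reported.lower()


def demo_fragments(order: list[str]) -> dict[str, bytes]:
    """Constructed stand-in fragment contents; the report does not include the real bytes."""
    return {name: f"<{name}>".encode() for name in order}


if __name__ == "__main__":
    order, dest = parse_copy_command(COPY_CMD)
    payload = reassemble(order, demo_fragments(order))
    print(f"{len(order)} fragments -> {dest}: {len(payload)} bytes, sha256={sha256_hex(payload)}")
    print("matches reported hash:", matches_reported(payload))
```

With real fragments, the per-file MD5/SHA1/SHA256 values in the Files section let you check each piece before concatenating, which isolates a corrupted or truncated fragment instead of leaving you with a single mismatch on the final hash.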
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Opinion
| MD5 | 14cc1fb9d1af48eefbf8886f7afb6aaf |
| SHA1 | 5c3f6bd7d25302838faeac6235d11d29a7e148d9 |
| SHA256 | 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022 |
| SHA512 | cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13 |
C:\Users\Admin\AppData\Local\Temp\Organizational
| MD5 | 7b8287c0afd0f089d462d20227527313 |
| SHA1 | 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9 |
| SHA256 | 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604 |
| SHA512 | 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01 |
C:\Users\Admin\AppData\Local\Temp\Administrator
| MD5 | d4fdc8b32df2a7aeff68f050ff4e99f5 |
| SHA1 | 596c4fcdabd92baf7306afe28ad4769210c8c61e |
| SHA256 | ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670 |
| SHA512 | 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328 |
C:\Users\Admin\AppData\Local\Temp\Offerings
| MD5 | c1b98968af3ca9958da994e0d2b64ca5 |
| SHA1 | 86a2c66038306cea65319eda4dc28e9ca416ecba |
| SHA256 | 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a |
| SHA512 | 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a |
C:\Users\Admin\AppData\Local\Temp\Erotic
| MD5 | baa394d9b7256b54d2a17aef107d6587 |
| SHA1 | ebb8b2974d73f4259fb01132ffaa9e93f9e32784 |
| SHA256 | ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc |
| SHA512 | ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0 |
C:\Users\Admin\AppData\Local\Temp\Worldwide
| MD5 | 0a51acf518d3af32972473ad935785b2 |
| SHA1 | 2890597974297152d974f0bc05abd0689dcbe140 |
| SHA256 | 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf |
| SHA512 | 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454 |
C:\Users\Admin\AppData\Local\Temp\Springer
| MD5 | 6935c3ee488f7e35515d746c51ed5e63 |
| SHA1 | eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096 |
| SHA256 | c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6 |
| SHA512 | f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81 |
C:\Users\Admin\AppData\Local\Temp\Nylon
| MD5 | 7ec83d9c67fdabe8d1a30d598b074796 |
| SHA1 | 909f7cc320e0584037121527c3916b633f9e1f9f |
| SHA256 | 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1 |
| SHA512 | d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a |
C:\Users\Admin\AppData\Local\Temp\Disturbed
| MD5 | 19d61e16dada8cd392e3c8bf745776d9 |
| SHA1 | ebbd31fe57f9b77b383326b42e166340c0cf721b |
| SHA256 | 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b |
| SHA512 | 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03 |
C:\Users\Admin\AppData\Local\Temp\Thomas
| MD5 | 7fe92d1a548602fde1565d712bda2c31 |
| SHA1 | 6b0f68dfef457c84c8c8de12a81356d34a745a01 |
| SHA256 | 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4 |
| SHA512 | bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d |
C:\Users\Admin\AppData\Local\Temp\Will
| MD5 | 1a91d5a1c1770b7f0f9cfce2e2e033c3 |
| SHA1 | 9bab62fa38126f91be59f6bc42b18c7d2797abc2 |
| SHA256 | 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5 |
| SHA512 | 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557 |
C:\Users\Admin\AppData\Local\Temp\Whenever
| MD5 | e4aa61dd9135241d399813916b7810d9 |
| SHA1 | 59f3a9e4706b7c8b360d89fc25712b25a4a29380 |
| SHA256 | 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1 |
| SHA512 | 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183 |
C:\Users\Admin\AppData\Local\Temp\Registered
| MD5 | df64d534153e3209f9205105677a7926 |
| SHA1 | 78a92c5660604a1806cff15b390928a60bc665a2 |
| SHA256 | 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590 |
| SHA512 | 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda |
C:\Users\Admin\AppData\Local\Temp\Clips
| MD5 | 07b6cca17ff3d67686dcb686c7397959 |
| SHA1 | 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a |
| SHA256 | 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4 |
| SHA512 | a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5 |
C:\Users\Admin\AppData\Local\Temp\Wiki
| MD5 | 62691926c398272b060aca24576fa46a |
| SHA1 | 8bf7fb2b2df52820ee9ef46790e70ca3b4945add |
| SHA256 | d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1 |
| SHA512 | 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047 |
C:\Users\Admin\AppData\Local\Temp\Route
| MD5 | 8494c7d9d337a740a2b78b91d6a25741 |
| SHA1 | 95623c0ae4cda059b11cff25ea05324c4dc9ca7d |
| SHA256 | ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2 |
| SHA512 | b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577 |
C:\Users\Admin\AppData\Local\Temp\Concert
| MD5 | 40bd98de2c6eafc9393dea5648237efb |
| SHA1 | f920b8feac96be36ee27fa187ccbaf5156bd8969 |
| SHA256 | 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd |
| SHA512 | 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d |
C:\Users\Admin\AppData\Local\Temp\Challenged
| MD5 | 95a29849fca591f7dd60ce737d9fad75 |
| SHA1 | 0d09edf10128e174ca9010838a43247e3786ba4e |
| SHA256 | 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326 |
| SHA512 | d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d |
C:\Users\Admin\AppData\Local\Temp\Bibliography
| MD5 | cbabde4bcb3d6b2a1a62629d3fae6942 |
| SHA1 | 062f09fd85db0324294b901f9a6a4b1a207d46e8 |
| SHA256 | 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436 |
| SHA512 | 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093 |
C:\Users\Admin\AppData\Local\Temp\Cubic
| MD5 | 34a6728cd9f73abf7a91f66252cf0829 |
| SHA1 | 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c |
| SHA256 | 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43 |
| SHA512 | 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf |
C:\Users\Admin\AppData\Local\Temp\Charleston
| MD5 | ecdf78d1f969073a83acb1e32ba80a05 |
| SHA1 | e547ae72ce76d015dd5f2b41eecda246eae3720c |
| SHA256 | 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1 |
| SHA512 | 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d |
C:\Users\Admin\AppData\Local\Temp\Turn
| MD5 | 8bc214a5383ab3532a20b52ac5624501 |
| SHA1 | 4d0e206963a38de8c54785847bd935218729f296 |
| SHA256 | d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0 |
| SHA512 | 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445 |
C:\Users\Admin\AppData\Local\Temp\Infection
| MD5 | bfa650e559e2a6c7ed47bfccf27d4cbb |
| SHA1 | 869f87feb559cfa55d28dc75f9cd01a458774cec |
| SHA256 | 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af |
| SHA512 | 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9 |
C:\Users\Admin\AppData\Local\Temp\Wool
| MD5 | e17b22ee13a0359fcc5e72e312177b73 |
| SHA1 | f1f7482a1674ff2b35f4dc75861dde4d6560ccb5 |
| SHA256 | 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a |
| SHA512 | 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48 |
C:\Users\Admin\AppData\Local\Temp\Wanted
| MD5 | 2bc8cd3cd9520b534f5c7a2b29d43476 |
| SHA1 | 8d19c65db42fbf5432942af24176ec0428eb03dd |
| SHA256 | 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577 |
| SHA512 | e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38 |
C:\Users\Admin\AppData\Local\Temp\Planets
| MD5 | 8b8508d4de0fccf374111ddb5079207c |
| SHA1 | e358b9489aac68dc51097d7680b5df2542dda3d9 |
| SHA256 | 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1 |
| SHA512 | 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe |
C:\Users\Admin\AppData\Local\Temp\Sixth
| MD5 | 88023976d5464e26d23fa462ecf19a24 |
| SHA1 | 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873 |
| SHA256 | ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f |
| SHA512 | 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4 |
C:\Users\Admin\AppData\Local\Temp\Wallpapers
| MD5 | 702274c76f1e8b5e3cf6eb9a64bd7040 |
| SHA1 | 7ada91befe55505e32d2bb64c47e8b1725525cad |
| SHA256 | 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149 |
| SHA512 | 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa |
C:\Users\Admin\AppData\Local\Temp\Keywords
| MD5 | 902bb2bacc6ea96547fc1383a019761f |
| SHA1 | b712a36338a7e37d936489db47844657e3d531af |
| SHA256 | fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5 |
| SHA512 | f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a |
C:\Users\Admin\AppData\Local\Temp\Definition
| MD5 | 0255c33cd5087c24e5b4f0d82abae604 |
| SHA1 | 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1 |
| SHA256 | bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95 |
| SHA512 | cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd |
C:\Users\Admin\AppData\Local\Temp\Almost
| MD5 | 83cf5ee2c502f847da364a9e6a4245df |
| SHA1 | 8fc51be5da0a57ef671ddf65bf5b0db444a135b9 |
| SHA256 | 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f |
| SHA512 | d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f |
C:\Users\Admin\AppData\Local\Temp\Astrology
| MD5 | 8ce87c92b9692122e0869a296721f672 |
| SHA1 | 8bf412633ba9798702dea6c3c56e0f219d75f112 |
| SHA256 | 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1 |
| SHA512 | b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d |
C:\Users\Admin\AppData\Local\Temp\Harley
| MD5 | 7d022467103662db65311c796de33eb7 |
| SHA1 | c8b52feeaaf322b16238787f7837da1b4be95118 |
| SHA256 | 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100 |
| SHA512 | de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32 |
C:\Users\Admin\AppData\Local\Temp\Records
| MD5 | c4dbb9a4f3fcfa63357cfdeec29d5b93 |
| SHA1 | 6a015af18e535919433bc696463423d541dbc8dc |
| SHA256 | f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012 |
| SHA512 | 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089 |
C:\Users\Admin\AppData\Local\Temp\Register
| MD5 | fd13359962e436976f7446c817722953 |
| SHA1 | 23b784d095acd9478c659fef3e5967d893029fef |
| SHA256 | 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7 |
| SHA512 | 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1 |
C:\Users\Admin\AppData\Local\Temp\Angels
| MD5 | a593d3200e5eb73c1d0cd6a8572d9820 |
| SHA1 | eaaa702a857179ba67d5d30010653b53c1bcae77 |
| SHA256 | f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf |
| SHA512 | d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b |
C:\Users\Admin\AppData\Local\Temp\Degrees
| MD5 | 27b98647e42753e5bb64e27e42c36a0b |
| SHA1 | 5ffc231a7584a649c068950cfe13649391364fb5 |
| SHA256 | 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6 |
| SHA512 | d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0 |
C:\Users\Admin\AppData\Local\Temp\Engines
| MD5 | fbb3aa92f3bcd2440080205790ba1859 |
| SHA1 | dc993e62a41d0a3467ce270938fd9fe0c770f727 |
| SHA256 | 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba |
| SHA512 | 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469 |
\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\543333\f
| MD5 | 0596c72d30b87d69ced68aaf078b4694 |
| SHA1 | 17d2ddcdfd4e353f142c2de12b97ee92adc550a6 |
| SHA256 | f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47 |
| SHA512 | 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1 |
memory/2676-87-0x0000000000690000-0x0000000000870000-memory.dmp
memory/2676-88-0x0000000000690000-0x0000000000870000-memory.dmp
memory/2676-90-0x0000000000690000-0x0000000000870000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-29 11:45
Reported
2024-08-29 11:54
Platform
win10-20240404-en
Max time kernel
297s
Max time network
321s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 424 set thread context of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\File.exe | "C:\Users\Admin\AppData\Local\Temp\File.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 543333 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "ZambiaExpressionEdWarnings" Organizational |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f |
| C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | Knowledgestorm.pif f |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
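The process list reads as the steps of one batch script: rename `Opinion` to `Opinion.bat` and run it, run `tasklist` into `findstr /I` twice to look for security-product processes, rebuild the payload with `copy /b`, launch it through a `.pif` dropped under %TEMP% with the rebuilt file as its argument, and pause with `choice /d y /t 5`. The Python below is an added example, not content from the report: a small rule set run over the command lines transcribed from the list above (the same list appears in behavioral1), each finding tagged with the ATT&CK technique it maps to. Two assumptions are labeled in the code: a `findstr` that directly follows a `tasklist` is treated as the consumer of a `tasklist | findstr` pipeline, and the vendor names attached to the searched process names are my own hints, not something the report states.

```python
"""Detection rules for the batch-style staging chain seen in the process list."""
import re
from dataclasses import dataclass

# Fragment names transcribed from the `copy /b` command line in the report, in order.
FRAGMENTS = [
    "Offerings", "Erotic", "Worldwide", "Springer", "Nylon", "Disturbed", "Thomas",
    "Will", "Whenever", "Registered", "Clips", "Wiki", "Route", "Concert", "Challenged",
    "Bibliography", "Cubic", "Charleston", "Turn", "Infection", "Wool", "Wanted",
    "Planets", "Sixth", "Wallpapers", "Keywords", "Definition", "Almost", "Astrology",
    "Harley", "Records", "Register", "Angels", "Degrees", "Engines",
]
COPY_CMD = "cmd /c copy /b " + " + ".join("..\\" + n for n in FRAGMENTS) + " f"

# (image path, command line) pairs transcribed from the process list above, in order.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\File.exe", r'"C:\Users\Admin\AppData\Local\Temp\File.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 543333"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "ZambiaExpressionEdWarnings" Organizational'),
    (r"C:\Windows\SysWOW64\cmd.exe", COPY_CMD),
    (r"C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif", "Knowledgestorm.pif f"),
    (r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
]

# Analyst-supplied hints for the process names the script searches for; not stated in the report.
VENDOR_HINTS = {
    "wrsa": "Webroot SecureAnywhere", "opssvc": "Quick Heal", "avastui": "Avast",
    "avgui": "AVG", "bdservicehost": "Bitdefender", "nswscsvc": "Norton",
    "sophoshealth": "Sophos",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique ID
    cmdline: str
    detail: str


_FINDSTR_RE = re.compile(r'^findstr\s+/I\s+"([^"]+)"\s*$', re.IGNORECASE)
_COPYB_RE = re.compile(r"copy\s+/b\s+(.+)\s+(\S+)\s*$", re.IGNORECASE)
_CHOICE_RE = re.compile(r"^choice\s+/d\s+\S+\s+/t\s+(\d+)", re.IGNORECASE)
_RENAME_RE = re.compile(r"move\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", re.IGNORECASE)


def analyze(processes) -> list[Finding]:
    findings: list[Finding] = []
    prev = ""
    for image, cmdline in processes:
        name = image.rsplit("\\", 1)[-1].lower()
        # Assumption: findstr right after tasklist is the consumer of `tasklist | findstr`.
        if name == "findstr.exe" and prev == "tasklist.exe" and (m := _FINDSTR_RE.match(cmdline)):
            hints = ", ".join(f"{n} ({VENDOR_HINTS.get(n.lower(), 'unknown')})" for n in m.group(1).split())
            findings.append(Finding("security_software_discovery", "T1518.001", cmdline, hints))
        if name == "cmd.exe":
            if (m := _COPYB_RE.search(cmdline)) and len(m.group(1).split("+")) >= 4:
                # Threshold: benign copy /b rarely joins this many pieces.
                findings.append(Finding("payload_reassembly", "T1027", cmdline,
                                        f"{len(m.group(1).split('+'))} fragments -> {m.group(2)}"))
            if m := _RENAME_RE.search(cmdline):
                findings.append(Finding("script_rename_to_bat", "T1059.003", cmdline,
                                        f"{m.group(1)} renamed to {m.group(1)}.bat and run"))
        if name == "choice.exe" and (m := _CHOICE_RE.match(cmdline)):
            findings.append(Finding("delay_via_choice", "T1497.003", cmdline, f"{m.group(1)} s delay"))
        if name.endswith(".pif") and "\\appdata\\local\\temp\\" in image.lower():
            findings.append(Finding("pif_from_temp", "T1036", cmdline, f"PE with .pif extension run from {image}"))
        prev = name
    return findings


def attack_techniques(findings) -> list[str]:
    """Distinct ATT&CK technique IDs touched by the findings, sorted."""
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    for f in analyze(PROCESSES):
        print(f"[{f.technique}] {f.rule}: {f.detail}")
    print("techniques:", attack_techniques(analyze(PROCESSES)))
```

The rules key on the command-line shape rather than on the random file names, which change between campaigns while the `tasklist`/`findstr`, `copy /b` and `choice` scaffolding stays the same. The report's "Suspicious use of SetThreadContext" entry (Knowledgestorm.pif acting on a second Knowledgestorm.pif process) is the next stage after what these rules cover and would need process-access telemetry, not command lines, to detect.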
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 82.139.246.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Opinion
| MD5 | 14cc1fb9d1af48eefbf8886f7afb6aaf |
| SHA1 | 5c3f6bd7d25302838faeac6235d11d29a7e148d9 |
| SHA256 | 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022 |
| SHA512 | cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13 |
C:\Users\Admin\AppData\Local\Temp\Organizational
| MD5 | 7b8287c0afd0f089d462d20227527313 |
| SHA1 | 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9 |
| SHA256 | 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604 |
| SHA512 | 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01 |
C:\Users\Admin\AppData\Local\Temp\Administrator
| MD5 | d4fdc8b32df2a7aeff68f050ff4e99f5 |
| SHA1 | 596c4fcdabd92baf7306afe28ad4769210c8c61e |
| SHA256 | ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670 |
| SHA512 | 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328 |
C:\Users\Admin\AppData\Local\Temp\Offerings
| MD5 | c1b98968af3ca9958da994e0d2b64ca5 |
| SHA1 | 86a2c66038306cea65319eda4dc28e9ca416ecba |
| SHA256 | 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a |
| SHA512 | 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a |
C:\Users\Admin\AppData\Local\Temp\Erotic
| MD5 | baa394d9b7256b54d2a17aef107d6587 |
| SHA1 | ebb8b2974d73f4259fb01132ffaa9e93f9e32784 |
| SHA256 | ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc |
| SHA512 | ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0 |
C:\Users\Admin\AppData\Local\Temp\Worldwide
| MD5 | 0a51acf518d3af32972473ad935785b2 |
| SHA1 | 2890597974297152d974f0bc05abd0689dcbe140 |
| SHA256 | 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf |
| SHA512 | 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454 |
C:\Users\Admin\AppData\Local\Temp\Springer
| MD5 | 6935c3ee488f7e35515d746c51ed5e63 |
| SHA1 | eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096 |
| SHA256 | c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6 |
| SHA512 | f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81 |
C:\Users\Admin\AppData\Local\Temp\Nylon
| MD5 | 7ec83d9c67fdabe8d1a30d598b074796 |
| SHA1 | 909f7cc320e0584037121527c3916b633f9e1f9f |
| SHA256 | 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1 |
| SHA512 | d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a |
C:\Users\Admin\AppData\Local\Temp\Disturbed
| MD5 | 19d61e16dada8cd392e3c8bf745776d9 |
| SHA1 | ebbd31fe57f9b77b383326b42e166340c0cf721b |
| SHA256 | 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b |
| SHA512 | 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03 |
C:\Users\Admin\AppData\Local\Temp\Thomas
| MD5 | 7fe92d1a548602fde1565d712bda2c31 |
| SHA1 | 6b0f68dfef457c84c8c8de12a81356d34a745a01 |
| SHA256 | 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4 |
| SHA512 | bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d |
C:\Users\Admin\AppData\Local\Temp\Will
| MD5 | 1a91d5a1c1770b7f0f9cfce2e2e033c3 |
| SHA1 | 9bab62fa38126f91be59f6bc42b18c7d2797abc2 |
| SHA256 | 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5 |
| SHA512 | 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557 |
C:\Users\Admin\AppData\Local\Temp\Whenever
| MD5 | e4aa61dd9135241d399813916b7810d9 |
| SHA1 | 59f3a9e4706b7c8b360d89fc25712b25a4a29380 |
| SHA256 | 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1 |
| SHA512 | 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183 |
C:\Users\Admin\AppData\Local\Temp\Registered
| MD5 | df64d534153e3209f9205105677a7926 |
| SHA1 | 78a92c5660604a1806cff15b390928a60bc665a2 |
| SHA256 | 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590 |
| SHA512 | 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda |
C:\Users\Admin\AppData\Local\Temp\Clips
| MD5 | 07b6cca17ff3d67686dcb686c7397959 |
| SHA1 | 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a |
| SHA256 | 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4 |
| SHA512 | a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5 |
C:\Users\Admin\AppData\Local\Temp\Wiki
| MD5 | 62691926c398272b060aca24576fa46a |
| SHA1 | 8bf7fb2b2df52820ee9ef46790e70ca3b4945add |
| SHA256 | d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1 |
| SHA512 | 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047 |
C:\Users\Admin\AppData\Local\Temp\Route
| MD5 | 8494c7d9d337a740a2b78b91d6a25741 |
| SHA1 | 95623c0ae4cda059b11cff25ea05324c4dc9ca7d |
| SHA256 | ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2 |
| SHA512 | b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577 |
C:\Users\Admin\AppData\Local\Temp\Concert
| MD5 | 40bd98de2c6eafc9393dea5648237efb |
| SHA1 | f920b8feac96be36ee27fa187ccbaf5156bd8969 |
| SHA256 | 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd |
| SHA512 | 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d |
C:\Users\Admin\AppData\Local\Temp\Challenged
| MD5 | 95a29849fca591f7dd60ce737d9fad75 |
| SHA1 | 0d09edf10128e174ca9010838a43247e3786ba4e |
| SHA256 | 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326 |
| SHA512 | d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d |
C:\Users\Admin\AppData\Local\Temp\Bibliography
| MD5 | cbabde4bcb3d6b2a1a62629d3fae6942 |
| SHA1 | 062f09fd85db0324294b901f9a6a4b1a207d46e8 |
| SHA256 | 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436 |
| SHA512 | 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093 |
C:\Users\Admin\AppData\Local\Temp\Cubic
| MD5 | 34a6728cd9f73abf7a91f66252cf0829 |
| SHA1 | 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c |
| SHA256 | 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43 |
| SHA512 | 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf |
C:\Users\Admin\AppData\Local\Temp\Charleston
| MD5 | ecdf78d1f969073a83acb1e32ba80a05 |
| SHA1 | e547ae72ce76d015dd5f2b41eecda246eae3720c |
| SHA256 | 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1 |
| SHA512 | 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d |
C:\Users\Admin\AppData\Local\Temp\Turn
| MD5 | 8bc214a5383ab3532a20b52ac5624501 |
| SHA1 | 4d0e206963a38de8c54785847bd935218729f296 |
| SHA256 | d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0 |
| SHA512 | 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445 |
C:\Users\Admin\AppData\Local\Temp\Infection
| MD5 | bfa650e559e2a6c7ed47bfccf27d4cbb |
| SHA1 | 869f87feb559cfa55d28dc75f9cd01a458774cec |
| SHA256 | 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af |
| SHA512 | 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9 |
C:\Users\Admin\AppData\Local\Temp\Wool
| MD5 | e17b22ee13a0359fcc5e72e312177b73 |
| SHA1 | f1f7482a1674ff2b35f4dc75861dde4d6560ccb5 |
| SHA256 | 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a |
| SHA512 | 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48 |
C:\Users\Admin\AppData\Local\Temp\Planets
| MD5 | 8b8508d4de0fccf374111ddb5079207c |
| SHA1 | e358b9489aac68dc51097d7680b5df2542dda3d9 |
| SHA256 | 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1 |
| SHA512 | 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe |
C:\Users\Admin\AppData\Local\Temp\Wanted
| MD5 | 2bc8cd3cd9520b534f5c7a2b29d43476 |
| SHA1 | 8d19c65db42fbf5432942af24176ec0428eb03dd |
| SHA256 | 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577 |
| SHA512 | e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38 |
C:\Users\Admin\AppData\Local\Temp\Sixth
| MD5 | 88023976d5464e26d23fa462ecf19a24 |
| SHA1 | 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873 |
| SHA256 | ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f |
| SHA512 | 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4 |
C:\Users\Admin\AppData\Local\Temp\Wallpapers
| MD5 | 702274c76f1e8b5e3cf6eb9a64bd7040 |
| SHA1 | 7ada91befe55505e32d2bb64c47e8b1725525cad |
| SHA256 | 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149 |
| SHA512 | 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa |
C:\Users\Admin\AppData\Local\Temp\Keywords
| MD5 | 902bb2bacc6ea96547fc1383a019761f |
| SHA1 | b712a36338a7e37d936489db47844657e3d531af |
| SHA256 | fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5 |
| SHA512 | f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a |
C:\Users\Admin\AppData\Local\Temp\Almost
| MD5 | 83cf5ee2c502f847da364a9e6a4245df |
| SHA1 | 8fc51be5da0a57ef671ddf65bf5b0db444a135b9 |
| SHA256 | 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f |
| SHA512 | d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f |
C:\Users\Admin\AppData\Local\Temp\Astrology
| MD5 | 8ce87c92b9692122e0869a296721f672 |
| SHA1 | 8bf412633ba9798702dea6c3c56e0f219d75f112 |
| SHA256 | 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1 |
| SHA512 | b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d |
C:\Users\Admin\AppData\Local\Temp\Definition
| MD5 | 0255c33cd5087c24e5b4f0d82abae604 |
| SHA1 | 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1 |
| SHA256 | bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95 |
| SHA512 | cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd |
C:\Users\Admin\AppData\Local\Temp\Harley
| MD5 | 7d022467103662db65311c796de33eb7 |
| SHA1 | c8b52feeaaf322b16238787f7837da1b4be95118 |
| SHA256 | 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100 |
| SHA512 | de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32 |
C:\Users\Admin\AppData\Local\Temp\Records
| MD5 | c4dbb9a4f3fcfa63357cfdeec29d5b93 |
| SHA1 | 6a015af18e535919433bc696463423d541dbc8dc |
| SHA256 | f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012 |
| SHA512 | 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089 |
C:\Users\Admin\AppData\Local\Temp\Angels
| MD5 | a593d3200e5eb73c1d0cd6a8572d9820 |
| SHA1 | eaaa702a857179ba67d5d30010653b53c1bcae77 |
| SHA256 | f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf |
| SHA512 | d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b |
C:\Users\Admin\AppData\Local\Temp\Register
| MD5 | fd13359962e436976f7446c817722953 |
| SHA1 | 23b784d095acd9478c659fef3e5967d893029fef |
| SHA256 | 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7 |
| SHA512 | 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1 |
C:\Users\Admin\AppData\Local\Temp\Degrees
| MD5 | 27b98647e42753e5bb64e27e42c36a0b |
| SHA1 | 5ffc231a7584a649c068950cfe13649391364fb5 |
| SHA256 | 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6 |
| SHA512 | d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0 |
C:\Users\Admin\AppData\Local\Temp\Engines
| MD5 | fbb3aa92f3bcd2440080205790ba1859 |
| SHA1 | dc993e62a41d0a3467ce270938fd9fe0c770f727 |
| SHA256 | 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba |
| SHA512 | 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469 |
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\543333\f
| MD5 | 0596c72d30b87d69ced68aaf078b4694 |
| SHA1 | 17d2ddcdfd4e353f142c2de12b97ee92adc550a6 |
| SHA256 | f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47 |
| SHA512 | 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1 |
memory/4344-84-0x0000000000A00000-0x0000000000BE0000-memory.dmp
memory/4344-85-0x0000000000A00000-0x0000000000BE0000-memory.dmp
memory/4344-87-0x0000000000A00000-0x0000000000BE0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-29 11:45
Reported
2024-08-29 11:54
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
316s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1444 set thread context of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 543333
C:\Windows\SysWOW64\findstr.exe
findstr /V "ZambiaExpressionEdWarnings" Organizational
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
Knowledgestorm.pif f
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 82.139.246.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Opinion
| MD5 | 14cc1fb9d1af48eefbf8886f7afb6aaf |
| SHA1 | 5c3f6bd7d25302838faeac6235d11d29a7e148d9 |
| SHA256 | 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022 |
| SHA512 | cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13 |
C:\Users\Admin\AppData\Local\Temp\Organizational
| MD5 | 7b8287c0afd0f089d462d20227527313 |
| SHA1 | 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9 |
| SHA256 | 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604 |
| SHA512 | 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01 |
C:\Users\Admin\AppData\Local\Temp\Administrator
| MD5 | d4fdc8b32df2a7aeff68f050ff4e99f5 |
| SHA1 | 596c4fcdabd92baf7306afe28ad4769210c8c61e |
| SHA256 | ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670 |
| SHA512 | 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328 |
C:\Users\Admin\AppData\Local\Temp\Offerings
| MD5 | c1b98968af3ca9958da994e0d2b64ca5 |
| SHA1 | 86a2c66038306cea65319eda4dc28e9ca416ecba |
| SHA256 | 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a |
| SHA512 | 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a |
C:\Users\Admin\AppData\Local\Temp\Erotic
| MD5 | baa394d9b7256b54d2a17aef107d6587 |
| SHA1 | ebb8b2974d73f4259fb01132ffaa9e93f9e32784 |
| SHA256 | ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc |
| SHA512 | ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0 |
C:\Users\Admin\AppData\Local\Temp\Worldwide
| MD5 | 0a51acf518d3af32972473ad935785b2 |
| SHA1 | 2890597974297152d974f0bc05abd0689dcbe140 |
| SHA256 | 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf |
| SHA512 | 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454 |
C:\Users\Admin\AppData\Local\Temp\Springer
| MD5 | 6935c3ee488f7e35515d746c51ed5e63 |
| SHA1 | eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096 |
| SHA256 | c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6 |
| SHA512 | f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81 |
C:\Users\Admin\AppData\Local\Temp\Nylon
| MD5 | 7ec83d9c67fdabe8d1a30d598b074796 |
| SHA1 | 909f7cc320e0584037121527c3916b633f9e1f9f |
| SHA256 | 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1 |
| SHA512 | d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a |
C:\Users\Admin\AppData\Local\Temp\Disturbed
| MD5 | 19d61e16dada8cd392e3c8bf745776d9 |
| SHA1 | ebbd31fe57f9b77b383326b42e166340c0cf721b |
| SHA256 | 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b |
| SHA512 | 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03 |
C:\Users\Admin\AppData\Local\Temp\Thomas
| MD5 | 7fe92d1a548602fde1565d712bda2c31 |
| SHA1 | 6b0f68dfef457c84c8c8de12a81356d34a745a01 |
| SHA256 | 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4 |
| SHA512 | bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d |
C:\Users\Admin\AppData\Local\Temp\Will
| MD5 | 1a91d5a1c1770b7f0f9cfce2e2e033c3 |
| SHA1 | 9bab62fa38126f91be59f6bc42b18c7d2797abc2 |
| SHA256 | 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5 |
| SHA512 | 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557 |
C:\Users\Admin\AppData\Local\Temp\Whenever
| MD5 | e4aa61dd9135241d399813916b7810d9 |
| SHA1 | 59f3a9e4706b7c8b360d89fc25712b25a4a29380 |
| SHA256 | 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1 |
| SHA512 | 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183 |
C:\Users\Admin\AppData\Local\Temp\Registered
| MD5 | df64d534153e3209f9205105677a7926 |
| SHA1 | 78a92c5660604a1806cff15b390928a60bc665a2 |
| SHA256 | 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590 |
| SHA512 | 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda |
C:\Users\Admin\AppData\Local\Temp\Clips
| MD5 | 07b6cca17ff3d67686dcb686c7397959 |
| SHA1 | 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a |
| SHA256 | 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4 |
| SHA512 | a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5 |
C:\Users\Admin\AppData\Local\Temp\Wiki
| MD5 | 62691926c398272b060aca24576fa46a |
| SHA1 | 8bf7fb2b2df52820ee9ef46790e70ca3b4945add |
| SHA256 | d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1 |
| SHA512 | 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047 |
C:\Users\Admin\AppData\Local\Temp\Route
| MD5 | 8494c7d9d337a740a2b78b91d6a25741 |
| SHA1 | 95623c0ae4cda059b11cff25ea05324c4dc9ca7d |
| SHA256 | ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2 |
| SHA512 | b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577 |
C:\Users\Admin\AppData\Local\Temp\Concert
| MD5 | 40bd98de2c6eafc9393dea5648237efb |
| SHA1 | f920b8feac96be36ee27fa187ccbaf5156bd8969 |
| SHA256 | 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd |
| SHA512 | 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d |
C:\Users\Admin\AppData\Local\Temp\Challenged
| MD5 | 95a29849fca591f7dd60ce737d9fad75 |
| SHA1 | 0d09edf10128e174ca9010838a43247e3786ba4e |
| SHA256 | 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326 |
| SHA512 | d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d |
C:\Users\Admin\AppData\Local\Temp\Bibliography
| MD5 | cbabde4bcb3d6b2a1a62629d3fae6942 |
| SHA1 | 062f09fd85db0324294b901f9a6a4b1a207d46e8 |
| SHA256 | 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436 |
| SHA512 | 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093 |
C:\Users\Admin\AppData\Local\Temp\Cubic
| MD5 | 34a6728cd9f73abf7a91f66252cf0829 |
| SHA1 | 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c |
| SHA256 | 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43 |
| SHA512 | 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf |
C:\Users\Admin\AppData\Local\Temp\Charleston
| MD5 | ecdf78d1f969073a83acb1e32ba80a05 |
| SHA1 | e547ae72ce76d015dd5f2b41eecda246eae3720c |
| SHA256 | 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1 |
| SHA512 | 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d |
C:\Users\Admin\AppData\Local\Temp\Turn
| MD5 | 8bc214a5383ab3532a20b52ac5624501 |
| SHA1 | 4d0e206963a38de8c54785847bd935218729f296 |
| SHA256 | d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0 |
| SHA512 | 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445 |
C:\Users\Admin\AppData\Local\Temp\Infection
| MD5 | bfa650e559e2a6c7ed47bfccf27d4cbb |
| SHA1 | 869f87feb559cfa55d28dc75f9cd01a458774cec |
| SHA256 | 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af |
| SHA512 | 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9 |
C:\Users\Admin\AppData\Local\Temp\Wool
| MD5 | e17b22ee13a0359fcc5e72e312177b73 |
| SHA1 | f1f7482a1674ff2b35f4dc75861dde4d6560ccb5 |
| SHA256 | 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a |
| SHA512 | 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48 |
C:\Users\Admin\AppData\Local\Temp\Wanted
| MD5 | 2bc8cd3cd9520b534f5c7a2b29d43476 |
| SHA1 | 8d19c65db42fbf5432942af24176ec0428eb03dd |
| SHA256 | 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577 |
| SHA512 | e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38 |
C:\Users\Admin\AppData\Local\Temp\Planets
| MD5 | 8b8508d4de0fccf374111ddb5079207c |
| SHA1 | e358b9489aac68dc51097d7680b5df2542dda3d9 |
| SHA256 | 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1 |
| SHA512 | 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe |
C:\Users\Admin\AppData\Local\Temp\Sixth
| MD5 | 88023976d5464e26d23fa462ecf19a24 |
| SHA1 | 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873 |
| SHA256 | ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f |
| SHA512 | 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4 |
C:\Users\Admin\AppData\Local\Temp\Wallpapers
| MD5 | 702274c76f1e8b5e3cf6eb9a64bd7040 |
| SHA1 | 7ada91befe55505e32d2bb64c47e8b1725525cad |
| SHA256 | 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149 |
| SHA512 | 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa |
C:\Users\Admin\AppData\Local\Temp\Keywords
| MD5 | 902bb2bacc6ea96547fc1383a019761f |
| SHA1 | b712a36338a7e37d936489db47844657e3d531af |
| SHA256 | fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5 |
| SHA512 | f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a |
C:\Users\Admin\AppData\Local\Temp\Definition
| MD5 | 0255c33cd5087c24e5b4f0d82abae604 |
| SHA1 | 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1 |
| SHA256 | bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95 |
| SHA512 | cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd |
C:\Users\Admin\AppData\Local\Temp\Almost
| MD5 | 83cf5ee2c502f847da364a9e6a4245df |
| SHA1 | 8fc51be5da0a57ef671ddf65bf5b0db444a135b9 |
| SHA256 | 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f |
| SHA512 | d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f |
C:\Users\Admin\AppData\Local\Temp\Astrology
| MD5 | 8ce87c92b9692122e0869a296721f672 |
| SHA1 | 8bf412633ba9798702dea6c3c56e0f219d75f112 |
| SHA256 | 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1 |
| SHA512 | b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d |
C:\Users\Admin\AppData\Local\Temp\Harley
| MD5 | 7d022467103662db65311c796de33eb7 |
| SHA1 | c8b52feeaaf322b16238787f7837da1b4be95118 |
| SHA256 | 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100 |
| SHA512 | de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32 |
C:\Users\Admin\AppData\Local\Temp\Records
| MD5 | c4dbb9a4f3fcfa63357cfdeec29d5b93 |
| SHA1 | 6a015af18e535919433bc696463423d541dbc8dc |
| SHA256 | f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012 |
| SHA512 | 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089 |
C:\Users\Admin\AppData\Local\Temp\Register
| MD5 | fd13359962e436976f7446c817722953 |
| SHA1 | 23b784d095acd9478c659fef3e5967d893029fef |
| SHA256 | 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7 |
| SHA512 | 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1 |
C:\Users\Admin\AppData\Local\Temp\Angels
| MD5 | a593d3200e5eb73c1d0cd6a8572d9820 |
| SHA1 | eaaa702a857179ba67d5d30010653b53c1bcae77 |
| SHA256 | f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf |
| SHA512 | d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b |
C:\Users\Admin\AppData\Local\Temp\Degrees
| MD5 | 27b98647e42753e5bb64e27e42c36a0b |
| SHA1 | 5ffc231a7584a649c068950cfe13649391364fb5 |
| SHA256 | 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6 |
| SHA512 | d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0 |
C:\Users\Admin\AppData\Local\Temp\Engines
| MD5 | fbb3aa92f3bcd2440080205790ba1859 |
| SHA1 | dc993e62a41d0a3467ce270938fd9fe0c770f727 |
| SHA256 | 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba |
| SHA512 | 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469 |
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\543333\f
| MD5 | 0596c72d30b87d69ced68aaf078b4694 |
| SHA1 | 17d2ddcdfd4e353f142c2de12b97ee92adc550a6 |
| SHA256 | f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47 |
| SHA512 | 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1 |
memory/2284-90-0x0000000001400000-0x00000000015E0000-memory.dmp
memory/2284-91-0x0000000001400000-0x00000000015E0000-memory.dmp
memory/2284-93-0x0000000001400000-0x00000000015E0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-29 11:45
Reported
2024-08-29 11:54
Platform
win11-20240802-en
Max time kernel
221s
Max time network
320s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4108 set thread context of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 543333
C:\Windows\SysWOW64\findstr.exe
findstr /V "ZambiaExpressionEdWarnings" Organizational
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
Knowledgestorm.pif f
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
Network
| Country | Destination | Domain | Proto |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.139.246.92.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Opinion
| MD5 | 14cc1fb9d1af48eefbf8886f7afb6aaf |
| SHA1 | 5c3f6bd7d25302838faeac6235d11d29a7e148d9 |
| SHA256 | 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022 |
| SHA512 | cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13 |
C:\Users\Admin\AppData\Local\Temp\Organizational
| MD5 | 7b8287c0afd0f089d462d20227527313 |
| SHA1 | 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9 |
| SHA256 | 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604 |
| SHA512 | 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01 |
C:\Users\Admin\AppData\Local\Temp\Administrator
| MD5 | d4fdc8b32df2a7aeff68f050ff4e99f5 |
| SHA1 | 596c4fcdabd92baf7306afe28ad4769210c8c61e |
| SHA256 | ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670 |
| SHA512 | 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328 |
C:\Users\Admin\AppData\Local\Temp\Offerings
| MD5 | c1b98968af3ca9958da994e0d2b64ca5 |
| SHA1 | 86a2c66038306cea65319eda4dc28e9ca416ecba |
| SHA256 | 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a |
| SHA512 | 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a |
C:\Users\Admin\AppData\Local\Temp\Springer
| MD5 | 6935c3ee488f7e35515d746c51ed5e63 |
| SHA1 | eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096 |
| SHA256 | c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6 |
| SHA512 | f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81 |
C:\Users\Admin\AppData\Local\Temp\Nylon
| MD5 | 7ec83d9c67fdabe8d1a30d598b074796 |
| SHA1 | 909f7cc320e0584037121527c3916b633f9e1f9f |
| SHA256 | 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1 |
| SHA512 | d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a |
C:\Users\Admin\AppData\Local\Temp\Worldwide
| MD5 | 0a51acf518d3af32972473ad935785b2 |
| SHA1 | 2890597974297152d974f0bc05abd0689dcbe140 |
| SHA256 | 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf |
| SHA512 | 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454 |
C:\Users\Admin\AppData\Local\Temp\Erotic
| MD5 | baa394d9b7256b54d2a17aef107d6587 |
| SHA1 | ebb8b2974d73f4259fb01132ffaa9e93f9e32784 |
| SHA256 | ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc |
| SHA512 | ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0 |
C:\Users\Admin\AppData\Local\Temp\Disturbed
| MD5 | 19d61e16dada8cd392e3c8bf745776d9 |
| SHA1 | ebbd31fe57f9b77b383326b42e166340c0cf721b |
| SHA256 | 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b |
| SHA512 | 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03 |
C:\Users\Admin\AppData\Local\Temp\Thomas
| MD5 | 7fe92d1a548602fde1565d712bda2c31 |
| SHA1 | 6b0f68dfef457c84c8c8de12a81356d34a745a01 |
| SHA256 | 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4 |
| SHA512 | bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d |
C:\Users\Admin\AppData\Local\Temp\Whenever
| MD5 | e4aa61dd9135241d399813916b7810d9 |
| SHA1 | 59f3a9e4706b7c8b360d89fc25712b25a4a29380 |
| SHA256 | 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1 |
| SHA512 | 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183 |
C:\Users\Admin\AppData\Local\Temp\Clips
| MD5 | 07b6cca17ff3d67686dcb686c7397959 |
| SHA1 | 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a |
| SHA256 | 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4 |
| SHA512 | a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5 |
C:\Users\Admin\AppData\Local\Temp\Challenged
| MD5 | 95a29849fca591f7dd60ce737d9fad75 |
| SHA1 | 0d09edf10128e174ca9010838a43247e3786ba4e |
| SHA256 | 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326 |
| SHA512 | d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d |
C:\Users\Admin\AppData\Local\Temp\Bibliography
| MD5 | cbabde4bcb3d6b2a1a62629d3fae6942 |
| SHA1 | 062f09fd85db0324294b901f9a6a4b1a207d46e8 |
| SHA256 | 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436 |
| SHA512 | 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093 |
C:\Users\Admin\AppData\Local\Temp\Concert
| MD5 | 40bd98de2c6eafc9393dea5648237efb |
| SHA1 | f920b8feac96be36ee27fa187ccbaf5156bd8969 |
| SHA256 | 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd |
| SHA512 | 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d |
C:\Users\Admin\AppData\Local\Temp\Route
| MD5 | 8494c7d9d337a740a2b78b91d6a25741 |
| SHA1 | 95623c0ae4cda059b11cff25ea05324c4dc9ca7d |
| SHA256 | ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2 |
| SHA512 | b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577 |
C:\Users\Admin\AppData\Local\Temp\Wiki
| MD5 | 62691926c398272b060aca24576fa46a |
| SHA1 | 8bf7fb2b2df52820ee9ef46790e70ca3b4945add |
| SHA256 | d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1 |
| SHA512 | 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047 |
C:\Users\Admin\AppData\Local\Temp\Registered
| MD5 | df64d534153e3209f9205105677a7926 |
| SHA1 | 78a92c5660604a1806cff15b390928a60bc665a2 |
| SHA256 | 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590 |
| SHA512 | 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda |
C:\Users\Admin\AppData\Local\Temp\Will
| MD5 | 1a91d5a1c1770b7f0f9cfce2e2e033c3 |
| SHA1 | 9bab62fa38126f91be59f6bc42b18c7d2797abc2 |
| SHA256 | 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5 |
| SHA512 | 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557 |
C:\Users\Admin\AppData\Local\Temp\Cubic
| MD5 | 34a6728cd9f73abf7a91f66252cf0829 |
| SHA1 | 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c |
| SHA256 | 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43 |
| SHA512 | 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf |
C:\Users\Admin\AppData\Local\Temp\Charleston
| MD5 | ecdf78d1f969073a83acb1e32ba80a05 |
| SHA1 | e547ae72ce76d015dd5f2b41eecda246eae3720c |
| SHA256 | 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1 |
| SHA512 | 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d |
C:\Users\Admin\AppData\Local\Temp\Turn
| MD5 | 8bc214a5383ab3532a20b52ac5624501 |
| SHA1 | 4d0e206963a38de8c54785847bd935218729f296 |
| SHA256 | d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0 |
| SHA512 | 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445 |
C:\Users\Admin\AppData\Local\Temp\Infection
| MD5 | bfa650e559e2a6c7ed47bfccf27d4cbb |
| SHA1 | 869f87feb559cfa55d28dc75f9cd01a458774cec |
| SHA256 | 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af |
| SHA512 | 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9 |
C:\Users\Admin\AppData\Local\Temp\Wool
| MD5 | e17b22ee13a0359fcc5e72e312177b73 |
| SHA1 | f1f7482a1674ff2b35f4dc75861dde4d6560ccb5 |
| SHA256 | 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a |
| SHA512 | 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48 |
C:\Users\Admin\AppData\Local\Temp\Wanted
| MD5 | 2bc8cd3cd9520b534f5c7a2b29d43476 |
| SHA1 | 8d19c65db42fbf5432942af24176ec0428eb03dd |
| SHA256 | 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577 |
| SHA512 | e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38 |
C:\Users\Admin\AppData\Local\Temp\Astrology
| MD5 | 8ce87c92b9692122e0869a296721f672 |
| SHA1 | 8bf412633ba9798702dea6c3c56e0f219d75f112 |
| SHA256 | 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1 |
| SHA512 | b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d |
C:\Users\Admin\AppData\Local\Temp\Almost
| MD5 | 83cf5ee2c502f847da364a9e6a4245df |
| SHA1 | 8fc51be5da0a57ef671ddf65bf5b0db444a135b9 |
| SHA256 | 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f |
| SHA512 | d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f |
C:\Users\Admin\AppData\Local\Temp\Definition
| MD5 | 0255c33cd5087c24e5b4f0d82abae604 |
| SHA1 | 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1 |
| SHA256 | bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95 |
| SHA512 | cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd |
C:\Users\Admin\AppData\Local\Temp\Keywords
| MD5 | 902bb2bacc6ea96547fc1383a019761f |
| SHA1 | b712a36338a7e37d936489db47844657e3d531af |
| SHA256 | fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5 |
| SHA512 | f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a |
C:\Users\Admin\AppData\Local\Temp\Wallpapers
| MD5 | 702274c76f1e8b5e3cf6eb9a64bd7040 |
| SHA1 | 7ada91befe55505e32d2bb64c47e8b1725525cad |
| SHA256 | 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149 |
| SHA512 | 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa |
C:\Users\Admin\AppData\Local\Temp\Sixth
| MD5 | 88023976d5464e26d23fa462ecf19a24 |
| SHA1 | 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873 |
| SHA256 | ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f |
| SHA512 | 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4 |
C:\Users\Admin\AppData\Local\Temp\Planets
| MD5 | 8b8508d4de0fccf374111ddb5079207c |
| SHA1 | e358b9489aac68dc51097d7680b5df2542dda3d9 |
| SHA256 | 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1 |
| SHA512 | 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe |
C:\Users\Admin\AppData\Local\Temp\Harley
| MD5 | 7d022467103662db65311c796de33eb7 |
| SHA1 | c8b52feeaaf322b16238787f7837da1b4be95118 |
| SHA256 | 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100 |
| SHA512 | de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32 |
C:\Users\Admin\AppData\Local\Temp\Degrees
| MD5 | 27b98647e42753e5bb64e27e42c36a0b |
| SHA1 | 5ffc231a7584a649c068950cfe13649391364fb5 |
| SHA256 | 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6 |
| SHA512 | d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0 |
C:\Users\Admin\AppData\Local\Temp\Angels
| MD5 | a593d3200e5eb73c1d0cd6a8572d9820 |
| SHA1 | eaaa702a857179ba67d5d30010653b53c1bcae77 |
| SHA256 | f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf |
| SHA512 | d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b |
C:\Users\Admin\AppData\Local\Temp\Register
| MD5 | fd13359962e436976f7446c817722953 |
| SHA1 | 23b784d095acd9478c659fef3e5967d893029fef |
| SHA256 | 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7 |
| SHA512 | 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1 |
C:\Users\Admin\AppData\Local\Temp\Records
| MD5 | c4dbb9a4f3fcfa63357cfdeec29d5b93 |
| SHA1 | 6a015af18e535919433bc696463423d541dbc8dc |
| SHA256 | f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012 |
| SHA512 | 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089 |
C:\Users\Admin\AppData\Local\Temp\Engines
| MD5 | fbb3aa92f3bcd2440080205790ba1859 |
| SHA1 | dc993e62a41d0a3467ce270938fd9fe0c770f727 |
| SHA256 | 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba |
| SHA512 | 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469 |
C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\543333\f
| MD5 | 0596c72d30b87d69ced68aaf078b4694 |
| SHA1 | 17d2ddcdfd4e353f142c2de12b97ee92adc550a6 |
| SHA256 | f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47 |
| SHA512 | 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1 |
memory/3560-84-0x0000000000650000-0x0000000000830000-memory.dmp
memory/3560-85-0x0000000000650000-0x0000000000830000-memory.dmp
memory/3560-87-0x0000000000650000-0x0000000000830000-memory.dmp