Malware Analysis Report

2024-10-23 21:42

Sample ID 240829-nw8a4a1hkr
Target File.rar
SHA256 b936dc76c796a7ec52e4ecae7c99f3982236c23aa163150f906191ea6a73a460
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b936dc76c796a7ec52e4ecae7c99f3982236c23aa163150f906191ea6a73a460

Threat Level: Shows suspicious behavior

The file File.rar was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 11:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 11:45

Reported

2024-08-29 11:54

Platform

win7-20240708-en

Max time kernel

294s

Max time network

318s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1656 set thread context of 2676 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2732 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2732 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2732 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2732 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2732 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 2732 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2732 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2732 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2732 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1656 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1656 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1656 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1656 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1656 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1656 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 543333

C:\Windows\SysWOW64\findstr.exe

findstr /V "ZambiaExpressionEdWarnings" Organizational

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Knowledgestorm.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 pYetpApCNDQefjpWtguAZfkisje.pYetpApCNDQefjpWtguAZfkisje udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\Opinion

MD5 14cc1fb9d1af48eefbf8886f7afb6aaf
SHA1 5c3f6bd7d25302838faeac6235d11d29a7e148d9
SHA256 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022
SHA512 cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13

C:\Users\Admin\AppData\Local\Temp\Organizational

MD5 7b8287c0afd0f089d462d20227527313
SHA1 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9
SHA256 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604
SHA512 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01

C:\Users\Admin\AppData\Local\Temp\Administrator

MD5 d4fdc8b32df2a7aeff68f050ff4e99f5
SHA1 596c4fcdabd92baf7306afe28ad4769210c8c61e
SHA256 ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670
SHA512 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328

C:\Users\Admin\AppData\Local\Temp\Offerings

MD5 c1b98968af3ca9958da994e0d2b64ca5
SHA1 86a2c66038306cea65319eda4dc28e9ca416ecba
SHA256 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a
SHA512 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a

C:\Users\Admin\AppData\Local\Temp\Erotic

MD5 baa394d9b7256b54d2a17aef107d6587
SHA1 ebb8b2974d73f4259fb01132ffaa9e93f9e32784
SHA256 ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc
SHA512 ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0

C:\Users\Admin\AppData\Local\Temp\Worldwide

MD5 0a51acf518d3af32972473ad935785b2
SHA1 2890597974297152d974f0bc05abd0689dcbe140
SHA256 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf
SHA512 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 6935c3ee488f7e35515d746c51ed5e63
SHA1 eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096
SHA256 c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6
SHA512 f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81

C:\Users\Admin\AppData\Local\Temp\Nylon

MD5 7ec83d9c67fdabe8d1a30d598b074796
SHA1 909f7cc320e0584037121527c3916b633f9e1f9f
SHA256 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1
SHA512 d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 19d61e16dada8cd392e3c8bf745776d9
SHA1 ebbd31fe57f9b77b383326b42e166340c0cf721b
SHA256 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b
SHA512 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03

C:\Users\Admin\AppData\Local\Temp\Thomas

MD5 7fe92d1a548602fde1565d712bda2c31
SHA1 6b0f68dfef457c84c8c8de12a81356d34a745a01
SHA256 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4
SHA512 bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d

C:\Users\Admin\AppData\Local\Temp\Will

MD5 1a91d5a1c1770b7f0f9cfce2e2e033c3
SHA1 9bab62fa38126f91be59f6bc42b18c7d2797abc2
SHA256 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5
SHA512 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557

C:\Users\Admin\AppData\Local\Temp\Whenever

MD5 e4aa61dd9135241d399813916b7810d9
SHA1 59f3a9e4706b7c8b360d89fc25712b25a4a29380
SHA256 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1
SHA512 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183

C:\Users\Admin\AppData\Local\Temp\Registered

MD5 df64d534153e3209f9205105677a7926
SHA1 78a92c5660604a1806cff15b390928a60bc665a2
SHA256 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590
SHA512 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda

C:\Users\Admin\AppData\Local\Temp\Clips

MD5 07b6cca17ff3d67686dcb686c7397959
SHA1 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a
SHA256 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4
SHA512 a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5

C:\Users\Admin\AppData\Local\Temp\Wiki

MD5 62691926c398272b060aca24576fa46a
SHA1 8bf7fb2b2df52820ee9ef46790e70ca3b4945add
SHA256 d64ac5e82cc80deeb291837b9ec7307e97df901e3b2783b621f8731661ece7c1
SHA512 664ea85293f05c7ac31453b2db6b3caeec86a8166e0fee99ae64e6ceb7ae965a354fb1d8152bca538e9faa36e6fc7985468c2aa933b6a07ff940abe628fd0047

C:\Users\Admin\AppData\Local\Temp\Route

MD5 8494c7d9d337a740a2b78b91d6a25741
SHA1 95623c0ae4cda059b11cff25ea05324c4dc9ca7d
SHA256 ea9412f6c61023fb5c602b3d391b986314e82bfe230799cb1e9dafec82b017f2
SHA512 b3114e01491bfd532987af246480e1fade226d42ac7d4eca07be2d8bdac2d2cddb97f1cc3a0b555870eef289d55e2b06b7cdbee830c99aa1d1e87d15fc160577

C:\Users\Admin\AppData\Local\Temp\Concert

MD5 40bd98de2c6eafc9393dea5648237efb
SHA1 f920b8feac96be36ee27fa187ccbaf5156bd8969
SHA256 3d233df3cf211e0450b712647115d57592e1995d74f49b088d8637d9ff3a69bd
SHA512 5dbf588088a34181025c5e5b6e3ccc334945afdaf314cc7fdb987d6dbb9d8df32a8b2946e308db06380c28549001f5c4711314ed923b799ee23f8b03e1f0047d

C:\Users\Admin\AppData\Local\Temp\Challenged

MD5 95a29849fca591f7dd60ce737d9fad75
SHA1 0d09edf10128e174ca9010838a43247e3786ba4e
SHA256 39f4069d5c3c2b28246e2f6e69e664acb5243f7757e442850d3329952ae7f326
SHA512 d77cef8edac38a35865fe2ecf1376c06c78aac16cf41fba7528a2d74fddc05e15da056c64811cf2b1438b7f80845df68c9d836b634ba08993cb0c098a28f8a5d

C:\Users\Admin\AppData\Local\Temp\Bibliography

MD5 cbabde4bcb3d6b2a1a62629d3fae6942
SHA1 062f09fd85db0324294b901f9a6a4b1a207d46e8
SHA256 21c795715ecaee112b2ec8b468c9e36d82a5761bd1db83a768a4e3a079e74436
SHA512 78ec8cbcf7190c2f8c4753fb24d2b8c24452a84ecc0ea7c3db052a0165406a7f2326529d657c1d5deee8d5b3e9cd6640ce1ff17c1f095c7ca4295f6bce78e093

C:\Users\Admin\AppData\Local\Temp\Cubic

MD5 34a6728cd9f73abf7a91f66252cf0829
SHA1 5f3981da11a0a41edcbb12ae229f3dcfccc6f82c
SHA256 5dc5defaaf7243c0d4c7ba9a42a5063bcb19630547d78fe35b6f0beb294fba43
SHA512 4ac2222c36897e274b08863ff851da23624057dcf1203ba44ff4a3f4ef52b6584109d41615ba22ea90c92625be85101d107c59b646e6c055d480fa7b15f3ebdf

C:\Users\Admin\AppData\Local\Temp\Charleston

MD5 ecdf78d1f969073a83acb1e32ba80a05
SHA1 e547ae72ce76d015dd5f2b41eecda246eae3720c
SHA256 57b89a83b3cd83f11c605c7f88aec537c80c4ab61adfcbeff16dd86c9eb7a4a1
SHA512 53945b216fc46d2c5d894deb75c746f32e16de389403263c40a368ad323dcdec740259dcb88a3da0cd9f4a12dfa0a287bcf4192df6bcb74b6fdebbc3e420557d

C:\Users\Admin\AppData\Local\Temp\Turn

MD5 8bc214a5383ab3532a20b52ac5624501
SHA1 4d0e206963a38de8c54785847bd935218729f296
SHA256 d14bfd7106113d5f4c7401560536966fa39d03e8528f91f9f4aa4eef6002a6e0
SHA512 0d9a241c9a3a82da69421aad0d57768477d5e9af97fcfca333ccbc5eb173de8f2ff23d66d224bd6e55d37f6ea5a978b2e2b7ecf18eb5d5f802d331838c417445

C:\Users\Admin\AppData\Local\Temp\Infection

MD5 bfa650e559e2a6c7ed47bfccf27d4cbb
SHA1 869f87feb559cfa55d28dc75f9cd01a458774cec
SHA256 681913fd22b098d29c0842c283ca8f6a988b9f2bae069ade92fd1029e3eb67af
SHA512 1546d95ac3ebaeb0b97829613bb5aa9a10b136c7f5cdaea66fff23103cb81e20a23732286eb904286ea8eab059cd39f7f3df0d48499c87edd922d30f028fa1b9

C:\Users\Admin\AppData\Local\Temp\Wool

MD5 e17b22ee13a0359fcc5e72e312177b73
SHA1 f1f7482a1674ff2b35f4dc75861dde4d6560ccb5
SHA256 64901eb827998aac6a12e3bd2d3300a70a4d0f29b94376ae4d75636439fee68a
SHA512 79139993513404c4778bb94cfc396fde84b7e6287c583dd0e382492ebacdc93b479f3b89d4e47f6232e5586fb8c53600ddefce5a496bc5841c093861cb619b48

C:\Users\Admin\AppData\Local\Temp\Wanted

MD5 2bc8cd3cd9520b534f5c7a2b29d43476
SHA1 8d19c65db42fbf5432942af24176ec0428eb03dd
SHA256 80bbff7a902b16bc54ac5b0f26ed075db840eb4571475e3d00413cae9411c577
SHA512 e1a118059965b9c656951d821cd70ec3918874622e6f3ea826458560c3b61f237dba415bbee8ab0ec4462363f82fcb0e3cf5130d08ff378c978581c020707c38

C:\Users\Admin\AppData\Local\Temp\Planets

MD5 8b8508d4de0fccf374111ddb5079207c
SHA1 e358b9489aac68dc51097d7680b5df2542dda3d9
SHA256 9a015192846b800842efb60f057dad497f82b02f6eacdf225fdd495691f3f4b1
SHA512 26e1d6452334d0feb2f238f4d10cabcbaa8e725b1121efd79bf57c53e72cb3fc2dd4053aaabd26ee0c3ec1c0b7c1a501d64f90675aff7e88defcc28ac6688bfe

C:\Users\Admin\AppData\Local\Temp\Sixth

MD5 88023976d5464e26d23fa462ecf19a24
SHA1 60ce6c83b2ceb256afc7cf2b26d17ebcb77d9873
SHA256 ac4e502fc78df2396b5f0aadf7f85d947718bb0b0cfa9fc9a2e0f7ecc988bb9f
SHA512 0498cbf77e38e59678a718a4b5410656a42ee913671555e33289b4c4e48267a7d33942cd8f8402356a483eb6802161568dbe8c05043f660ee4cbcc09fac674d4

C:\Users\Admin\AppData\Local\Temp\Wallpapers

MD5 702274c76f1e8b5e3cf6eb9a64bd7040
SHA1 7ada91befe55505e32d2bb64c47e8b1725525cad
SHA256 38dbaf58a4f2799c6c3d30899c10a986831fdfd62e851366e3e5c86f39c6f149
SHA512 4cdedc1f3df3e8991866fcdf54e4ce406304123d7b9e1d520c5d26bbe19e410abc6a26c7c8dcc74e6f81a1dfa19d9f439534dbdee78e4d03baac7b1006c6cbfa

C:\Users\Admin\AppData\Local\Temp\Keywords

MD5 902bb2bacc6ea96547fc1383a019761f
SHA1 b712a36338a7e37d936489db47844657e3d531af
SHA256 fe6902823271c9b7f67f2a27f2c991d2df3d182fb1248e43f11240a9fcaba5b5
SHA512 f4808b3c921346b5a05d3f58405a5ade3f95c16a850d3c40dba4701abbeff7b2a11b48bc73767ad902ffdc3c703f3151d01a38222528b1c11b71769111087a2a

C:\Users\Admin\AppData\Local\Temp\Definition

MD5 0255c33cd5087c24e5b4f0d82abae604
SHA1 24dfb98593e9d464a2c86b95e8e11eb1a1f484d1
SHA256 bd348952df9ac0d78ab3899d86c4579880dc73bc1f974a50ee7e28d4d6b4bc95
SHA512 cb3ba0c2174b7340fc2b5953e49c305aa5c0e86e98cd9558b1881b2058dd736ed05c88563464c19b7c43435dafc6b61a92dd102b9ceffeb2f18473837046bedd

C:\Users\Admin\AppData\Local\Temp\Almost

MD5 83cf5ee2c502f847da364a9e6a4245df
SHA1 8fc51be5da0a57ef671ddf65bf5b0db444a135b9
SHA256 70b6ddd36d12f64f1723d94e719008c3762fa4797ac58a3362262358afae2b8f
SHA512 d9d832027621a5f5b91669049e2ea1ee401fe31a085b8ff45b768c7726e1ca9487369dc37fe57db1ba5b69f0254d71d6f0a3c209365149f0f0ee75c12a4bb60f

C:\Users\Admin\AppData\Local\Temp\Astrology

MD5 8ce87c92b9692122e0869a296721f672
SHA1 8bf412633ba9798702dea6c3c56e0f219d75f112
SHA256 644555f4f0033186a17f7d17ff73c6ec975bff3b813bb3d74b361bfe4c8b04a1
SHA512 b338149a839c9127489d92e730d9f54952dbdb7a829615fc32d73fc911587b5cad69e065b5591b421bdf2d21435ef544e9a3725605445c1e9f9e9b982ff2911d

C:\Users\Admin\AppData\Local\Temp\Harley

MD5 7d022467103662db65311c796de33eb7
SHA1 c8b52feeaaf322b16238787f7837da1b4be95118
SHA256 460027620738825de7d916af202db9a9fbe34459677a1a78948c4aa5637c1100
SHA512 de8e452fbbab7161dc6690c971f068daad285cbe4abb54a3549b833453d2eb65d88134a69f4cc591b2e429ba017df531155ce2497579ae77cc6644c43d8e1b32

C:\Users\Admin\AppData\Local\Temp\Records

MD5 c4dbb9a4f3fcfa63357cfdeec29d5b93
SHA1 6a015af18e535919433bc696463423d541dbc8dc
SHA256 f4fe9b181d5b446e4958aac4e16bce91abe407d4ade45f2f6f9106f9cbf35012
SHA512 14b6e3a72ba3167ad34d016d8333079d4d06ea5df71b8ead777625bcdae43a91c459d89564144f4f36b9423958808b4622c5c3d7c379e98a6f0e535d04705089

C:\Users\Admin\AppData\Local\Temp\Register

MD5 fd13359962e436976f7446c817722953
SHA1 23b784d095acd9478c659fef3e5967d893029fef
SHA256 33a794a77a48e63314c8790c209b323054d8445278e3c0d44fea9b937f358dd7
SHA512 2851ae1bf5e0001980631df40e7f9abc98895280248be79a464c8aa4da0853690496125792b78449dcef73fb54e2dbe7169f8bea83d6f9b313444c978b4fb6f1

C:\Users\Admin\AppData\Local\Temp\Angels

MD5 a593d3200e5eb73c1d0cd6a8572d9820
SHA1 eaaa702a857179ba67d5d30010653b53c1bcae77
SHA256 f0511b85d40f8c1284cd2ffcf8bead0b534d23219a7969c7108b4788d3cc15bf
SHA512 d46de14dbf7a22aa9aa19a158d9e9e0d511361d34214a988bafdb490eb8a67a12e4f84195909aa51814f92ba7d4aa258cbdd17bf966f0671867b95d0c1cabc2b

C:\Users\Admin\AppData\Local\Temp\Degrees

MD5 27b98647e42753e5bb64e27e42c36a0b
SHA1 5ffc231a7584a649c068950cfe13649391364fb5
SHA256 58debf161c133850577d18bcc77edc5098239e98571ad0afda468f23053040b6
SHA512 d4f691f339a04013b6d2625bffe1da218f7525de4b53f2f933c5dc554279e0a79f2838184646ec43d87b5a6824f0854400c06461ffa3de15bf3fae53e79fa4d0

C:\Users\Admin\AppData\Local\Temp\Engines

MD5 fbb3aa92f3bcd2440080205790ba1859
SHA1 dc993e62a41d0a3467ce270938fd9fe0c770f727
SHA256 9670b6af663b0b7cb7e1fd3a54a147b2d426f03b8f386b9185d83f511bf532ba
SHA512 4c78bd624df2976e6ece1eb80b40e33d43e2c6d9609f780cad8b9221dcc5c5de086ed2bf92f199fdfb4f5e30660e6eedd40ec855ae145dfea08f190a642a3469

\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\543333\f

MD5 0596c72d30b87d69ced68aaf078b4694
SHA1 17d2ddcdfd4e353f142c2de12b97ee92adc550a6
SHA256 f91f987168b45547a53ec31d8713ed139fd42f7cccd93b8fa356f32644046b47
SHA512 4fab9dc31b1e96b928bd139f11478ff4a6ad968bfb5c5aadf507cae9d92a801ab581031b83e36939aacf08b4b09a33497c449e9495100ab60ae7b14c232074b1

memory/2676-87-0x0000000000690000-0x0000000000870000-memory.dmp

memory/2676-88-0x0000000000690000-0x0000000000870000-memory.dmp

memory/2676-90-0x0000000000690000-0x0000000000870000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-29 11:45

Reported

2024-08-29 11:54

Platform

win10-20240404-en

Max time kernel

297s

Max time network

321s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 424 set thread context of 4344 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1564 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1564 wrote to memory of 424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1564 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1564 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1564 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 424 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 424 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 424 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 424 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 424 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 543333

C:\Windows\SysWOW64\findstr.exe

findstr /V "ZambiaExpressionEdWarnings" Organizational

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Knowledgestorm.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-08-29 11:45

Reported

2024-08-29 11:54

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

316s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1444 set thread context of 2284 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3236 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3236 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3236 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3236 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3236 wrote to memory of 4648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 3236 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1444 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1444 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1444 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 1444 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 543333

C:\Windows\SysWOW64\findstr.exe

findstr /V "ZambiaExpressionEdWarnings" Organizational

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Knowledgestorm.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Network


Files

C:\Users\Admin\AppData\Local\Temp\Opinion

MD5 14cc1fb9d1af48eefbf8886f7afb6aaf
SHA1 5c3f6bd7d25302838faeac6235d11d29a7e148d9
SHA256 9cea2e15a0c817883475e3167af085e3526b3c42a3fdda11e903e73b53622022
SHA512 cb727deecefa26f60973bbed0202768bdd4e2352d64c72c55fe416fb163121030ea948fc6716a029358f68da36fe1110d31f714a6a62cf71f8be3e5187c35b13

C:\Users\Admin\AppData\Local\Temp\Organizational

MD5 7b8287c0afd0f089d462d20227527313
SHA1 6f0a58bdfcd864ae9cf978a2871fb9ac783db8f9
SHA256 88b14e31861a97e927f87ce510d488ac1d0f413208f131bfb8a5d3a05edb3604
SHA512 479edd99083f48e317f410942912b2c736bcfa597da814b7144a1d8e6e76c787779c8fd26a4ac21622428d9baf1601fb269f4d636b4608590fb1f46dd9c0bc01

C:\Users\Admin\AppData\Local\Temp\Administrator

MD5 d4fdc8b32df2a7aeff68f050ff4e99f5
SHA1 596c4fcdabd92baf7306afe28ad4769210c8c61e
SHA256 ded4baaa7579656e4a408085c8c285b1b9b82bcd31391546c70dbd759b3bb670
SHA512 91f41ef856fcee09b010e273396cc7156f69ad09be721a678cfaf211e75e8d02fd8d1dd8d5592ac5f8ba683f65aa7c9a27b2e6797aeed750f4b439ce3a23e328

C:\Users\Admin\AppData\Local\Temp\Offerings

MD5 c1b98968af3ca9958da994e0d2b64ca5
SHA1 86a2c66038306cea65319eda4dc28e9ca416ecba
SHA256 1b48fd8413fd1836dbac6221c65a49e18bad9a4555403bed8af527b6631b892a
SHA512 66910de09590d57c303b68c40ab91a763b0e1ef9f028d748924c20f7d10463ab402d205f863444419c8e844d120197b6dd714603b53e0c63d819cbc681e9c13a

C:\Users\Admin\AppData\Local\Temp\Erotic

MD5 baa394d9b7256b54d2a17aef107d6587
SHA1 ebb8b2974d73f4259fb01132ffaa9e93f9e32784
SHA256 ec971b967fde3bdd81bb45e1889ecaf54f8f30a8c381295d7784f1a1ac58a0bc
SHA512 ba091b2fdb30bcc77627f42be924aad55acadde20c5359f86c5b9e2498007aed4e89b700644f93dedc19009bca83655bf42c788d894d4594edd27baac2a6a5f0

C:\Users\Admin\AppData\Local\Temp\Worldwide

MD5 0a51acf518d3af32972473ad935785b2
SHA1 2890597974297152d974f0bc05abd0689dcbe140
SHA256 2208eeee1f5e33f9db603d3d9b1849f24267a089cf77dba801afb7ef8d304ccf
SHA512 60739e0a4fc0aca4c9b9520c17f7981dfe1359248a3d2b91c187bcce103f1655663dc594517bb719783a9c87e64c882c5abbea99668a2c941bb13490b8754454

C:\Users\Admin\AppData\Local\Temp\Springer

MD5 6935c3ee488f7e35515d746c51ed5e63
SHA1 eaf55bf9c7bb9cc97f4238f11a8c8cd3adc38096
SHA256 c6dbc6c01e053cab7c2c500ced5fe0991f65b3151ee9b229f851356070ffe0c6
SHA512 f600a38d3cf824d2c61a50c837b12b84e1fc860442d0f5fbea97e248f59bf0a9f64adeb3b61243d64360987e75fefe117e170bddb4eb262242bf59a419a17c81

C:\Users\Admin\AppData\Local\Temp\Nylon

MD5 7ec83d9c67fdabe8d1a30d598b074796
SHA1 909f7cc320e0584037121527c3916b633f9e1f9f
SHA256 8e4e1ac1e59fae7036e1e12161e4d36d5b945c93266bdca15555e8b07638cfc1
SHA512 d142c4850d387aff9961f7b64ff255e9f82f9ce1edd7a202133d33ef7a6892a2ef01271cd26ab15c6233b871feb688520e222bb9f2e967af23fa4b0a337f575a

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 19d61e16dada8cd392e3c8bf745776d9
SHA1 ebbd31fe57f9b77b383326b42e166340c0cf721b
SHA256 77f637712f089a9ec49659a7f276fdcff26aa9ed1e693e7ec050d7be62e3900b
SHA512 12980651bc3c4de9b6cc952332ccf1acabef3598ff1bb273d31d1802bbeb6a13fb7597a4063681f18dc74ee4ea1d072bd95c04619be7e4d6fa3f14940f73ba03

C:\Users\Admin\AppData\Local\Temp\Thomas

MD5 7fe92d1a548602fde1565d712bda2c31
SHA1 6b0f68dfef457c84c8c8de12a81356d34a745a01
SHA256 2657145b7fc09a627a14dafde0a87b0024ffb04c47b19df10f12297a4ee77fc4
SHA512 bc8acab6d66027dffddeb9fbd1c70c88b2d1f856b7684e7ceb7fb29d0ccde05e74fb9f39e467c60ae909de9d098ab3002eafab704b40d3ec45ea2ec116aa277d

C:\Users\Admin\AppData\Local\Temp\Will

MD5 1a91d5a1c1770b7f0f9cfce2e2e033c3
SHA1 9bab62fa38126f91be59f6bc42b18c7d2797abc2
SHA256 922d45343ad6f1f252dd80ed96f4cf108eb3474297660723f5484a9559b972d5
SHA512 4112c6502253b596c7682c22d672f838734cdc70eaaef8db8db6b626afa95bb55cb1994b3fbf358f75cfbbcb7fd6008c7c409823ebdf1070613fc36b3154c557

C:\Users\Admin\AppData\Local\Temp\Whenever

MD5 e4aa61dd9135241d399813916b7810d9
SHA1 59f3a9e4706b7c8b360d89fc25712b25a4a29380
SHA256 2bfdac167fdd19565ab3afd97caaf70e2d30a836016139a8a10b5d9f7a23e6e1
SHA512 43c274570d565bfb3b04d43a6f2875eb14b5b474177007c1efcc9c01fc0a086a4898aff4a5ef0c127890c8260d259bbd5190a1903957aef44df4c109c3cd7183

C:\Users\Admin\AppData\Local\Temp\Registered

MD5 df64d534153e3209f9205105677a7926
SHA1 78a92c5660604a1806cff15b390928a60bc665a2
SHA256 51eca6abe087a2a57c464a9a8394042c9ecacbb2024548115d7cd88d508ba590
SHA512 4e2c4ca1a7af60cd262f05379b557336c25a31fa1935f0714fe157c9be1eee30f3f4dc5500ae11a62446c99b91d0952018007c8a11bf989cd91144a2af200eda

C:\Users\Admin\AppData\Local\Temp\Clips

MD5 07b6cca17ff3d67686dcb686c7397959
SHA1 066c73a73e35e2ee2e06d1371bc00cbbfbba8a5a
SHA256 14ca81f6f08e451b234f1e91ca5865a696bac0cab3ea4aec4fee6dce1d244ef4
SHA512 a992feb266d1840b449d5bc2a0766c47a3de1b54dad8297e05eae4162e913647aba7932a387d3d07be5adb63d1534e4869acf05dc8048f8a53deab2d3ee8ffd5

C:\Users\Admin\AppData\Local\Temp\Wiki

C:\Users\Admin\AppData\Local\Temp\Route

C:\Users\Admin\AppData\Local\Temp\Concert

C:\Users\Admin\AppData\Local\Temp\Challenged

C:\Users\Admin\AppData\Local\Temp\Bibliography

C:\Users\Admin\AppData\Local\Temp\Cubic

C:\Users\Admin\AppData\Local\Temp\Charleston

C:\Users\Admin\AppData\Local\Temp\Turn

C:\Users\Admin\AppData\Local\Temp\Infection

C:\Users\Admin\AppData\Local\Temp\Wool

C:\Users\Admin\AppData\Local\Temp\Wanted

C:\Users\Admin\AppData\Local\Temp\Planets

C:\Users\Admin\AppData\Local\Temp\Sixth

C:\Users\Admin\AppData\Local\Temp\Wallpapers

C:\Users\Admin\AppData\Local\Temp\Keywords

C:\Users\Admin\AppData\Local\Temp\Definition

C:\Users\Admin\AppData\Local\Temp\Almost

C:\Users\Admin\AppData\Local\Temp\Astrology

C:\Users\Admin\AppData\Local\Temp\Harley

C:\Users\Admin\AppData\Local\Temp\Records

C:\Users\Admin\AppData\Local\Temp\Register

C:\Users\Admin\AppData\Local\Temp\Angels

C:\Users\Admin\AppData\Local\Temp\Degrees

C:\Users\Admin\AppData\Local\Temp\Engines

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\AppData\Local\Temp\543333\f

memory/2284-90-0x0000000001400000-0x00000000015E0000-memory.dmp

memory/2284-91-0x0000000001400000-0x00000000015E0000-memory.dmp

memory/2284-93-0x0000000001400000-0x00000000015E0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-29 11:45

Reported

2024-08-29 11:54

Platform

win11-20240802-en

Max time kernel

221s

Max time network

320s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4108 set thread context of 3560 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4196 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4196 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4860 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4860 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4860 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 4244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4860 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4860 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4860 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4860 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4860 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4860 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4860 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4860 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4860 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4108 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4108 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4108 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4108 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif
PID 4108 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Opinion Opinion.bat & Opinion.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 543333

C:\Windows\SysWOW64\findstr.exe

findstr /V "ZambiaExpressionEdWarnings" Organizational

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Offerings + ..\Erotic + ..\Worldwide + ..\Springer + ..\Nylon + ..\Disturbed + ..\Thomas + ..\Will + ..\Whenever + ..\Registered + ..\Clips + ..\Wiki + ..\Route + ..\Concert + ..\Challenged + ..\Bibliography + ..\Cubic + ..\Charleston + ..\Turn + ..\Infection + ..\Wool + ..\Wanted + ..\Planets + ..\Sixth + ..\Wallpapers + ..\Keywords + ..\Definition + ..\Almost + ..\Astrology + ..\Harley + ..\Records + ..\Register + ..\Angels + ..\Degrees + ..\Engines f

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Knowledgestorm.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

Network

Country Destination Domain Proto
DE 92.246.139.82:80 92.246.139.82 tcp
US 104.26.9.59:443 api.myip.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Opinion

C:\Users\Admin\AppData\Local\Temp\Organizational

C:\Users\Admin\AppData\Local\Temp\Administrator

C:\Users\Admin\AppData\Local\Temp\Offerings

C:\Users\Admin\AppData\Local\Temp\Springer

C:\Users\Admin\AppData\Local\Temp\Nylon

C:\Users\Admin\AppData\Local\Temp\Worldwide

C:\Users\Admin\AppData\Local\Temp\Erotic

C:\Users\Admin\AppData\Local\Temp\Disturbed

C:\Users\Admin\AppData\Local\Temp\Thomas

C:\Users\Admin\AppData\Local\Temp\Whenever

C:\Users\Admin\AppData\Local\Temp\Clips

C:\Users\Admin\AppData\Local\Temp\Challenged

C:\Users\Admin\AppData\Local\Temp\Bibliography

C:\Users\Admin\AppData\Local\Temp\Concert

C:\Users\Admin\AppData\Local\Temp\Route

C:\Users\Admin\AppData\Local\Temp\Wiki

C:\Users\Admin\AppData\Local\Temp\Registered

C:\Users\Admin\AppData\Local\Temp\Will

C:\Users\Admin\AppData\Local\Temp\Cubic

C:\Users\Admin\AppData\Local\Temp\Charleston

C:\Users\Admin\AppData\Local\Temp\Turn

C:\Users\Admin\AppData\Local\Temp\Infection

C:\Users\Admin\AppData\Local\Temp\Wool

C:\Users\Admin\AppData\Local\Temp\Wanted

C:\Users\Admin\AppData\Local\Temp\Astrology

C:\Users\Admin\AppData\Local\Temp\Almost

C:\Users\Admin\AppData\Local\Temp\Definition

C:\Users\Admin\AppData\Local\Temp\Keywords

C:\Users\Admin\AppData\Local\Temp\Wallpapers

C:\Users\Admin\AppData\Local\Temp\Sixth

C:\Users\Admin\AppData\Local\Temp\Planets

C:\Users\Admin\AppData\Local\Temp\Harley

C:\Users\Admin\AppData\Local\Temp\Degrees

C:\Users\Admin\AppData\Local\Temp\Angels

C:\Users\Admin\AppData\Local\Temp\Register

C:\Users\Admin\AppData\Local\Temp\Records

C:\Users\Admin\AppData\Local\Temp\Engines

C:\Users\Admin\AppData\Local\Temp\543333\Knowledgestorm.pif

C:\Users\Admin\AppData\Local\Temp\543333\f

memory/3560-84-0x0000000000650000-0x0000000000830000-memory.dmp

memory/3560-85-0x0000000000650000-0x0000000000830000-memory.dmp

memory/3560-87-0x0000000000650000-0x0000000000830000-memory.dmp