Malware Analysis Report

2024-10-19 08:59

Sample ID 240830-jwh9ratdna
Target archi743.7z
SHA256 22c87c01fb31d7ae241eeaa7d560e3c063ba68bfdd519533927929a66f618c9c
Tags
discovery lumma redline stealc vidar 1f3c236c672ff2ffe017b396f834c66e default leva logsdiller cloud (tg: @logsdillabot) credential_access evasion execution infostealer persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22c87c01fb31d7ae241eeaa7d560e3c063ba68bfdd519533927929a66f618c9c

Threat Level: Known bad

The file archi743.7z was found to be: Known bad.

Malicious Activity Summary

discovery lumma redline stealc vidar 1f3c236c672ff2ffe017b396f834c66e default leva logsdiller cloud (tg: @logsdillabot) credential_access evasion execution infostealer persistence spyware stealer

Detect Vidar Stealer

Stealc

Lumma Stealer, LummaC

RedLine payload

Vidar

RedLine

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Creates new service(s)

Downloads MZ/PE file

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Checks BIOS information in registry

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

Power Settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-30 08:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 4516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win7-20240705-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2512 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1576 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1576 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win7-20240704-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\meshsystem.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\meshsystem.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\meshsystem.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\meshsystem.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\updateagent.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3228 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3228 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\updateagent.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\updateagent.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win7-20240708-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileApp.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A api64.ipify.org N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\TherebyJoke C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe N/A
File opened for modification C:\Windows\BlahAdobe C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe N/A
File opened for modification C:\Windows\AspResistance C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe N/A
File opened for modification C:\Windows\OvenJa C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe N/A
File opened for modification C:\Windows\MrnaMatches C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe N/A
File opened for modification C:\Windows\VotingApps C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe N/A
File opened for modification C:\Windows\ResourcesBrake C:\Users\Admin\AppData\Local\Temp\FileApp.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FileApp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminFCAFIJJJKE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminHIEHDAFHDH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\FileApp.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\FileApp.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\FileApp.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\FileApp.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2696 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2696 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2696 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2696 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2696 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2696 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2696 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2696 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3040 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 3040 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 3040 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 3040 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 3040 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 3040 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2624 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe
PID 2624 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe
PID 2624 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe
PID 2624 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe
PID 2624 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe
PID 2624 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe
PID 2624 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe
PID 2624 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe
PID 2624 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe
PID 2624 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe
PID 2624 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe
PID 2624 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe
PID 2624 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
PID 2624 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
PID 2624 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
PID 2624 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
PID 2624 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe
PID 2624 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FileApp.exe

"C:\Users\Admin\AppData\Local\Temp\FileApp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 301998

C:\Windows\SysWOW64\findstr.exe

findstr /V "HazardousJimmyLiableHowever" Italic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Quantities.pif B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe

C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe

C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe

C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe

C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe

C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe

C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe

C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe

C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe

C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe

C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe

C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe

C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe

C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe

C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe

C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe

C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp" /SL5="$80196,3906928,54272,C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Heritage Heritage.bat & Heritage.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe

"C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe"

C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe

"C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 651690

C:\Windows\SysWOW64\findstr.exe

findstr /V "HampshireRangesScholarsPodcasts" Exhibit

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Llp + ..\Powerful + ..\Dude + ..\Slightly + ..\Sources + ..\Vagina p

C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif

Sister.pif p

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIEHDAFHDH.exe"

C:\Users\AdminHIEHDAFHDH.exe

"C:\Users\AdminHIEHDAFHDH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCAFIJJJKE.exe"

C:\Users\AdminFCAFIJJJKE.exe

"C:\Users\AdminFCAFIJJJKE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VIFLJRPW"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VIFLJRPW"

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe

C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe

"C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe" -i

Network

Country Destination Domain Proto
US 8.8.8.8:53 xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC udp
US 185.143.223.148:80 185.143.223.148 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 file-link-iota.vercel.app udp
US 8.8.8.8:53 240812161425945.tyr.zont16.com udp
RU 31.41.244.9:80 31.41.244.9 tcp
RU 176.113.115.33:80 176.113.115.33 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
US 76.76.21.22:80 file-link-iota.vercel.app tcp
US 76.76.21.22:80 file-link-iota.vercel.app tcp
US 76.76.21.22:80 file-link-iota.vercel.app tcp
US 76.76.21.22:80 file-link-iota.vercel.app tcp
US 76.76.21.22:443 file-link-iota.vercel.app tcp
CH 179.43.188.227:80 240812161425945.tyr.zont16.com tcp
US 76.76.21.22:443 file-link-iota.vercel.app tcp
US 76.76.21.22:443 file-link-iota.vercel.app tcp
US 76.76.21.22:443 file-link-iota.vercel.app tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
RU 185.215.113.100:80 185.215.113.100 tcp
DE 77.105.164.24:50505 tcp
US 8.8.8.8:53 kKUNXsFvNT.kKUNXsFvNT udp
CZ 46.8.231.109:80 46.8.231.109 tcp
FI 95.216.107.53:12311 tcp
FR 147.45.68.138:80 147.45.68.138 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
US 8.8.8.8:53 awwardwiqi.shop udp
US 104.21.21.143:443 awwardwiqi.shop tcp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 104.21.58.213:443 locatedblsoqp.shop tcp
US 8.8.8.8:53 traineiwnqo.shop udp
US 188.114.96.0:443 traineiwnqo.shop tcp
FR 147.45.68.138:80 147.45.68.138 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:443 pool.hashvault.pro tcp
DE 147.45.47.251:2149 tcp
DE 147.45.47.251:2149 tcp
DE 147.45.47.251:2149 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Least

MD5 27ae911f596e4ff92e29f972adf0e0b9
SHA1 d01b96e291a76541cde9eff35c978e18f40c41c5
SHA256 c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e
SHA512 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6

C:\Users\Admin\AppData\Local\Temp\Italic

MD5 28223818ad5996d2af9084c5d6417555
SHA1 0d60f098499444a4ad9d6ed5bfccf493f98233a1
SHA256 e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562
SHA512 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd

C:\Users\Admin\AppData\Local\Temp\If

MD5 f46f96d88296c0f254a435da379fda59
SHA1 a62c442c43a152958e98f921f9cf84b238e0db39
SHA256 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef
SHA512 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7

C:\Users\Admin\AppData\Local\Temp\Draw

MD5 45b8bf23975a16a5f1d543a1d6113712
SHA1 23005543f09c26211d1a5025b25ecb064e11cda2
SHA256 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a
SHA512 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4

C:\Users\Admin\AppData\Local\Temp\Cherry

MD5 461c27a459b970f2b6e8a0c4d804d08b
SHA1 2667edbf37e403e0b8ef91853f939b439c71ca47
SHA256 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252
SHA512 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770

C:\Users\Admin\AppData\Local\Temp\X

MD5 42f1f4f3dcc546c4d2ffd6fc34ae0d59
SHA1 72089da6297e2559aee066beeef041d77c995605
SHA256 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43
SHA512 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3

C:\Users\Admin\AppData\Local\Temp\Polyphonic

MD5 487876f6d1b96fd922a958c48d48a830
SHA1 b3bab66966fdf53f51a10304145b84dce7f29429
SHA256 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e
SHA512 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4

C:\Users\Admin\AppData\Local\Temp\Hills

MD5 0515a4a5459d9d6bc894757b4dfa7caa
SHA1 e942627a02f5e0ded90a200ee1e241633b492418
SHA256 e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b
SHA512 f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539

C:\Users\Admin\AppData\Local\Temp\Gnu

MD5 2caf2ad60def740a225604bbff7be58d
SHA1 b7883efafdcd1d172c50676d0cdcae4cdd0a81d0
SHA256 d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb
SHA512 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f

C:\Users\Admin\AppData\Local\Temp\Key

MD5 5b550dc8c634b092a3b92c134e0814a2
SHA1 7d7378be716a5cbd1c48ed7ae4accefd46e78260
SHA256 b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34
SHA512 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5

C:\Users\Admin\AppData\Local\Temp\Detect

MD5 288a651ff72fe49bd01f767d0953f592
SHA1 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b
SHA256 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f
SHA512 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8

C:\Users\Admin\AppData\Local\Temp\Ur

MD5 c09313c5cb9b0bbb55925207a89663ce
SHA1 3523b3a68c85f908c6ffa3f45315168d88ac7b92
SHA256 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229
SHA512 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416

C:\Users\Admin\AppData\Local\Temp\Planet

MD5 b5b4f986168680189f25497ec3c96cac
SHA1 aab716d4d4cc1ff40a4497bfa68388c0a087a2d2
SHA256 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a
SHA512 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8

C:\Users\Admin\AppData\Local\Temp\Bed

MD5 27f0060738094e127687300ae907902c
SHA1 997fa44fcb9f34238009d9f0707bbf001b23c5c1
SHA256 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de
SHA512 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa

C:\Users\Admin\AppData\Local\Temp\Davidson

MD5 6a3b014f3d3b9431c07cd04fdcb24fc7
SHA1 37e6e1204cf556c95129dad3cc95f0ed44c44f8c
SHA256 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52
SHA512 fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941

C:\Users\Admin\AppData\Local\Temp\Ring

MD5 bad9266e83c5a8cbb891480043544b3f
SHA1 11be22646fc01779949e01c1e35bf6894b043967
SHA256 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2
SHA512 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b

C:\Users\Admin\AppData\Local\Temp\Makers

MD5 77a924a4b154bba5d0581e424e700425
SHA1 38131e21bb10bf257252d2d0dc7a7d66456de193
SHA256 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021
SHA512 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d

C:\Users\Admin\AppData\Local\Temp\Pest

MD5 575d7d44665232ecd37b6d552b8594bb
SHA1 8791cf94559ae076c5ae7461d88cd32220fd5170
SHA256 da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7
SHA512 a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66

C:\Users\Admin\AppData\Local\Temp\Divx

MD5 109ea3b3fcc30a657196811b0b8bb8e5
SHA1 81d9b6d46cf56625047f4ea98901e590042a639c
SHA256 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe
SHA512 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44

C:\Users\Admin\AppData\Local\Temp\Wheel

MD5 9b2a8a04d727774a059123853431da52
SHA1 044243e59523da7f69883cacbe70b7d7e46680af
SHA256 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34
SHA512 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41

C:\Users\Admin\AppData\Local\Temp\Compliant

MD5 ce199702c46497d8573fff4d78e606a2
SHA1 4149d73fe6c348f3dd216accb03b421bf89746f9
SHA256 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141
SHA512 cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8

C:\Users\Admin\AppData\Local\Temp\Enclosure

MD5 bbac00d76756f7e775caa2e7673bee76
SHA1 0a90c5032342eaaf8f71561ef08e481a48ac97d8
SHA256 bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e
SHA512 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341

C:\Users\Admin\AppData\Local\Temp\Character

MD5 0a1ef968221e799d9e7d3c5b12d9b9b1
SHA1 bd9dcc813c6d765351db4b4ba701d71825a2f5ef
SHA256 ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d
SHA512 a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24

C:\Users\Admin\AppData\Local\Temp\Multiple

MD5 0a08672b60c9b7bd5aed7985bfb194a6
SHA1 c3d2799f59e12976262fbdd782e9d6083bc004b2
SHA256 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7
SHA512 cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa

C:\Users\Admin\AppData\Local\Temp\Square

MD5 6429d982b44da0c5e510074891c84d05
SHA1 e7e7d5376c981b57804db2046ab1e589b5b1e20d
SHA256 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01
SHA512 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267

C:\Users\Admin\AppData\Local\Temp\Personnel

MD5 59b719c0307872b1da8a8eb6498d04fe
SHA1 cd66a30e1ab756972af8db9da3a79ffd24cb73f0
SHA256 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6
SHA512 b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd

C:\Users\Admin\AppData\Local\Temp\Diane

MD5 37a4a09d5a64e8ace90d57aee1c9a5ad
SHA1 56dd4fa0e929c9186cfa005ada20c395c017d92f
SHA256 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44
SHA512 d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65

C:\Users\Admin\AppData\Local\Temp\Yield

MD5 9a8c4882c63e83dea3414ce89bffd3e0
SHA1 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81
SHA256 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6
SHA512 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e

C:\Users\Admin\AppData\Local\Temp\Oxford

MD5 3d7c41e63345ab502ff6d0024125c72c
SHA1 482d14af919dd112882720b31dede0d2bb9d6fc9
SHA256 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c
SHA512 f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125

C:\Users\Admin\AppData\Local\Temp\Assess

MD5 56c7199ed2cebda70cb95b6250ff2026
SHA1 b677160ff55e8516d8e82f98b4fef2a6f9427521
SHA256 f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af
SHA512 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982

C:\Users\Admin\AppData\Local\Temp\Law

MD5 8b8d133bbbcda6868db32b7322bded98
SHA1 13cb7f0dc27fba999eafd358cc1ce8c741055ede
SHA256 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2
SHA512 f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935

C:\Users\Admin\AppData\Local\Temp\Facilities

MD5 e2fb39632419ec4af6b00159c7e9ea3d
SHA1 569f27f26870bf3b5c8dbabd61e5af08a66fb37e
SHA256 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6
SHA512 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9

C:\Users\Admin\AppData\Local\Temp\Dry

MD5 ac97bdfbbc2cd99efb112947efc095e3
SHA1 d1c13589219246e0fb41b1d0320d0ddd881ee32d
SHA256 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d
SHA512 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4

C:\Users\Admin\AppData\Local\Temp\Ethnic

MD5 bfafcd4f6f1a7cab7e6587ce30a9ac26
SHA1 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4
SHA256 f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7
SHA512 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47

C:\Users\Admin\AppData\Local\Temp\Ton

MD5 08d5879bcf6e0fc11a3975c848c84ec6
SHA1 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12
SHA256 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468
SHA512 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb

C:\Users\Admin\AppData\Local\Temp\Leone

MD5 4ef39b19f1f3377c48213ee58430aba3
SHA1 c0f8f8ca22791a892006e305318bbdad72ec5516
SHA256 d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966
SHA512 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61

C:\Users\Admin\AppData\Local\Temp\Threads

MD5 467cee0e396bf3375b0d41c42bf83463
SHA1 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de
SHA256 d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975
SHA512 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a

\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\301998\B

MD5 d4850f35ef5d00d52ac27c403b4483b8
SHA1 be17e7dbcae50cade2ce2e662ceea543608ae888
SHA256 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493
SHA512 e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec

memory/2624-85-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-86-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-88-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-96-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-98-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-97-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-95-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-94-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-93-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-92-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-91-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-90-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-89-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-99-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-103-0x0000000000510000-0x00000000006F0000-memory.dmp

C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe

MD5 1e6220855c36eaef077681c9d4b088b2
SHA1 ef36b62281ef170d57606e80716430024ec3ca1a
SHA256 a3af35d1791abbf213f939d5c1923a628c32a05e7ebe8a70337272a1872126ce
SHA512 234bd1e3680f507d8fd46c1137084a06460110eb468aebe427d7b80ed30c9a14152a1b8369851b919a1974d2ac31b34d86f6b33eaa2a22f4df7b0c7472712eb1

C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe

MD5 abb713cf90e8345c0b6b79345cbdc9d6
SHA1 67e705d4070b58994f0b718005d5f07fef824192
SHA256 bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295
SHA512 809b8c6aae46674c4c5fe24a98ae1fa065ab24d44c42e56b85946d7cc039f4139eb34e62daaf2ea1058180884a72c411d639c79eacc491e7fdb555a11b4dd524

C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe

MD5 7fee72ea1dd13c340355baa7fe9c574a
SHA1 27896f73eddc109bbc669b4b1054a60e0c87bbfc
SHA256 a5f93ede5291955fc129fa0dae4dc954fd3ca29d2d975de969dc563c0d10085e
SHA512 7b585fcc523e8c64847d1c70f744d4053d03a75c37f76e1264a6165af8a6e2e9cc73d2677de24e81c2c4ec665798e05dff5bc20c3956b7a2901798d090a0d381

C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe

MD5 70567fae269796bf407322d0a4435054
SHA1 e11eddf4f0ce6d5288d8187005d34eee6efba046
SHA256 5923793c30acf9026a872fcb8ce04a671fa194bb4f73eef165d687ae97683047
SHA512 8c52339e85b8827fa25c1fb64fa47ca6de25f40d6f66b5d426a276e93d10751537f03c41e144ca22a6c34d10a896ebd7a8070846984f783e293bf4b8b2a58617

C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe

MD5 41f0081493230e3b9c5661f1cdd31277
SHA1 d964dc5a4d051cd330268858bfb00dcaedfa0e36
SHA256 24dc2a3346b2434869f2f7a885e4681aadd75d53443bc1bbf3529ed5f6394e06
SHA512 7d9b155f1a9f166ed7e1b92b6b2ecd581db3aff8f67c3334620f42c2633fe5e31bbd8bee9524182f443fcddbd3365aea8f98789389fea8cea96885e3eacfe872

C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe

MD5 d4ac1a0d0504ab9a127defa511df833e
SHA1 9254864b6917eba6d4d4616ac2564f192626668b
SHA256 a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848
SHA512 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5

C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe

MD5 bd2891236510c953d469e346d092f0c7
SHA1 6409a3259b18ecf91d2ff6a43ff319c2f8158be2
SHA256 1cf403233a05fd6140f33df350f8edccf51eea02746c6ba4ab3e31b32b8bab44
SHA512 409abb8ce3382297bb669e7b7edfa44b0c2166831a6212223237245cba0595cf35592ec9755c839a69372bd0a4e96c74b98e7bca375a82b3e0707658d4b5802d

C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe

MD5 025ebe0a476fe1a27749e6da0eea724f
SHA1 fe844380280463b927b9368f9eace55eb97baab7
SHA256 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2
SHA512 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799

memory/2624-172-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-181-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-186-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-178-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-204-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-200-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2624-191-0x0000000005B20000-0x0000000006187000-memory.dmp

memory/2624-196-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2080-213-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2036-224-0x0000000000F10000-0x0000000001577000-memory.dmp

memory/2624-220-0x0000000005B20000-0x0000000006187000-memory.dmp

memory/804-236-0x0000000000C30000-0x0000000000C68000-memory.dmp

memory/904-233-0x0000000001020000-0x0000000001054000-memory.dmp

memory/1492-229-0x0000000000A30000-0x000000000107C000-memory.dmp

memory/1784-228-0x0000000001310000-0x0000000001602000-memory.dmp

memory/2624-210-0x0000000000510000-0x00000000006F0000-memory.dmp

memory/2688-265-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2688-283-0x0000000000400000-0x0000000000641000-memory.dmp

memory/904-264-0x0000000002460000-0x0000000004460000-memory.dmp

memory/2768-281-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2768-279-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2768-277-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2768-276-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2768-274-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2768-272-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2768-270-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2768-268-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2768-266-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1784-286-0x00000000051B0000-0x0000000005350000-memory.dmp

memory/1784-288-0x0000000005720000-0x00000000058BE000-memory.dmp

memory/1492-287-0x0000000004D50000-0x0000000004F42000-memory.dmp

memory/2036-290-0x0000000000F10000-0x0000000001577000-memory.dmp

memory/1784-292-0x0000000000580000-0x00000000005A2000-memory.dmp

memory/1800-297-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1800-295-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2208-321-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1800-293-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1492-291-0x0000000000980000-0x00000000009A2000-memory.dmp

memory/2688-263-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2688-262-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2688-260-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2688-258-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2688-256-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2688-254-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2688-252-0x0000000000400000-0x0000000000641000-memory.dmp

memory/2688-250-0x0000000000400000-0x0000000000641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFDF0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2412-416-0x0000000000D30000-0x0000000000D64000-memory.dmp

memory/2668-442-0x0000000000B30000-0x0000000000B84000-memory.dmp

C:\ProgramData\DHCGIDHDAKJE\JJKJDA

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/1540-534-0x00000000001D0000-0x0000000000222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp587D.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe

MD5 8741a9378c770659d5f68b769863cce4
SHA1 6c00377647ada9b3e4ee86dae86138f3d32a718e
SHA256 208a4118871768f61cd590d4e15e61c5f7b9cc40281efa769625f90d026bec5e
SHA512 1cb838ce0502fc7e42f8881c97f4574739630345d169576ed09afdcfdececb4b68a6ffd8d62c454792d74356e76689a2fdf91303d5f2de56832dc766d3995c60

memory/1684-587-0x0000000004C60000-0x0000000004F96000-memory.dmp

memory/2440-588-0x0000000000400000-0x0000000000736000-memory.dmp

memory/1684-592-0x0000000004C60000-0x0000000004F96000-memory.dmp

memory/2440-595-0x0000000000400000-0x0000000000736000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mi\tmp\cmiaisupport.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4208 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4208 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4208 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mi\tmp\cmiaisupport.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\mi\tmp\cmiaisupport.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=1388 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win7-20240729-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 220

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 4252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 4252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 4252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\CbsCore.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4940 wrote to memory of 740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\CbsCore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\CbsCore.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileApp.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FileApp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2864 set thread context of 4312 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ResourcesBrake C:\Users\Admin\AppData\Local\Temp\FileApp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FileApp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\FileApp.exe C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\FileApp.exe C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\FileApp.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 920 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 920 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 920 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 920 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 920 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 920 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 2064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 920 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 920 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 920 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 920 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 920 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 920 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2864 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2864 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2864 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2864 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2864 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Processes

C:\Users\Admin\AppData\Local\Temp\FileApp.exe

"C:\Users\Admin\AppData\Local\Temp\FileApp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 301998

C:\Windows\SysWOW64\findstr.exe

findstr /V "HazardousJimmyLiableHowever" Italic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Quantities.pif B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 185.143.223.148:80 185.143.223.148 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 148.223.143.185.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Least

MD5 27ae911f596e4ff92e29f972adf0e0b9
SHA1 d01b96e291a76541cde9eff35c978e18f40c41c5
SHA256 c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e
SHA512 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6

C:\Users\Admin\AppData\Local\Temp\Italic

MD5 28223818ad5996d2af9084c5d6417555
SHA1 0d60f098499444a4ad9d6ed5bfccf493f98233a1
SHA256 e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562
SHA512 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd

C:\Users\Admin\AppData\Local\Temp\If

MD5 f46f96d88296c0f254a435da379fda59
SHA1 a62c442c43a152958e98f921f9cf84b238e0db39
SHA256 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef
SHA512 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7

C:\Users\Admin\AppData\Local\Temp\Draw

MD5 45b8bf23975a16a5f1d543a1d6113712
SHA1 23005543f09c26211d1a5025b25ecb064e11cda2
SHA256 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a
SHA512 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4

C:\Users\Admin\AppData\Local\Temp\Cherry

MD5 461c27a459b970f2b6e8a0c4d804d08b
SHA1 2667edbf37e403e0b8ef91853f939b439c71ca47
SHA256 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252
SHA512 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770

C:\Users\Admin\AppData\Local\Temp\X

MD5 42f1f4f3dcc546c4d2ffd6fc34ae0d59
SHA1 72089da6297e2559aee066beeef041d77c995605
SHA256 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43
SHA512 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3

C:\Users\Admin\AppData\Local\Temp\Polyphonic

MD5 487876f6d1b96fd922a958c48d48a830
SHA1 b3bab66966fdf53f51a10304145b84dce7f29429
SHA256 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e
SHA512 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4

C:\Users\Admin\AppData\Local\Temp\Hills

MD5 0515a4a5459d9d6bc894757b4dfa7caa
SHA1 e942627a02f5e0ded90a200ee1e241633b492418
SHA256 e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b
SHA512 f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539

C:\Users\Admin\AppData\Local\Temp\Gnu

MD5 2caf2ad60def740a225604bbff7be58d
SHA1 b7883efafdcd1d172c50676d0cdcae4cdd0a81d0
SHA256 d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb
SHA512 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f

C:\Users\Admin\AppData\Local\Temp\Key

MD5 5b550dc8c634b092a3b92c134e0814a2
SHA1 7d7378be716a5cbd1c48ed7ae4accefd46e78260
SHA256 b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34
SHA512 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5

C:\Users\Admin\AppData\Local\Temp\Detect

MD5 288a651ff72fe49bd01f767d0953f592
SHA1 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b
SHA256 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f
SHA512 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8

C:\Users\Admin\AppData\Local\Temp\Ur

MD5 c09313c5cb9b0bbb55925207a89663ce
SHA1 3523b3a68c85f908c6ffa3f45315168d88ac7b92
SHA256 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229
SHA512 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416

C:\Users\Admin\AppData\Local\Temp\Planet

MD5 b5b4f986168680189f25497ec3c96cac
SHA1 aab716d4d4cc1ff40a4497bfa68388c0a087a2d2
SHA256 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a
SHA512 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8

C:\Users\Admin\AppData\Local\Temp\Bed

MD5 27f0060738094e127687300ae907902c
SHA1 997fa44fcb9f34238009d9f0707bbf001b23c5c1
SHA256 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de
SHA512 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa

C:\Users\Admin\AppData\Local\Temp\Davidson

MD5 6a3b014f3d3b9431c07cd04fdcb24fc7
SHA1 37e6e1204cf556c95129dad3cc95f0ed44c44f8c
SHA256 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52
SHA512 fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941

C:\Users\Admin\AppData\Local\Temp\Ring

MD5 bad9266e83c5a8cbb891480043544b3f
SHA1 11be22646fc01779949e01c1e35bf6894b043967
SHA256 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2
SHA512 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b

C:\Users\Admin\AppData\Local\Temp\Makers

MD5 77a924a4b154bba5d0581e424e700425
SHA1 38131e21bb10bf257252d2d0dc7a7d66456de193
SHA256 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021
SHA512 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d

C:\Users\Admin\AppData\Local\Temp\Pest

MD5 575d7d44665232ecd37b6d552b8594bb
SHA1 8791cf94559ae076c5ae7461d88cd32220fd5170
SHA256 da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7
SHA512 a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66

C:\Users\Admin\AppData\Local\Temp\Divx

MD5 109ea3b3fcc30a657196811b0b8bb8e5
SHA1 81d9b6d46cf56625047f4ea98901e590042a639c
SHA256 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe
SHA512 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44

C:\Users\Admin\AppData\Local\Temp\Wheel

MD5 9b2a8a04d727774a059123853431da52
SHA1 044243e59523da7f69883cacbe70b7d7e46680af
SHA256 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34
SHA512 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41

C:\Users\Admin\AppData\Local\Temp\Compliant

MD5 ce199702c46497d8573fff4d78e606a2
SHA1 4149d73fe6c348f3dd216accb03b421bf89746f9
SHA256 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141
SHA512 cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8

C:\Users\Admin\AppData\Local\Temp\Enclosure

MD5 bbac00d76756f7e775caa2e7673bee76
SHA1 0a90c5032342eaaf8f71561ef08e481a48ac97d8
SHA256 bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e
SHA512 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341

C:\Users\Admin\AppData\Local\Temp\Character

MD5 0a1ef968221e799d9e7d3c5b12d9b9b1
SHA1 bd9dcc813c6d765351db4b4ba701d71825a2f5ef
SHA256 ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d
SHA512 a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24

C:\Users\Admin\AppData\Local\Temp\Multiple

MD5 0a08672b60c9b7bd5aed7985bfb194a6
SHA1 c3d2799f59e12976262fbdd782e9d6083bc004b2
SHA256 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7
SHA512 cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa

C:\Users\Admin\AppData\Local\Temp\Personnel

MD5 59b719c0307872b1da8a8eb6498d04fe
SHA1 cd66a30e1ab756972af8db9da3a79ffd24cb73f0
SHA256 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6
SHA512 b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd

C:\Users\Admin\AppData\Local\Temp\Square

MD5 6429d982b44da0c5e510074891c84d05
SHA1 e7e7d5376c981b57804db2046ab1e589b5b1e20d
SHA256 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01
SHA512 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267

C:\Users\Admin\AppData\Local\Temp\Diane

MD5 37a4a09d5a64e8ace90d57aee1c9a5ad
SHA1 56dd4fa0e929c9186cfa005ada20c395c017d92f
SHA256 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44
SHA512 d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65

C:\Users\Admin\AppData\Local\Temp\Yield

MD5 9a8c4882c63e83dea3414ce89bffd3e0
SHA1 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81
SHA256 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6
SHA512 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e

C:\Users\Admin\AppData\Local\Temp\Oxford

MD5 3d7c41e63345ab502ff6d0024125c72c
SHA1 482d14af919dd112882720b31dede0d2bb9d6fc9
SHA256 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c
SHA512 f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125

C:\Users\Admin\AppData\Local\Temp\Assess

MD5 56c7199ed2cebda70cb95b6250ff2026
SHA1 b677160ff55e8516d8e82f98b4fef2a6f9427521
SHA256 f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af
SHA512 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982

C:\Users\Admin\AppData\Local\Temp\Law

MD5 8b8d133bbbcda6868db32b7322bded98
SHA1 13cb7f0dc27fba999eafd358cc1ce8c741055ede
SHA256 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2
SHA512 f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935

C:\Users\Admin\AppData\Local\Temp\Facilities

MD5 e2fb39632419ec4af6b00159c7e9ea3d
SHA1 569f27f26870bf3b5c8dbabd61e5af08a66fb37e
SHA256 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6
SHA512 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9

C:\Users\Admin\AppData\Local\Temp\Dry

MD5 ac97bdfbbc2cd99efb112947efc095e3
SHA1 d1c13589219246e0fb41b1d0320d0ddd881ee32d
SHA256 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d
SHA512 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4

C:\Users\Admin\AppData\Local\Temp\Ethnic

MD5 bfafcd4f6f1a7cab7e6587ce30a9ac26
SHA1 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4
SHA256 f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7
SHA512 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47

C:\Users\Admin\AppData\Local\Temp\Ton

MD5 08d5879bcf6e0fc11a3975c848c84ec6
SHA1 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12
SHA256 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468
SHA512 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb

C:\Users\Admin\AppData\Local\Temp\Leone

MD5 4ef39b19f1f3377c48213ee58430aba3
SHA1 c0f8f8ca22791a892006e305318bbdad72ec5516
SHA256 d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966
SHA512 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61

C:\Users\Admin\AppData\Local\Temp\Threads

MD5 467cee0e396bf3375b0d41c42bf83463
SHA1 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de
SHA256 d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975
SHA512 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\301998\B

MD5 d4850f35ef5d00d52ac27c403b4483b8
SHA1 be17e7dbcae50cade2ce2e662ceea543608ae888
SHA256 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493
SHA512 e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec

memory/4312-82-0x0000000000A00000-0x0000000000BE0000-memory.dmp

memory/4312-83-0x0000000000A00000-0x0000000000BE0000-memory.dmp

memory/4312-85-0x0000000000A00000-0x0000000000BE0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:05

Platform

win7-20240704-en

Max time kernel

117s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-30 08:01

Reported

2024-08-30 08:04

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\wcp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3144 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3144 wrote to memory of 3152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\wcp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\wcp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3152 -ip 3152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A