Analysis Overview
SHA256
22c87c01fb31d7ae241eeaa7d560e3c063ba68bfdd519533927929a66f618c9c
Threat Level: Known bad
The file archi743.7z was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Stealc
Lumma Stealer, LummaC
RedLine payload
Vidar
RedLine
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Creates new service(s)
Downloads MZ/PE file
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Checks BIOS information in registry
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Executes dropped EXE
Identifies Wine through registry keys
Adds Run key to start application
Power Settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-30 08:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3108 wrote to memory of 4516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 4516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 4516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win7-20240705-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 2336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1576 wrote to memory of 2336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1576 wrote to memory of 2336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\libglib-2.0-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win7-20240704-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\meshsystem.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
133s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\meshsystem.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3228 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3228 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3228 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\updateagent.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\updateagent.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win7-20240708-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\TherebyJoke | C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe | N/A |
| File opened for modification | C:\Windows\BlahAdobe | C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe | N/A |
| File opened for modification | C:\Windows\AspResistance | C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe | N/A |
| File opened for modification | C:\Windows\OvenJa | C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe | N/A |
| File opened for modification | C:\Windows\MrnaMatches | C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe | N/A |
| File opened for modification | C:\Windows\VotingApps | C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe | N/A |
| File opened for modification | C:\Windows\ResourcesBrake | C:\Users\Admin\AppData\Local\Temp\FileApp.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FileApp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminFCAFIJJJKE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminHIEHDAFHDH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FileApp.exe
"C:\Users\Admin\AppData\Local\Temp\FileApp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 301998
C:\Windows\SysWOW64\findstr.exe
findstr /V "HazardousJimmyLiableHowever" Italic
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B
C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
Quantities.pif B
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe
C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe
C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe
C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe
C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe
C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe
C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe
C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe
C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe
C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe
C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe
C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe
C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe
C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe
C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LIM4C.tmp\K3JZx_5WpyCHu49wnI36yLHl.tmp" /SL5="$80196,3906928,54272,C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Heritage Heritage.bat & Heritage.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
"C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe"
C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe
"C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 651690
C:\Windows\SysWOW64\findstr.exe
findstr /V "HampshireRangesScholarsPodcasts" Exhibit
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Llp + ..\Powerful + ..\Dude + ..\Slightly + ..\Sources + ..\Vagina p
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
Sister.pif p
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIEHDAFHDH.exe"
C:\Users\AdminHIEHDAFHDH.exe
"C:\Users\AdminHIEHDAFHDH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCAFIJJJKE.exe"
C:\Users\AdminFCAFIJJJKE.exe
"C:\Users\AdminFCAFIJJJKE.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe
"C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe" -i
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC | udp |
| US | 185.143.223.148:80 | 185.143.223.148 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | file-link-iota.vercel.app | udp |
| US | 8.8.8.8:53 | 240812161425945.tyr.zont16.com | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| US | 76.76.21.22:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:443 | file-link-iota.vercel.app | tcp |
| CH | 179.43.188.227:80 | 240812161425945.tyr.zont16.com | tcp |
| US | 76.76.21.22:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.22:443 | file-link-iota.vercel.app | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| DE | 77.105.164.24:50505 | tcp | |
| US | 8.8.8.8:53 | kKUNXsFvNT.kKUNXsFvNT | udp |
| CZ | 46.8.231.109:80 | 46.8.231.109 | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| US | 8.8.8.8:53 | awwardwiqi.shop | udp |
| US | 104.21.21.143:443 | awwardwiqi.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 104.21.58.213:443 | locatedblsoqp.shop | tcp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 188.114.96.0:443 | traineiwnqo.shop | tcp |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
| DE | 147.45.47.251:2149 | tcp | |
| DE | 147.45.47.251:2149 | tcp | |
| DE | 147.45.47.251:2149 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Least
| MD5 | 27ae911f596e4ff92e29f972adf0e0b9 |
| SHA1 | d01b96e291a76541cde9eff35c978e18f40c41c5 |
| SHA256 | c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e |
| SHA512 | 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6 |
C:\Users\Admin\AppData\Local\Temp\Italic
| MD5 | 28223818ad5996d2af9084c5d6417555 |
| SHA1 | 0d60f098499444a4ad9d6ed5bfccf493f98233a1 |
| SHA256 | e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562 |
| SHA512 | 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd |
C:\Users\Admin\AppData\Local\Temp\If
| MD5 | f46f96d88296c0f254a435da379fda59 |
| SHA1 | a62c442c43a152958e98f921f9cf84b238e0db39 |
| SHA256 | 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef |
| SHA512 | 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7 |
C:\Users\Admin\AppData\Local\Temp\Draw
| MD5 | 45b8bf23975a16a5f1d543a1d6113712 |
| SHA1 | 23005543f09c26211d1a5025b25ecb064e11cda2 |
| SHA256 | 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a |
| SHA512 | 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4 |
C:\Users\Admin\AppData\Local\Temp\Cherry
| MD5 | 461c27a459b970f2b6e8a0c4d804d08b |
| SHA1 | 2667edbf37e403e0b8ef91853f939b439c71ca47 |
| SHA256 | 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252 |
| SHA512 | 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770 |
C:\Users\Admin\AppData\Local\Temp\X
| MD5 | 42f1f4f3dcc546c4d2ffd6fc34ae0d59 |
| SHA1 | 72089da6297e2559aee066beeef041d77c995605 |
| SHA256 | 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43 |
| SHA512 | 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3 |
C:\Users\Admin\AppData\Local\Temp\Polyphonic
| MD5 | 487876f6d1b96fd922a958c48d48a830 |
| SHA1 | b3bab66966fdf53f51a10304145b84dce7f29429 |
| SHA256 | 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e |
| SHA512 | 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4 |
C:\Users\Admin\AppData\Local\Temp\Hills
| MD5 | 0515a4a5459d9d6bc894757b4dfa7caa |
| SHA1 | e942627a02f5e0ded90a200ee1e241633b492418 |
| SHA256 | e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b |
| SHA512 | f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539 |
C:\Users\Admin\AppData\Local\Temp\Gnu
| MD5 | 2caf2ad60def740a225604bbff7be58d |
| SHA1 | b7883efafdcd1d172c50676d0cdcae4cdd0a81d0 |
| SHA256 | d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb |
| SHA512 | 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f |
C:\Users\Admin\AppData\Local\Temp\Key
| MD5 | 5b550dc8c634b092a3b92c134e0814a2 |
| SHA1 | 7d7378be716a5cbd1c48ed7ae4accefd46e78260 |
| SHA256 | b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34 |
| SHA512 | 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5 |
C:\Users\Admin\AppData\Local\Temp\Detect
| MD5 | 288a651ff72fe49bd01f767d0953f592 |
| SHA1 | 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b |
| SHA256 | 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f |
| SHA512 | 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8 |
C:\Users\Admin\AppData\Local\Temp\Ur
| MD5 | c09313c5cb9b0bbb55925207a89663ce |
| SHA1 | 3523b3a68c85f908c6ffa3f45315168d88ac7b92 |
| SHA256 | 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229 |
| SHA512 | 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416 |
C:\Users\Admin\AppData\Local\Temp\Planet
| MD5 | b5b4f986168680189f25497ec3c96cac |
| SHA1 | aab716d4d4cc1ff40a4497bfa68388c0a087a2d2 |
| SHA256 | 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a |
| SHA512 | 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8 |
C:\Users\Admin\AppData\Local\Temp\Bed
| MD5 | 27f0060738094e127687300ae907902c |
| SHA1 | 997fa44fcb9f34238009d9f0707bbf001b23c5c1 |
| SHA256 | 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de |
| SHA512 | 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa |
C:\Users\Admin\AppData\Local\Temp\Davidson
| MD5 | 6a3b014f3d3b9431c07cd04fdcb24fc7 |
| SHA1 | 37e6e1204cf556c95129dad3cc95f0ed44c44f8c |
| SHA256 | 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52 |
| SHA512 | fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941 |
C:\Users\Admin\AppData\Local\Temp\Ring
| MD5 | bad9266e83c5a8cbb891480043544b3f |
| SHA1 | 11be22646fc01779949e01c1e35bf6894b043967 |
| SHA256 | 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2 |
| SHA512 | 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b |
C:\Users\Admin\AppData\Local\Temp\Makers
| MD5 | 77a924a4b154bba5d0581e424e700425 |
| SHA1 | 38131e21bb10bf257252d2d0dc7a7d66456de193 |
| SHA256 | 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021 |
| SHA512 | 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d |
C:\Users\Admin\AppData\Local\Temp\Pest
| MD5 | 575d7d44665232ecd37b6d552b8594bb |
| SHA1 | 8791cf94559ae076c5ae7461d88cd32220fd5170 |
| SHA256 | da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7 |
| SHA512 | a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66 |
C:\Users\Admin\AppData\Local\Temp\Divx
| MD5 | 109ea3b3fcc30a657196811b0b8bb8e5 |
| SHA1 | 81d9b6d46cf56625047f4ea98901e590042a639c |
| SHA256 | 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe |
| SHA512 | 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44 |
C:\Users\Admin\AppData\Local\Temp\Wheel
| MD5 | 9b2a8a04d727774a059123853431da52 |
| SHA1 | 044243e59523da7f69883cacbe70b7d7e46680af |
| SHA256 | 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34 |
| SHA512 | 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41 |
C:\Users\Admin\AppData\Local\Temp\Compliant
| MD5 | ce199702c46497d8573fff4d78e606a2 |
| SHA1 | 4149d73fe6c348f3dd216accb03b421bf89746f9 |
| SHA256 | 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141 |
| SHA512 | cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8 |
C:\Users\Admin\AppData\Local\Temp\Enclosure
| MD5 | bbac00d76756f7e775caa2e7673bee76 |
| SHA1 | 0a90c5032342eaaf8f71561ef08e481a48ac97d8 |
| SHA256 | bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e |
| SHA512 | 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341 |
C:\Users\Admin\AppData\Local\Temp\Character
| MD5 | 0a1ef968221e799d9e7d3c5b12d9b9b1 |
| SHA1 | bd9dcc813c6d765351db4b4ba701d71825a2f5ef |
| SHA256 | ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d |
| SHA512 | a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24 |
C:\Users\Admin\AppData\Local\Temp\Multiple
| MD5 | 0a08672b60c9b7bd5aed7985bfb194a6 |
| SHA1 | c3d2799f59e12976262fbdd782e9d6083bc004b2 |
| SHA256 | 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7 |
| SHA512 | cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa |
C:\Users\Admin\AppData\Local\Temp\Square
| MD5 | 6429d982b44da0c5e510074891c84d05 |
| SHA1 | e7e7d5376c981b57804db2046ab1e589b5b1e20d |
| SHA256 | 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01 |
| SHA512 | 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267 |
C:\Users\Admin\AppData\Local\Temp\Personnel
| MD5 | 59b719c0307872b1da8a8eb6498d04fe |
| SHA1 | cd66a30e1ab756972af8db9da3a79ffd24cb73f0 |
| SHA256 | 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6 |
| SHA512 | b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd |
C:\Users\Admin\AppData\Local\Temp\Diane
| MD5 | 37a4a09d5a64e8ace90d57aee1c9a5ad |
| SHA1 | 56dd4fa0e929c9186cfa005ada20c395c017d92f |
| SHA256 | 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44 |
| SHA512 | d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65 |
C:\Users\Admin\AppData\Local\Temp\Yield
| MD5 | 9a8c4882c63e83dea3414ce89bffd3e0 |
| SHA1 | 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81 |
| SHA256 | 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6 |
| SHA512 | 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e |
C:\Users\Admin\AppData\Local\Temp\Oxford
| MD5 | 3d7c41e63345ab502ff6d0024125c72c |
| SHA1 | 482d14af919dd112882720b31dede0d2bb9d6fc9 |
| SHA256 | 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c |
| SHA512 | f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125 |
C:\Users\Admin\AppData\Local\Temp\Assess
| MD5 | 56c7199ed2cebda70cb95b6250ff2026 |
| SHA1 | b677160ff55e8516d8e82f98b4fef2a6f9427521 |
| SHA256 | f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af |
| SHA512 | 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982 |
C:\Users\Admin\AppData\Local\Temp\Law
| MD5 | 8b8d133bbbcda6868db32b7322bded98 |
| SHA1 | 13cb7f0dc27fba999eafd358cc1ce8c741055ede |
| SHA256 | 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2 |
| SHA512 | f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935 |
C:\Users\Admin\AppData\Local\Temp\Facilities
| MD5 | e2fb39632419ec4af6b00159c7e9ea3d |
| SHA1 | 569f27f26870bf3b5c8dbabd61e5af08a66fb37e |
| SHA256 | 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6 |
| SHA512 | 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9 |
C:\Users\Admin\AppData\Local\Temp\Dry
| MD5 | ac97bdfbbc2cd99efb112947efc095e3 |
| SHA1 | d1c13589219246e0fb41b1d0320d0ddd881ee32d |
| SHA256 | 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d |
| SHA512 | 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4 |
C:\Users\Admin\AppData\Local\Temp\Ethnic
| MD5 | bfafcd4f6f1a7cab7e6587ce30a9ac26 |
| SHA1 | 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4 |
| SHA256 | f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7 |
| SHA512 | 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47 |
C:\Users\Admin\AppData\Local\Temp\Ton
| MD5 | 08d5879bcf6e0fc11a3975c848c84ec6 |
| SHA1 | 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12 |
| SHA256 | 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468 |
| SHA512 | 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb |
C:\Users\Admin\AppData\Local\Temp\Leone
| MD5 | 4ef39b19f1f3377c48213ee58430aba3 |
| SHA1 | c0f8f8ca22791a892006e305318bbdad72ec5516 |
| SHA256 | d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966 |
| SHA512 | 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61 |
C:\Users\Admin\AppData\Local\Temp\Threads
| MD5 | 467cee0e396bf3375b0d41c42bf83463 |
| SHA1 | 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de |
| SHA256 | d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975 |
| SHA512 | 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a |
\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\301998\B
| MD5 | d4850f35ef5d00d52ac27c403b4483b8 |
| SHA1 | be17e7dbcae50cade2ce2e662ceea543608ae888 |
| SHA256 | 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493 |
| SHA512 | e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec |
memory/2624-85-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-86-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-88-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-96-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-98-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-97-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-95-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-94-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-93-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-92-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-91-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-90-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-89-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-99-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-103-0x0000000000510000-0x00000000006F0000-memory.dmp
C:\Users\Admin\Documents\iofolko5\Ev_4OUPfiuS_MOTWLjctVIgZ.exe
| MD5 | 1e6220855c36eaef077681c9d4b088b2 |
| SHA1 | ef36b62281ef170d57606e80716430024ec3ca1a |
| SHA256 | a3af35d1791abbf213f939d5c1923a628c32a05e7ebe8a70337272a1872126ce |
| SHA512 | 234bd1e3680f507d8fd46c1137084a06460110eb468aebe427d7b80ed30c9a14152a1b8369851b919a1974d2ac31b34d86f6b33eaa2a22f4df7b0c7472712eb1 |
C:\Users\Admin\Documents\iofolko5\S_CThQAZfMW0S0SlhYqnMZvF.exe
| MD5 | abb713cf90e8345c0b6b79345cbdc9d6 |
| SHA1 | 67e705d4070b58994f0b718005d5f07fef824192 |
| SHA256 | bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295 |
| SHA512 | 809b8c6aae46674c4c5fe24a98ae1fa065ab24d44c42e56b85946d7cc039f4139eb34e62daaf2ea1058180884a72c411d639c79eacc491e7fdb555a11b4dd524 |
C:\Users\Admin\Documents\iofolko5\ho_9JcJwKvFzsoIYqn1rN42e.exe
| MD5 | 7fee72ea1dd13c340355baa7fe9c574a |
| SHA1 | 27896f73eddc109bbc669b4b1054a60e0c87bbfc |
| SHA256 | a5f93ede5291955fc129fa0dae4dc954fd3ca29d2d975de969dc563c0d10085e |
| SHA512 | 7b585fcc523e8c64847d1c70f744d4053d03a75c37f76e1264a6165af8a6e2e9cc73d2677de24e81c2c4ec665798e05dff5bc20c3956b7a2901798d090a0d381 |
C:\Users\Admin\Documents\iofolko5\oqzrsXXlpiWrgtl9r49uGaou.exe
| MD5 | 70567fae269796bf407322d0a4435054 |
| SHA1 | e11eddf4f0ce6d5288d8187005d34eee6efba046 |
| SHA256 | 5923793c30acf9026a872fcb8ce04a671fa194bb4f73eef165d687ae97683047 |
| SHA512 | 8c52339e85b8827fa25c1fb64fa47ca6de25f40d6f66b5d426a276e93d10751537f03c41e144ca22a6c34d10a896ebd7a8070846984f783e293bf4b8b2a58617 |
C:\Users\Admin\Documents\iofolko5\K3JZx_5WpyCHu49wnI36yLHl.exe
| MD5 | 41f0081493230e3b9c5661f1cdd31277 |
| SHA1 | d964dc5a4d051cd330268858bfb00dcaedfa0e36 |
| SHA256 | 24dc2a3346b2434869f2f7a885e4681aadd75d53443bc1bbf3529ed5f6394e06 |
| SHA512 | 7d9b155f1a9f166ed7e1b92b6b2ecd581db3aff8f67c3334620f42c2633fe5e31bbd8bee9524182f443fcddbd3365aea8f98789389fea8cea96885e3eacfe872 |
C:\Users\Admin\Documents\iofolko5\qG1copygK7SPOHGlPij_Zxcu.exe
| MD5 | d4ac1a0d0504ab9a127defa511df833e |
| SHA1 | 9254864b6917eba6d4d4616ac2564f192626668b |
| SHA256 | a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848 |
| SHA512 | 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5 |
C:\Users\Admin\Documents\iofolko5\odPTLgjIrw_Gx4xBI8atLIp3.exe
| MD5 | bd2891236510c953d469e346d092f0c7 |
| SHA1 | 6409a3259b18ecf91d2ff6a43ff319c2f8158be2 |
| SHA256 | 1cf403233a05fd6140f33df350f8edccf51eea02746c6ba4ab3e31b32b8bab44 |
| SHA512 | 409abb8ce3382297bb669e7b7edfa44b0c2166831a6212223237245cba0595cf35592ec9755c839a69372bd0a4e96c74b98e7bca375a82b3e0707658d4b5802d |
C:\Users\Admin\Documents\iofolko5\ZAVhExYAXKkUE7W2P_JwfAxu.exe
| MD5 | 025ebe0a476fe1a27749e6da0eea724f |
| SHA1 | fe844380280463b927b9368f9eace55eb97baab7 |
| SHA256 | 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2 |
| SHA512 | 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799 |
memory/2624-172-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-181-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-186-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-178-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-204-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-200-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2624-191-0x0000000005B20000-0x0000000006187000-memory.dmp
memory/2624-196-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2080-213-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2036-224-0x0000000000F10000-0x0000000001577000-memory.dmp
memory/2624-220-0x0000000005B20000-0x0000000006187000-memory.dmp
memory/804-236-0x0000000000C30000-0x0000000000C68000-memory.dmp
memory/904-233-0x0000000001020000-0x0000000001054000-memory.dmp
memory/1492-229-0x0000000000A30000-0x000000000107C000-memory.dmp
memory/1784-228-0x0000000001310000-0x0000000001602000-memory.dmp
memory/2624-210-0x0000000000510000-0x00000000006F0000-memory.dmp
memory/2688-265-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2688-283-0x0000000000400000-0x0000000000641000-memory.dmp
memory/904-264-0x0000000002460000-0x0000000004460000-memory.dmp
memory/2768-281-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2768-279-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2768-277-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2768-276-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2768-274-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2768-272-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2768-270-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2768-268-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2768-266-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1784-286-0x00000000051B0000-0x0000000005350000-memory.dmp
memory/1784-288-0x0000000005720000-0x00000000058BE000-memory.dmp
memory/1492-287-0x0000000004D50000-0x0000000004F42000-memory.dmp
memory/2036-290-0x0000000000F10000-0x0000000001577000-memory.dmp
memory/1784-292-0x0000000000580000-0x00000000005A2000-memory.dmp
memory/1800-297-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1800-295-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2208-321-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1800-293-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1492-291-0x0000000000980000-0x00000000009A2000-memory.dmp
memory/2688-263-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2688-262-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2688-260-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2688-258-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2688-256-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2688-254-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2688-252-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2688-250-0x0000000000400000-0x0000000000641000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFDF0.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2412-416-0x0000000000D30000-0x0000000000D64000-memory.dmp
memory/2668-442-0x0000000000B30000-0x0000000000B84000-memory.dmp
C:\ProgramData\DHCGIDHDAKJE\JJKJDA
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
memory/1540-534-0x00000000001D0000-0x0000000000222000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp587D.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\ZMedia Recode\zmediarecode.exe
| MD5 | 8741a9378c770659d5f68b769863cce4 |
| SHA1 | 6c00377647ada9b3e4ee86dae86138f3d32a718e |
| SHA256 | 208a4118871768f61cd590d4e15e61c5f7b9cc40281efa769625f90d026bec5e |
| SHA512 | 1cb838ce0502fc7e42f8881c97f4574739630345d169576ed09afdcfdececb4b68a6ffd8d62c454792d74356e76689a2fdf91303d5f2de56832dc766d3995c60 |
memory/1684-587-0x0000000004C60000-0x0000000004F96000-memory.dmp
memory/2440-588-0x0000000000400000-0x0000000000736000-memory.dmp
memory/1684-592-0x0000000004C60000-0x0000000004F96000-memory.dmp
memory/2440-595-0x0000000000400000-0x0000000000736000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
133s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4208 wrote to memory of 2732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4208 wrote to memory of 2732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4208 wrote to memory of 2732 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mi\tmp\cmiaisupport.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\mi\tmp\cmiaisupport.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=1388 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win7-20240729-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 220
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2256 wrote to memory of 4252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2256 wrote to memory of 4252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2256 wrote to memory of 4252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\mscordacwks.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4252 -ip 4252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4940 wrote to memory of 740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4940 wrote to memory of 740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4940 wrote to memory of 740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\CbsCore.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\CbsCore.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
157s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FileApp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2864 set thread context of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ResourcesBrake | C:\Users\Admin\AppData\Local\Temp\FileApp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FileApp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FileApp.exe
"C:\Users\Admin\AppData\Local\Temp\FileApp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 301998
C:\Windows\SysWOW64\findstr.exe
findstr /V "HazardousJimmyLiableHowever" Italic
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B
C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
Quantities.pif B
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 185.143.223.148:80 | 185.143.223.148 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | 148.223.143.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 213.62.237.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Least
| MD5 | 27ae911f596e4ff92e29f972adf0e0b9 |
| SHA1 | d01b96e291a76541cde9eff35c978e18f40c41c5 |
| SHA256 | c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e |
| SHA512 | 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6 |
C:\Users\Admin\AppData\Local\Temp\Italic
| MD5 | 28223818ad5996d2af9084c5d6417555 |
| SHA1 | 0d60f098499444a4ad9d6ed5bfccf493f98233a1 |
| SHA256 | e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562 |
| SHA512 | 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd |
C:\Users\Admin\AppData\Local\Temp\If
| MD5 | f46f96d88296c0f254a435da379fda59 |
| SHA1 | a62c442c43a152958e98f921f9cf84b238e0db39 |
| SHA256 | 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef |
| SHA512 | 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7 |
C:\Users\Admin\AppData\Local\Temp\Draw
| MD5 | 45b8bf23975a16a5f1d543a1d6113712 |
| SHA1 | 23005543f09c26211d1a5025b25ecb064e11cda2 |
| SHA256 | 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a |
| SHA512 | 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4 |
C:\Users\Admin\AppData\Local\Temp\Cherry
| MD5 | 461c27a459b970f2b6e8a0c4d804d08b |
| SHA1 | 2667edbf37e403e0b8ef91853f939b439c71ca47 |
| SHA256 | 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252 |
| SHA512 | 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770 |
C:\Users\Admin\AppData\Local\Temp\X
| MD5 | 42f1f4f3dcc546c4d2ffd6fc34ae0d59 |
| SHA1 | 72089da6297e2559aee066beeef041d77c995605 |
| SHA256 | 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43 |
| SHA512 | 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3 |
C:\Users\Admin\AppData\Local\Temp\Polyphonic
| MD5 | 487876f6d1b96fd922a958c48d48a830 |
| SHA1 | b3bab66966fdf53f51a10304145b84dce7f29429 |
| SHA256 | 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e |
| SHA512 | 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4 |
C:\Users\Admin\AppData\Local\Temp\Hills
| MD5 | 0515a4a5459d9d6bc894757b4dfa7caa |
| SHA1 | e942627a02f5e0ded90a200ee1e241633b492418 |
| SHA256 | e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b |
| SHA512 | f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539 |
C:\Users\Admin\AppData\Local\Temp\Gnu
| MD5 | 2caf2ad60def740a225604bbff7be58d |
| SHA1 | b7883efafdcd1d172c50676d0cdcae4cdd0a81d0 |
| SHA256 | d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb |
| SHA512 | 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f |
C:\Users\Admin\AppData\Local\Temp\Key
| MD5 | 5b550dc8c634b092a3b92c134e0814a2 |
| SHA1 | 7d7378be716a5cbd1c48ed7ae4accefd46e78260 |
| SHA256 | b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34 |
| SHA512 | 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5 |
C:\Users\Admin\AppData\Local\Temp\Detect
| MD5 | 288a651ff72fe49bd01f767d0953f592 |
| SHA1 | 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b |
| SHA256 | 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f |
| SHA512 | 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8 |
C:\Users\Admin\AppData\Local\Temp\Ur
| MD5 | c09313c5cb9b0bbb55925207a89663ce |
| SHA1 | 3523b3a68c85f908c6ffa3f45315168d88ac7b92 |
| SHA256 | 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229 |
| SHA512 | 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416 |
C:\Users\Admin\AppData\Local\Temp\Planet
| MD5 | b5b4f986168680189f25497ec3c96cac |
| SHA1 | aab716d4d4cc1ff40a4497bfa68388c0a087a2d2 |
| SHA256 | 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a |
| SHA512 | 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8 |
C:\Users\Admin\AppData\Local\Temp\Bed
| MD5 | 27f0060738094e127687300ae907902c |
| SHA1 | 997fa44fcb9f34238009d9f0707bbf001b23c5c1 |
| SHA256 | 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de |
| SHA512 | 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa |
C:\Users\Admin\AppData\Local\Temp\Davidson
| MD5 | 6a3b014f3d3b9431c07cd04fdcb24fc7 |
| SHA1 | 37e6e1204cf556c95129dad3cc95f0ed44c44f8c |
| SHA256 | 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52 |
| SHA512 | fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941 |
C:\Users\Admin\AppData\Local\Temp\Ring
| MD5 | bad9266e83c5a8cbb891480043544b3f |
| SHA1 | 11be22646fc01779949e01c1e35bf6894b043967 |
| SHA256 | 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2 |
| SHA512 | 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b |
C:\Users\Admin\AppData\Local\Temp\Makers
| MD5 | 77a924a4b154bba5d0581e424e700425 |
| SHA1 | 38131e21bb10bf257252d2d0dc7a7d66456de193 |
| SHA256 | 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021 |
| SHA512 | 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d |
C:\Users\Admin\AppData\Local\Temp\Pest
| MD5 | 575d7d44665232ecd37b6d552b8594bb |
| SHA1 | 8791cf94559ae076c5ae7461d88cd32220fd5170 |
| SHA256 | da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7 |
| SHA512 | a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66 |
C:\Users\Admin\AppData\Local\Temp\Divx
| MD5 | 109ea3b3fcc30a657196811b0b8bb8e5 |
| SHA1 | 81d9b6d46cf56625047f4ea98901e590042a639c |
| SHA256 | 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe |
| SHA512 | 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44 |
C:\Users\Admin\AppData\Local\Temp\Wheel
| MD5 | 9b2a8a04d727774a059123853431da52 |
| SHA1 | 044243e59523da7f69883cacbe70b7d7e46680af |
| SHA256 | 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34 |
| SHA512 | 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41 |
C:\Users\Admin\AppData\Local\Temp\Compliant
| MD5 | ce199702c46497d8573fff4d78e606a2 |
| SHA1 | 4149d73fe6c348f3dd216accb03b421bf89746f9 |
| SHA256 | 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141 |
| SHA512 | cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8 |
C:\Users\Admin\AppData\Local\Temp\Enclosure
| MD5 | bbac00d76756f7e775caa2e7673bee76 |
| SHA1 | 0a90c5032342eaaf8f71561ef08e481a48ac97d8 |
| SHA256 | bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e |
| SHA512 | 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341 |
C:\Users\Admin\AppData\Local\Temp\Character
| MD5 | 0a1ef968221e799d9e7d3c5b12d9b9b1 |
| SHA1 | bd9dcc813c6d765351db4b4ba701d71825a2f5ef |
| SHA256 | ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d |
| SHA512 | a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24 |
C:\Users\Admin\AppData\Local\Temp\Multiple
| MD5 | 0a08672b60c9b7bd5aed7985bfb194a6 |
| SHA1 | c3d2799f59e12976262fbdd782e9d6083bc004b2 |
| SHA256 | 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7 |
| SHA512 | cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa |
C:\Users\Admin\AppData\Local\Temp\Personnel
| MD5 | 59b719c0307872b1da8a8eb6498d04fe |
| SHA1 | cd66a30e1ab756972af8db9da3a79ffd24cb73f0 |
| SHA256 | 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6 |
| SHA512 | b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd |
C:\Users\Admin\AppData\Local\Temp\Square
| MD5 | 6429d982b44da0c5e510074891c84d05 |
| SHA1 | e7e7d5376c981b57804db2046ab1e589b5b1e20d |
| SHA256 | 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01 |
| SHA512 | 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267 |
C:\Users\Admin\AppData\Local\Temp\Diane
| MD5 | 37a4a09d5a64e8ace90d57aee1c9a5ad |
| SHA1 | 56dd4fa0e929c9186cfa005ada20c395c017d92f |
| SHA256 | 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44 |
| SHA512 | d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65 |
C:\Users\Admin\AppData\Local\Temp\Yield
| MD5 | 9a8c4882c63e83dea3414ce89bffd3e0 |
| SHA1 | 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81 |
| SHA256 | 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6 |
| SHA512 | 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e |
C:\Users\Admin\AppData\Local\Temp\Oxford
| MD5 | 3d7c41e63345ab502ff6d0024125c72c |
| SHA1 | 482d14af919dd112882720b31dede0d2bb9d6fc9 |
| SHA256 | 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c |
| SHA512 | f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125 |
C:\Users\Admin\AppData\Local\Temp\Assess
| MD5 | 56c7199ed2cebda70cb95b6250ff2026 |
| SHA1 | b677160ff55e8516d8e82f98b4fef2a6f9427521 |
| SHA256 | f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af |
| SHA512 | 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982 |
C:\Users\Admin\AppData\Local\Temp\Law
| MD5 | 8b8d133bbbcda6868db32b7322bded98 |
| SHA1 | 13cb7f0dc27fba999eafd358cc1ce8c741055ede |
| SHA256 | 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2 |
| SHA512 | f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935 |
C:\Users\Admin\AppData\Local\Temp\Facilities
| MD5 | e2fb39632419ec4af6b00159c7e9ea3d |
| SHA1 | 569f27f26870bf3b5c8dbabd61e5af08a66fb37e |
| SHA256 | 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6 |
| SHA512 | 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9 |
C:\Users\Admin\AppData\Local\Temp\Dry
| MD5 | ac97bdfbbc2cd99efb112947efc095e3 |
| SHA1 | d1c13589219246e0fb41b1d0320d0ddd881ee32d |
| SHA256 | 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d |
| SHA512 | 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4 |
C:\Users\Admin\AppData\Local\Temp\Ethnic
| MD5 | bfafcd4f6f1a7cab7e6587ce30a9ac26 |
| SHA1 | 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4 |
| SHA256 | f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7 |
| SHA512 | 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47 |
C:\Users\Admin\AppData\Local\Temp\Ton
| MD5 | 08d5879bcf6e0fc11a3975c848c84ec6 |
| SHA1 | 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12 |
| SHA256 | 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468 |
| SHA512 | 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb |
C:\Users\Admin\AppData\Local\Temp\Leone
| MD5 | 4ef39b19f1f3377c48213ee58430aba3 |
| SHA1 | c0f8f8ca22791a892006e305318bbdad72ec5516 |
| SHA256 | d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966 |
| SHA512 | 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61 |
C:\Users\Admin\AppData\Local\Temp\Threads
| MD5 | 467cee0e396bf3375b0d41c42bf83463 |
| SHA1 | 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de |
| SHA256 | d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975 |
| SHA512 | 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a |
C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\301998\B
| MD5 | d4850f35ef5d00d52ac27c403b4483b8 |
| SHA1 | be17e7dbcae50cade2ce2e662ceea543608ae888 |
| SHA256 | 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493 |
| SHA512 | e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec |
memory/4312-82-0x0000000000A00000-0x0000000000BE0000-memory.dmp
memory/4312-83-0x0000000000A00000-0x0000000000BE0000-memory.dmp
memory/4312-85-0x0000000000A00000-0x0000000000BE0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:05
Platform
win7-20240704-en
Max time kernel
117s
Max time network
130s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2596 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2596 wrote to memory of 2812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\tmp\PresentationCore.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-30 08:01
Reported
2024-08-30 08:04
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3144 wrote to memory of 3152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3144 wrote to memory of 3152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3144 wrote to memory of 3152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\wcp.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mi\wcp.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3152 -ip 3152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |