Malware Analysis Report

2024-10-19 08:59

Sample ID 240902-sc4k1ssgmj
Target File.zip
SHA256 ba3f54fe75f6e2ab228bf597b121fbdcd9435cad271ea6d8419f68740b0920b4
Tags
lumma redline stealc default leva logsdiller cloud (tg: @logsdillabot) credential_access discovery evasion execution infostealer persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba3f54fe75f6e2ab228bf597b121fbdcd9435cad271ea6d8419f68740b0920b4

Threat Level: Known bad

The file File.zip was found to be: Known bad.

Malicious Activity Summary

lumma redline stealc default leva logsdiller cloud (tg: @logsdillabot) credential_access discovery evasion execution infostealer persistence spyware stealer

RedLine

Stealc

Lumma Stealer, LummaC

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Stops running service(s)

Creates new service(s)

Downloads MZ/PE file

Identifies Wine through registry keys

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Power Settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies system certificate store

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-02 15:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-02 14:59

Reported

2024-09-02 15:35

Platform

win7-20240705-en

Max time kernel

572s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J2SJ9.tmp\zcmMGoW5csPaIbsXOpRC460o.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J2SJ9.tmp\zcmMGoW5csPaIbsXOpRC460o.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J2SJ9.tmp\zcmMGoW5csPaIbsXOpRC460o.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J2SJ9.tmp\zcmMGoW5csPaIbsXOpRC460o.tmp N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ResourcesBrake C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\Qy03dVmEhkuHavYp2mWPCx7T.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\28vZFGj2kcIPzJnUVkzRJWfQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\99JqZnF0da9EvA3BzVvsLIuU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminEGDGIEGHJE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminFHJDBKJKFI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-J2SJ9.tmp\zcmMGoW5csPaIbsXOpRC460o.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2812 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2812 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2812 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2812 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2812 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2812 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2812 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2812 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2812 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2724 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2724 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2724 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2724 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2724 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2724 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2980 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe
PID 2980 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe
PID 2980 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe
PID 2980 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe
PID 2980 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe
PID 2980 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe
PID 2980 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe
PID 2980 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe
PID 2980 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\dFoniXl486rP1Xuxv869FJHp.exe
PID 2980 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\dFoniXl486rP1Xuxv869FJHp.exe
PID 2980 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\dFoniXl486rP1Xuxv869FJHp.exe
PID 2980 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\dFoniXl486rP1Xuxv869FJHp.exe
PID 2980 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe
PID 2980 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe
PID 2980 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe
PID 2980 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe
PID 2980 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe
PID 2980 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 301998

C:\Windows\SysWOW64\findstr.exe

findstr /V "HazardousJimmyLiableHowever" Italic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Quantities.pif B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe

C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe

C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe

C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe

C:\Users\Admin\Documents\iofolko5\dFoniXl486rP1Xuxv869FJHp.exe

C:\Users\Admin\Documents\iofolko5\dFoniXl486rP1Xuxv869FJHp.exe

C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe

C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe

C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe

C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe

C:\Users\Admin\Documents\iofolko5\28vZFGj2kcIPzJnUVkzRJWfQ.exe

C:\Users\Admin\Documents\iofolko5\28vZFGj2kcIPzJnUVkzRJWfQ.exe

C:\Users\Admin\Documents\iofolko5\99JqZnF0da9EvA3BzVvsLIuU.exe

C:\Users\Admin\Documents\iofolko5\99JqZnF0da9EvA3BzVvsLIuU.exe

C:\Users\Admin\Documents\iofolko5\Qy03dVmEhkuHavYp2mWPCx7T.exe

C:\Users\Admin\Documents\iofolko5\Qy03dVmEhkuHavYp2mWPCx7T.exe

C:\Users\Admin\Documents\iofolko5\heVKpNhdRmYgMPmmxDaI7ca3.exe

C:\Users\Admin\Documents\iofolko5\heVKpNhdRmYgMPmmxDaI7ca3.exe

C:\Users\Admin\Documents\iofolko5\s8fritnOncXPE7IsalCjwqnP.exe

C:\Users\Admin\Documents\iofolko5\s8fritnOncXPE7IsalCjwqnP.exe

C:\Users\Admin\AppData\Local\Temp\is-J2SJ9.tmp\zcmMGoW5csPaIbsXOpRC460o.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J2SJ9.tmp\zcmMGoW5csPaIbsXOpRC460o.tmp" /SL5="$90216,3863733,54272,C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe

"C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEGDGIEGHJE.exe"

C:\Users\AdminEGDGIEGHJE.exe

"C:\Users\AdminEGDGIEGHJE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFHJDBKJKFI.exe"

C:\Users\AdminFHJDBKJKFI.exe

"C:\Users\AdminFHJDBKJKFI.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\FBGHIIJDGH.exe

"C:\ProgramData\FBGHIIJDGH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\KJDGDGDHDG.exe

"C:\ProgramData\KJDGDGDHDG.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VIFLJRPW"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VIFLJRPW"

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CBFBKFIDHIDG" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC udp
NL 62.133.61.172:80 62.133.61.172 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 173.231.16.77:443 api64.ipify.org tcp
US 173.231.16.77:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
NL 62.133.61.172:80 62.133.61.172 tcp
US 8.8.8.8:53 240902180529931.tyr.zont16.com udp
US 8.8.8.8:53 file-link-iota.vercel.app udp
US 8.8.8.8:53 prodesarrolloapurimac.pe udp
RU 31.41.244.9:80 31.41.244.9 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
US 76.76.21.123:80 file-link-iota.vercel.app tcp
CH 147.45.44.104:80 147.45.44.104 tcp
RU 80.66.75.114:80 80.66.75.114 tcp
RU 176.111.174.109:80 176.111.174.109 tcp
RU 176.113.115.33:80 176.113.115.33 tcp
US 76.76.21.123:80 file-link-iota.vercel.app tcp
CH 179.43.188.227:80 240902180529931.tyr.zont16.com tcp
CA 51.222.104.23:80 prodesarrolloapurimac.pe tcp
US 76.76.21.123:80 file-link-iota.vercel.app tcp
US 76.76.21.123:80 file-link-iota.vercel.app tcp
US 76.76.21.123:443 file-link-iota.vercel.app tcp
US 76.76.21.123:443 file-link-iota.vercel.app tcp
US 76.76.21.123:443 file-link-iota.vercel.app tcp
US 76.76.21.123:443 file-link-iota.vercel.app tcp
CA 51.222.104.23:443 prodesarrolloapurimac.pe tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
CZ 46.8.231.109:80 46.8.231.109 tcp
DE 77.105.164.24:50505 tcp
DE 147.45.47.36:30035 tcp
FR 147.45.68.138:80 147.45.68.138 tcp
FI 95.216.107.53:12311 tcp
CH 147.45.44.104:80 147.45.44.104 tcp
US 8.8.8.8:53 stamppreewntnq.shop udp
US 172.67.208.211:443 stamppreewntnq.shop tcp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 188.114.97.0:443 locatedblsoqp.shop tcp
CH 147.45.44.104:80 147.45.44.104 tcp
US 172.67.208.211:443 stamppreewntnq.shop tcp
US 188.114.97.0:443 locatedblsoqp.shop tcp
US 8.8.8.8:53 stadiatechnologies.com udp
GB 95.164.119.162:80 stadiatechnologies.com tcp
FR 147.45.68.138:80 147.45.68.138 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:443 pool.hashvault.pro tcp
FR 147.45.68.138:80 147.45.68.138 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Least

MD5 27ae911f596e4ff92e29f972adf0e0b9
SHA1 d01b96e291a76541cde9eff35c978e18f40c41c5
SHA256 c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e
SHA512 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6

C:\Users\Admin\AppData\Local\Temp\Italic

MD5 28223818ad5996d2af9084c5d6417555
SHA1 0d60f098499444a4ad9d6ed5bfccf493f98233a1
SHA256 e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562
SHA512 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd

C:\Users\Admin\AppData\Local\Temp\If

MD5 f46f96d88296c0f254a435da379fda59
SHA1 a62c442c43a152958e98f921f9cf84b238e0db39
SHA256 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef
SHA512 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7

C:\Users\Admin\AppData\Local\Temp\Draw

MD5 45b8bf23975a16a5f1d543a1d6113712
SHA1 23005543f09c26211d1a5025b25ecb064e11cda2
SHA256 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a
SHA512 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4

C:\Users\Admin\AppData\Local\Temp\Cherry

MD5 461c27a459b970f2b6e8a0c4d804d08b
SHA1 2667edbf37e403e0b8ef91853f939b439c71ca47
SHA256 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252
SHA512 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770

C:\Users\Admin\AppData\Local\Temp\X

MD5 42f1f4f3dcc546c4d2ffd6fc34ae0d59
SHA1 72089da6297e2559aee066beeef041d77c995605
SHA256 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43
SHA512 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3

C:\Users\Admin\AppData\Local\Temp\Polyphonic

MD5 487876f6d1b96fd922a958c48d48a830
SHA1 b3bab66966fdf53f51a10304145b84dce7f29429
SHA256 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e
SHA512 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4

C:\Users\Admin\AppData\Local\Temp\Hills

MD5 0515a4a5459d9d6bc894757b4dfa7caa
SHA1 e942627a02f5e0ded90a200ee1e241633b492418
SHA256 e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b
SHA512 f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539

C:\Users\Admin\AppData\Local\Temp\Gnu

MD5 2caf2ad60def740a225604bbff7be58d
SHA1 b7883efafdcd1d172c50676d0cdcae4cdd0a81d0
SHA256 d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb
SHA512 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f

C:\Users\Admin\AppData\Local\Temp\Key

MD5 5b550dc8c634b092a3b92c134e0814a2
SHA1 7d7378be716a5cbd1c48ed7ae4accefd46e78260
SHA256 b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34
SHA512 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5

C:\Users\Admin\AppData\Local\Temp\Detect

MD5 288a651ff72fe49bd01f767d0953f592
SHA1 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b
SHA256 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f
SHA512 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8

C:\Users\Admin\AppData\Local\Temp\Ur

MD5 c09313c5cb9b0bbb55925207a89663ce
SHA1 3523b3a68c85f908c6ffa3f45315168d88ac7b92
SHA256 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229
SHA512 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416

C:\Users\Admin\AppData\Local\Temp\Planet

MD5 b5b4f986168680189f25497ec3c96cac
SHA1 aab716d4d4cc1ff40a4497bfa68388c0a087a2d2
SHA256 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a
SHA512 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8

C:\Users\Admin\AppData\Local\Temp\Bed

MD5 27f0060738094e127687300ae907902c
SHA1 997fa44fcb9f34238009d9f0707bbf001b23c5c1
SHA256 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de
SHA512 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa

C:\Users\Admin\AppData\Local\Temp\Davidson

MD5 6a3b014f3d3b9431c07cd04fdcb24fc7
SHA1 37e6e1204cf556c95129dad3cc95f0ed44c44f8c
SHA256 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52
SHA512 fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941

C:\Users\Admin\AppData\Local\Temp\Ring

MD5 bad9266e83c5a8cbb891480043544b3f
SHA1 11be22646fc01779949e01c1e35bf6894b043967
SHA256 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2
SHA512 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b

C:\Users\Admin\AppData\Local\Temp\Makers

MD5 77a924a4b154bba5d0581e424e700425
SHA1 38131e21bb10bf257252d2d0dc7a7d66456de193
SHA256 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021
SHA512 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d

C:\Users\Admin\AppData\Local\Temp\Pest

MD5 575d7d44665232ecd37b6d552b8594bb
SHA1 8791cf94559ae076c5ae7461d88cd32220fd5170
SHA256 da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7
SHA512 a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66

C:\Users\Admin\AppData\Local\Temp\Divx

MD5 109ea3b3fcc30a657196811b0b8bb8e5
SHA1 81d9b6d46cf56625047f4ea98901e590042a639c
SHA256 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe
SHA512 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44

C:\Users\Admin\AppData\Local\Temp\Wheel

MD5 9b2a8a04d727774a059123853431da52
SHA1 044243e59523da7f69883cacbe70b7d7e46680af
SHA256 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34
SHA512 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41

C:\Users\Admin\AppData\Local\Temp\Compliant

MD5 ce199702c46497d8573fff4d78e606a2
SHA1 4149d73fe6c348f3dd216accb03b421bf89746f9
SHA256 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141
SHA512 cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8

C:\Users\Admin\AppData\Local\Temp\Enclosure

MD5 bbac00d76756f7e775caa2e7673bee76
SHA1 0a90c5032342eaaf8f71561ef08e481a48ac97d8
SHA256 bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e
SHA512 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341

C:\Users\Admin\AppData\Local\Temp\Character

MD5 0a1ef968221e799d9e7d3c5b12d9b9b1
SHA1 bd9dcc813c6d765351db4b4ba701d71825a2f5ef
SHA256 ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d
SHA512 a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24

C:\Users\Admin\AppData\Local\Temp\Multiple

MD5 0a08672b60c9b7bd5aed7985bfb194a6
SHA1 c3d2799f59e12976262fbdd782e9d6083bc004b2
SHA256 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7
SHA512 cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa

C:\Users\Admin\AppData\Local\Temp\Personnel

MD5 59b719c0307872b1da8a8eb6498d04fe
SHA1 cd66a30e1ab756972af8db9da3a79ffd24cb73f0
SHA256 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6
SHA512 b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd

C:\Users\Admin\AppData\Local\Temp\Square

MD5 6429d982b44da0c5e510074891c84d05
SHA1 e7e7d5376c981b57804db2046ab1e589b5b1e20d
SHA256 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01
SHA512 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267

C:\Users\Admin\AppData\Local\Temp\Diane

MD5 37a4a09d5a64e8ace90d57aee1c9a5ad
SHA1 56dd4fa0e929c9186cfa005ada20c395c017d92f
SHA256 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44
SHA512 d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65

C:\Users\Admin\AppData\Local\Temp\Yield

MD5 9a8c4882c63e83dea3414ce89bffd3e0
SHA1 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81
SHA256 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6
SHA512 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e

C:\Users\Admin\AppData\Local\Temp\Assess

MD5 56c7199ed2cebda70cb95b6250ff2026
SHA1 b677160ff55e8516d8e82f98b4fef2a6f9427521
SHA256 f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af
SHA512 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982

C:\Users\Admin\AppData\Local\Temp\Oxford

MD5 3d7c41e63345ab502ff6d0024125c72c
SHA1 482d14af919dd112882720b31dede0d2bb9d6fc9
SHA256 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c
SHA512 f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125

C:\Users\Admin\AppData\Local\Temp\Threads

MD5 467cee0e396bf3375b0d41c42bf83463
SHA1 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de
SHA256 d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975
SHA512 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a

C:\Users\Admin\AppData\Local\Temp\Leone

MD5 4ef39b19f1f3377c48213ee58430aba3
SHA1 c0f8f8ca22791a892006e305318bbdad72ec5516
SHA256 d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966
SHA512 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61

C:\Users\Admin\AppData\Local\Temp\Ton

MD5 08d5879bcf6e0fc11a3975c848c84ec6
SHA1 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12
SHA256 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468
SHA512 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb

C:\Users\Admin\AppData\Local\Temp\Ethnic

MD5 bfafcd4f6f1a7cab7e6587ce30a9ac26
SHA1 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4
SHA256 f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7
SHA512 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47

C:\Users\Admin\AppData\Local\Temp\Dry

MD5 ac97bdfbbc2cd99efb112947efc095e3
SHA1 d1c13589219246e0fb41b1d0320d0ddd881ee32d
SHA256 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d
SHA512 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4

C:\Users\Admin\AppData\Local\Temp\Facilities

MD5 e2fb39632419ec4af6b00159c7e9ea3d
SHA1 569f27f26870bf3b5c8dbabd61e5af08a66fb37e
SHA256 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6
SHA512 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9

C:\Users\Admin\AppData\Local\Temp\Law

MD5 8b8d133bbbcda6868db32b7322bded98
SHA1 13cb7f0dc27fba999eafd358cc1ce8c741055ede
SHA256 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2
SHA512 f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935

\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\301998\B

MD5 d4850f35ef5d00d52ac27c403b4483b8
SHA1 be17e7dbcae50cade2ce2e662ceea543608ae888
SHA256 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493
SHA512 e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec

memory/2980-85-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-86-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-88-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-100-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-101-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-99-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-98-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-97-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-95-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-94-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-93-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-92-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-91-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-90-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-89-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-96-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-105-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-106-0x0000000000630000-0x0000000000810000-memory.dmp

C:\Users\Admin\Documents\iofolko5\dFoniXl486rP1Xuxv869FJHp.exe

MD5 1f30521b2e25d97f2a8a92531997debc
SHA1 1bf5eb58c18be3083d426dfadbaab48f84876229
SHA256 ed839ef9e63eda1248758bd9260d760f9e1ea0ab4643994dde37bd304dfcf508
SHA512 3542b4c32e4578303cfdc605021038b36d583fd3cad281b3ecdccb38347659ee1df7fd3a161fb360b3540bd6d72cc5259e6adbf4e047fca7585c4d3d1454745c

C:\Users\Admin\Documents\iofolko5\99JqZnF0da9EvA3BzVvsLIuU.exe

MD5 67a51322cbb161374023771f2fa9c1d5
SHA1 0162a4171c983605374a295a57a7ba6a58622ff5
SHA256 ef7e913e51b970193a61248fccf25fa32f9efbdc82953ca0850d9607e87cdd68
SHA512 71e4962d123a21d763a6d88899c35df1f7a0712bd33995fd61e548deb4d1d2c135000330d5f2dd843c69cd8f92c42295c9e0f2c2a288a4f3c81496e83a837ce1

C:\Users\Admin\Documents\iofolko5\heVKpNhdRmYgMPmmxDaI7ca3.exe

MD5 9ccfc9b35faf4c02d6d8c4d6430f94bb
SHA1 bf4d401d466b5c004141484d0bce7b5d12960a75
SHA256 17755d80106436dddce6838115080879d71e018056ed2f72470ff8ddb7a48739
SHA512 b2d175d1cfaf81694769ddde1e1a78be0af7caf4928a93be3b8902517495f93878ef70ee49aa5cebcd9b636f5fa4bda7a19f366b48ec00356475c3ab9c688c6c

C:\Users\Admin\Documents\iofolko5\28vZFGj2kcIPzJnUVkzRJWfQ.exe

MD5 155105824c859e795361a482d2553c57
SHA1 facfc45f60b4d5110232e9579638d9ca293221e7
SHA256 30bc474ae7ee49eb799aed9aaff0954cf61aea144929c7ce4ac083d6b9930070
SHA512 4504f9d1177c9eaa825255eca92b8c042ebf6ce0514dcb04f498d92e9528b131143ad12c1d63a21e0a9a87079e6caf1b5aa3966a538a00c5455626fcaf945c6b

C:\Users\Admin\Documents\iofolko5\rxSPe0VhYd7XZLspjdwfjhAw.exe

MD5 e81c71d0c270fa8d67b4ec8b1e968479
SHA1 bf33b5e1b7b694909de07a3447f84362fa766600
SHA256 d92729a5a6186ae6dc688de6b0c3774c43f7788f50c09a3373306fa553750691
SHA512 72298ce9e81a84c878a1eba30d1acad2d0d04567b0081ec7593fce17082a4aae8c0ac28bd4cf7943e55fecb61737fb8a3df5b0edebe79e6582846ec5d5a51af4

C:\Users\Admin\Documents\iofolko5\zcmMGoW5csPaIbsXOpRC460o.exe

MD5 22e3086fa71d9cc3418a00372ef05ff8
SHA1 97dbc4e6cd4d5c40379ab5fc67a9c690f0bf48dd
SHA256 52caacc4df11ab50c9cc0cac8715d046312167c6e6a2b2f5a756f1979ae2db86
SHA512 f41724beb373db7ff2e2f20e883a316e57a4e70c0809629583fc253f88fa211a5eadc3788a5747fb8353bb3237d3234dce2593dde27b40f12520d23b58dad738

C:\Users\Admin\Documents\iofolko5\3RGJ8Aixuve9p_byQRAr1nZf.exe

MD5 d4ac1a0d0504ab9a127defa511df833e
SHA1 9254864b6917eba6d4d4616ac2564f192626668b
SHA256 a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848
SHA512 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5

C:\Users\Admin\Documents\iofolko5\Qy03dVmEhkuHavYp2mWPCx7T.exe

MD5 d8ecb462d3046a0ee172551c5d505c8e
SHA1 54f9e16b497579964e9afc90c3c0c208f16b4418
SHA256 afb9edbf499a4726d798cda9f0f372b4b1019033b68d5eb87a8a83ecb7463d6f
SHA512 9eed44c24a71b44e90efc853b75d2103faa3f8518e1efad45c8c4733ee0396c51e8ea11ba6e7d2ac4f30234e6380c3325227cced8d1753373581eb45073c012e

C:\Users\Admin\Documents\iofolko5\c8jWcBGIoa02Casq2Fj3dovU.exe

MD5 24366096e1851e1ba5f3059095522f63
SHA1 4f3a72cef34d2016e59017200c18ffe31d04302e
SHA256 8f65a8cb816ceaf16b353434261c320bfe8cf9907dd0f73e1a8eea42cd5694be
SHA512 4dd2b7768c6470c9f1c1817f97e4418829aa75afa501506bf45ffc3ef75200f3fb27f0baee028567ebc6fc71572a5d08c1f34acbf731ace8ff7c69932cd93edb

C:\Users\Admin\Documents\iofolko5\s8fritnOncXPE7IsalCjwqnP.exe

MD5 025ebe0a476fe1a27749e6da0eea724f
SHA1 fe844380280463b927b9368f9eace55eb97baab7
SHA256 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2
SHA512 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799

memory/2980-187-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-200-0x0000000007CA0000-0x0000000008314000-memory.dmp

memory/2980-199-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2316-242-0x00000000001A0000-0x0000000000814000-memory.dmp

memory/2980-241-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2200-232-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2980-251-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-228-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-221-0x0000000007CA0000-0x0000000008314000-memory.dmp

memory/2980-220-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-215-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-211-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2980-194-0x0000000000630000-0x0000000000810000-memory.dmp

memory/2116-254-0x0000000000B70000-0x0000000000E62000-memory.dmp

memory/1636-266-0x0000000000070000-0x00000000000F8000-memory.dmp

memory/1676-269-0x0000000001220000-0x0000000001254000-memory.dmp

memory/2924-268-0x0000000001030000-0x0000000001068000-memory.dmp

memory/684-267-0x0000000000860000-0x00000000008B4000-memory.dmp

memory/1740-276-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1740-278-0x0000000000400000-0x0000000000643000-memory.dmp

memory/2316-275-0x00000000001A0000-0x0000000000814000-memory.dmp

memory/1740-287-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1740-286-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1740-284-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1740-282-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1740-280-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1740-307-0x0000000000400000-0x0000000000643000-memory.dmp

memory/996-305-0x0000000077610000-0x0000000077612000-memory.dmp

memory/996-303-0x0000000077610000-0x0000000077612000-memory.dmp

memory/996-301-0x0000000077610000-0x0000000077612000-memory.dmp

memory/568-300-0x0000000000400000-0x0000000000452000-memory.dmp

memory/568-299-0x0000000000400000-0x0000000000452000-memory.dmp

memory/568-298-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2116-339-0x0000000004EE0000-0x0000000005080000-memory.dmp

memory/1740-292-0x0000000000400000-0x0000000000643000-memory.dmp

memory/568-295-0x0000000000400000-0x0000000000452000-memory.dmp

memory/568-293-0x0000000000400000-0x0000000000452000-memory.dmp

memory/568-290-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2116-340-0x0000000005450000-0x00000000055EE000-memory.dmp

memory/568-288-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2116-341-0x0000000000930000-0x0000000000952000-memory.dmp

memory/2644-360-0x0000000000400000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp6FF3.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\Temp\Cab7AFC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7B1E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1192-471-0x00000000000F0000-0x0000000000124000-memory.dmp

memory/3040-495-0x0000000001180000-0x00000000011D4000-memory.dmp

C:\ProgramData\CBFBKFIDHIDG\FBGIDH

MD5 c61f0bee83c8a956f2cf4ceba90bebc9
SHA1 f4f61f0e65b7669be468cacaf8e00b2f30cb46cc
SHA256 601c578f842ad1a4c743f3bf049d691225697819abe9b75bfe156264412e28dc
SHA512 e6949a72e8bc26fd2910339ae75f22a36a0ad0bf9579bb2a0ada2ee2b8fb3a1b3891756eec774d4a64263e937c6ae768249e64874c559bb2f1b69d2d38bfceaa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\mozglue[1].dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\CBFBKFIDHIDG\CGDHDH

MD5 8eeaaf8cdd40a447c600b61174601204
SHA1 4f8ac09588a86bd224776e685669459204f00e6c
SHA256 2eb7073deca02dbf04d65329e12a76ffc5cb08001a3d166fd27e48fa3603f4f3
SHA512 cd6ceb36440621e5b7e144e29092d93ccf362906baa0e5bda6c49cc62ed9f18bdaa07a0075d3067b6a292deb89e8077306f0bf01ec2a704d1bdd9f514a137484

C:\ProgramData\FBGHIIJDGH.exe

MD5 1848bfbfb02bed98ca43832f3743dd79
SHA1 70c54098a69e6e216d3a7d84867e778a1da86fb2
SHA256 8c60a45cb4a712a18839f011f85b3b11ba67d4db03b155bd64c5eda20534a309
SHA512 1230e90eeeee00aa67794be71fa0692bb706b2d445a86653cad10d0e328ca7d4301d8e881a6895bdae09ecd77217b1ba785eb01ea451b04571242349635f95dc

memory/1172-572-0x0000000000830000-0x0000000000884000-memory.dmp

memory/2104-600-0x0000000000E70000-0x0000000000EA4000-memory.dmp

C:\ProgramData\HCAFIJDGHCBF\HIJEGI

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\HCAFIJDGHCBF\BGIIDA

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-02 14:59

Reported

2024-09-02 15:36

Platform

win10-20240404-en

Max time kernel

332s

Max time network

405s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4576 set thread context of 3996 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ResourcesBrake C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 208 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 208 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 208 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 208 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 208 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 208 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 208 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 208 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 208 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 208 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 208 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 208 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4576 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4576 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 301998

C:\Windows\SysWOW64\findstr.exe

findstr /V "HazardousJimmyLiableHowever" Italic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Quantities.pif B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC udp
US 185.143.223.148:80 185.143.223.148 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 8.8.8.8:53 148.223.143.185.in-addr.arpa udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Least

MD5 27ae911f596e4ff92e29f972adf0e0b9
SHA1 d01b96e291a76541cde9eff35c978e18f40c41c5
SHA256 c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e
SHA512 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6

C:\Users\Admin\AppData\Local\Temp\Italic

MD5 28223818ad5996d2af9084c5d6417555
SHA1 0d60f098499444a4ad9d6ed5bfccf493f98233a1
SHA256 e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562
SHA512 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd

C:\Users\Admin\AppData\Local\Temp\If

MD5 f46f96d88296c0f254a435da379fda59
SHA1 a62c442c43a152958e98f921f9cf84b238e0db39
SHA256 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef
SHA512 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7

C:\Users\Admin\AppData\Local\Temp\Draw

MD5 45b8bf23975a16a5f1d543a1d6113712
SHA1 23005543f09c26211d1a5025b25ecb064e11cda2
SHA256 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a
SHA512 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4

C:\Users\Admin\AppData\Local\Temp\Cherry

MD5 461c27a459b970f2b6e8a0c4d804d08b
SHA1 2667edbf37e403e0b8ef91853f939b439c71ca47
SHA256 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252
SHA512 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770

C:\Users\Admin\AppData\Local\Temp\X

MD5 42f1f4f3dcc546c4d2ffd6fc34ae0d59
SHA1 72089da6297e2559aee066beeef041d77c995605
SHA256 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43
SHA512 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3

C:\Users\Admin\AppData\Local\Temp\Polyphonic

MD5 487876f6d1b96fd922a958c48d48a830
SHA1 b3bab66966fdf53f51a10304145b84dce7f29429
SHA256 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e
SHA512 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4

C:\Users\Admin\AppData\Local\Temp\Hills

MD5 0515a4a5459d9d6bc894757b4dfa7caa
SHA1 e942627a02f5e0ded90a200ee1e241633b492418
SHA256 e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b
SHA512 f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539

C:\Users\Admin\AppData\Local\Temp\Gnu

MD5 2caf2ad60def740a225604bbff7be58d
SHA1 b7883efafdcd1d172c50676d0cdcae4cdd0a81d0
SHA256 d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb
SHA512 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f

C:\Users\Admin\AppData\Local\Temp\Key

MD5 5b550dc8c634b092a3b92c134e0814a2
SHA1 7d7378be716a5cbd1c48ed7ae4accefd46e78260
SHA256 b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34
SHA512 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5

C:\Users\Admin\AppData\Local\Temp\Detect

MD5 288a651ff72fe49bd01f767d0953f592
SHA1 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b
SHA256 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f
SHA512 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8

C:\Users\Admin\AppData\Local\Temp\Ur

MD5 c09313c5cb9b0bbb55925207a89663ce
SHA1 3523b3a68c85f908c6ffa3f45315168d88ac7b92
SHA256 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229
SHA512 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416

C:\Users\Admin\AppData\Local\Temp\Planet

MD5 b5b4f986168680189f25497ec3c96cac
SHA1 aab716d4d4cc1ff40a4497bfa68388c0a087a2d2
SHA256 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a
SHA512 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8

C:\Users\Admin\AppData\Local\Temp\Bed

MD5 27f0060738094e127687300ae907902c
SHA1 997fa44fcb9f34238009d9f0707bbf001b23c5c1
SHA256 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de
SHA512 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa

C:\Users\Admin\AppData\Local\Temp\Davidson

MD5 6a3b014f3d3b9431c07cd04fdcb24fc7
SHA1 37e6e1204cf556c95129dad3cc95f0ed44c44f8c
SHA256 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52
SHA512 fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941

C:\Users\Admin\AppData\Local\Temp\Ring

MD5 bad9266e83c5a8cbb891480043544b3f
SHA1 11be22646fc01779949e01c1e35bf6894b043967
SHA256 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2
SHA512 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b

C:\Users\Admin\AppData\Local\Temp\Makers

MD5 77a924a4b154bba5d0581e424e700425
SHA1 38131e21bb10bf257252d2d0dc7a7d66456de193
SHA256 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021
SHA512 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d

C:\Users\Admin\AppData\Local\Temp\Pest

MD5 575d7d44665232ecd37b6d552b8594bb
SHA1 8791cf94559ae076c5ae7461d88cd32220fd5170
SHA256 da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7
SHA512 a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66

C:\Users\Admin\AppData\Local\Temp\Divx

MD5 109ea3b3fcc30a657196811b0b8bb8e5
SHA1 81d9b6d46cf56625047f4ea98901e590042a639c
SHA256 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe
SHA512 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44

C:\Users\Admin\AppData\Local\Temp\Wheel

MD5 9b2a8a04d727774a059123853431da52
SHA1 044243e59523da7f69883cacbe70b7d7e46680af
SHA256 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34
SHA512 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41

C:\Users\Admin\AppData\Local\Temp\Compliant

MD5 ce199702c46497d8573fff4d78e606a2
SHA1 4149d73fe6c348f3dd216accb03b421bf89746f9
SHA256 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141
SHA512 cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8

C:\Users\Admin\AppData\Local\Temp\Enclosure

MD5 bbac00d76756f7e775caa2e7673bee76
SHA1 0a90c5032342eaaf8f71561ef08e481a48ac97d8
SHA256 bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e
SHA512 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341

C:\Users\Admin\AppData\Local\Temp\Multiple

MD5 0a08672b60c9b7bd5aed7985bfb194a6
SHA1 c3d2799f59e12976262fbdd782e9d6083bc004b2
SHA256 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7
SHA512 cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa

C:\Users\Admin\AppData\Local\Temp\Character

MD5 0a1ef968221e799d9e7d3c5b12d9b9b1
SHA1 bd9dcc813c6d765351db4b4ba701d71825a2f5ef
SHA256 ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d
SHA512 a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24

C:\Users\Admin\AppData\Local\Temp\Square

MD5 6429d982b44da0c5e510074891c84d05
SHA1 e7e7d5376c981b57804db2046ab1e589b5b1e20d
SHA256 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01
SHA512 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267

C:\Users\Admin\AppData\Local\Temp\Personnel

MD5 59b719c0307872b1da8a8eb6498d04fe
SHA1 cd66a30e1ab756972af8db9da3a79ffd24cb73f0
SHA256 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6
SHA512 b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd

C:\Users\Admin\AppData\Local\Temp\Diane

MD5 37a4a09d5a64e8ace90d57aee1c9a5ad
SHA1 56dd4fa0e929c9186cfa005ada20c395c017d92f
SHA256 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44
SHA512 d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65

C:\Users\Admin\AppData\Local\Temp\Yield

MD5 9a8c4882c63e83dea3414ce89bffd3e0
SHA1 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81
SHA256 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6
SHA512 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e

C:\Users\Admin\AppData\Local\Temp\Oxford

MD5 3d7c41e63345ab502ff6d0024125c72c
SHA1 482d14af919dd112882720b31dede0d2bb9d6fc9
SHA256 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c
SHA512 f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125

C:\Users\Admin\AppData\Local\Temp\Assess

MD5 56c7199ed2cebda70cb95b6250ff2026
SHA1 b677160ff55e8516d8e82f98b4fef2a6f9427521
SHA256 f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af
SHA512 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982

C:\Users\Admin\AppData\Local\Temp\Facilities

MD5 e2fb39632419ec4af6b00159c7e9ea3d
SHA1 569f27f26870bf3b5c8dbabd61e5af08a66fb37e
SHA256 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6
SHA512 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9

C:\Users\Admin\AppData\Local\Temp\Law

MD5 8b8d133bbbcda6868db32b7322bded98
SHA1 13cb7f0dc27fba999eafd358cc1ce8c741055ede
SHA256 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2
SHA512 f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935

C:\Users\Admin\AppData\Local\Temp\Dry

MD5 ac97bdfbbc2cd99efb112947efc095e3
SHA1 d1c13589219246e0fb41b1d0320d0ddd881ee32d
SHA256 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d
SHA512 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4

C:\Users\Admin\AppData\Local\Temp\Ethnic

MD5 bfafcd4f6f1a7cab7e6587ce30a9ac26
SHA1 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4
SHA256 f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7
SHA512 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47

C:\Users\Admin\AppData\Local\Temp\Leone

MD5 4ef39b19f1f3377c48213ee58430aba3
SHA1 c0f8f8ca22791a892006e305318bbdad72ec5516
SHA256 d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966
SHA512 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61

C:\Users\Admin\AppData\Local\Temp\Threads

MD5 467cee0e396bf3375b0d41c42bf83463
SHA1 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de
SHA256 d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975
SHA512 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a

C:\Users\Admin\AppData\Local\Temp\Ton

MD5 08d5879bcf6e0fc11a3975c848c84ec6
SHA1 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12
SHA256 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468
SHA512 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\301998\B

MD5 d4850f35ef5d00d52ac27c403b4483b8
SHA1 be17e7dbcae50cade2ce2e662ceea543608ae888
SHA256 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493
SHA512 e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec

memory/3996-86-0x0000000001840000-0x0000000001A20000-memory.dmp

memory/3996-87-0x0000000001840000-0x0000000001A20000-memory.dmp

memory/3996-89-0x0000000001840000-0x0000000001A20000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-02 14:59

Reported

2024-09-02 15:37

Platform

win10v2004-20240802-en

Max time kernel

437s

Max time network

442s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4992 set thread context of 452 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ResourcesBrake C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4592 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 624 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 624 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 624 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 624 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 624 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 624 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 624 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 624 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 624 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 624 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 624 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 624 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4992 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4992 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 301998

C:\Windows\SysWOW64\findstr.exe

findstr /V "HazardousJimmyLiableHowever" Italic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Quantities.pif B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 185.143.223.148:80 185.143.223.148 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 173.231.16.77:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 148.223.143.185.in-addr.arpa udp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Least

MD5 27ae911f596e4ff92e29f972adf0e0b9
SHA1 d01b96e291a76541cde9eff35c978e18f40c41c5
SHA256 c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e
SHA512 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6

C:\Users\Admin\AppData\Local\Temp\Italic

MD5 28223818ad5996d2af9084c5d6417555
SHA1 0d60f098499444a4ad9d6ed5bfccf493f98233a1
SHA256 e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562
SHA512 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd

C:\Users\Admin\AppData\Local\Temp\If

MD5 f46f96d88296c0f254a435da379fda59
SHA1 a62c442c43a152958e98f921f9cf84b238e0db39
SHA256 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef
SHA512 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7

C:\Users\Admin\AppData\Local\Temp\Draw

MD5 45b8bf23975a16a5f1d543a1d6113712
SHA1 23005543f09c26211d1a5025b25ecb064e11cda2
SHA256 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a
SHA512 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4

C:\Users\Admin\AppData\Local\Temp\Cherry

MD5 461c27a459b970f2b6e8a0c4d804d08b
SHA1 2667edbf37e403e0b8ef91853f939b439c71ca47
SHA256 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252
SHA512 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770

C:\Users\Admin\AppData\Local\Temp\X

MD5 42f1f4f3dcc546c4d2ffd6fc34ae0d59
SHA1 72089da6297e2559aee066beeef041d77c995605
SHA256 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43
SHA512 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3

C:\Users\Admin\AppData\Local\Temp\Polyphonic

MD5 487876f6d1b96fd922a958c48d48a830
SHA1 b3bab66966fdf53f51a10304145b84dce7f29429
SHA256 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e
SHA512 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4

C:\Users\Admin\AppData\Local\Temp\Hills

MD5 0515a4a5459d9d6bc894757b4dfa7caa
SHA1 e942627a02f5e0ded90a200ee1e241633b492418
SHA256 e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b
SHA512 f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539

C:\Users\Admin\AppData\Local\Temp\Gnu

MD5 2caf2ad60def740a225604bbff7be58d
SHA1 b7883efafdcd1d172c50676d0cdcae4cdd0a81d0
SHA256 d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb
SHA512 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f

C:\Users\Admin\AppData\Local\Temp\Key

MD5 5b550dc8c634b092a3b92c134e0814a2
SHA1 7d7378be716a5cbd1c48ed7ae4accefd46e78260
SHA256 b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34
SHA512 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5

C:\Users\Admin\AppData\Local\Temp\Detect

MD5 288a651ff72fe49bd01f767d0953f592
SHA1 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b
SHA256 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f
SHA512 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8

C:\Users\Admin\AppData\Local\Temp\Ur

MD5 c09313c5cb9b0bbb55925207a89663ce
SHA1 3523b3a68c85f908c6ffa3f45315168d88ac7b92
SHA256 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229
SHA512 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416

C:\Users\Admin\AppData\Local\Temp\Divx

MD5 109ea3b3fcc30a657196811b0b8bb8e5
SHA1 81d9b6d46cf56625047f4ea98901e590042a639c
SHA256 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe
SHA512 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44

C:\Users\Admin\AppData\Local\Temp\Pest

MD5 575d7d44665232ecd37b6d552b8594bb
SHA1 8791cf94559ae076c5ae7461d88cd32220fd5170
SHA256 da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7
SHA512 a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66

C:\Users\Admin\AppData\Local\Temp\Makers

MD5 77a924a4b154bba5d0581e424e700425
SHA1 38131e21bb10bf257252d2d0dc7a7d66456de193
SHA256 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021
SHA512 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d

C:\Users\Admin\AppData\Local\Temp\Ring

MD5 bad9266e83c5a8cbb891480043544b3f
SHA1 11be22646fc01779949e01c1e35bf6894b043967
SHA256 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2
SHA512 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b

C:\Users\Admin\AppData\Local\Temp\Davidson

MD5 6a3b014f3d3b9431c07cd04fdcb24fc7
SHA1 37e6e1204cf556c95129dad3cc95f0ed44c44f8c
SHA256 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52
SHA512 fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941

C:\Users\Admin\AppData\Local\Temp\Bed

MD5 27f0060738094e127687300ae907902c
SHA1 997fa44fcb9f34238009d9f0707bbf001b23c5c1
SHA256 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de
SHA512 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa

C:\Users\Admin\AppData\Local\Temp\Planet

MD5 b5b4f986168680189f25497ec3c96cac
SHA1 aab716d4d4cc1ff40a4497bfa68388c0a087a2d2
SHA256 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a
SHA512 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8

C:\Users\Admin\AppData\Local\Temp\Character

MD5 0a1ef968221e799d9e7d3c5b12d9b9b1
SHA1 bd9dcc813c6d765351db4b4ba701d71825a2f5ef
SHA256 ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d
SHA512 a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24

C:\Users\Admin\AppData\Local\Temp\Enclosure

MD5 bbac00d76756f7e775caa2e7673bee76
SHA1 0a90c5032342eaaf8f71561ef08e481a48ac97d8
SHA256 bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e
SHA512 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341

C:\Users\Admin\AppData\Local\Temp\Compliant

MD5 ce199702c46497d8573fff4d78e606a2
SHA1 4149d73fe6c348f3dd216accb03b421bf89746f9
SHA256 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141
SHA512 cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8

C:\Users\Admin\AppData\Local\Temp\Wheel

MD5 9b2a8a04d727774a059123853431da52
SHA1 044243e59523da7f69883cacbe70b7d7e46680af
SHA256 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34
SHA512 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41

C:\Users\Admin\AppData\Local\Temp\Multiple

MD5 0a08672b60c9b7bd5aed7985bfb194a6
SHA1 c3d2799f59e12976262fbdd782e9d6083bc004b2
SHA256 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7
SHA512 cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa

C:\Users\Admin\AppData\Local\Temp\Personnel

MD5 59b719c0307872b1da8a8eb6498d04fe
SHA1 cd66a30e1ab756972af8db9da3a79ffd24cb73f0
SHA256 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6
SHA512 b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd

C:\Users\Admin\AppData\Local\Temp\Square

MD5 6429d982b44da0c5e510074891c84d05
SHA1 e7e7d5376c981b57804db2046ab1e589b5b1e20d
SHA256 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01
SHA512 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267

C:\Users\Admin\AppData\Local\Temp\Diane

MD5 37a4a09d5a64e8ace90d57aee1c9a5ad
SHA1 56dd4fa0e929c9186cfa005ada20c395c017d92f
SHA256 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44
SHA512 d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65

C:\Users\Admin\AppData\Local\Temp\Yield

MD5 9a8c4882c63e83dea3414ce89bffd3e0
SHA1 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81
SHA256 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6
SHA512 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e

C:\Users\Admin\AppData\Local\Temp\Oxford

MD5 3d7c41e63345ab502ff6d0024125c72c
SHA1 482d14af919dd112882720b31dede0d2bb9d6fc9
SHA256 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c
SHA512 f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125

C:\Users\Admin\AppData\Local\Temp\Assess

MD5 56c7199ed2cebda70cb95b6250ff2026
SHA1 b677160ff55e8516d8e82f98b4fef2a6f9427521
SHA256 f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af
SHA512 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982

C:\Users\Admin\AppData\Local\Temp\Dry

MD5 ac97bdfbbc2cd99efb112947efc095e3
SHA1 d1c13589219246e0fb41b1d0320d0ddd881ee32d
SHA256 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d
SHA512 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4

C:\Users\Admin\AppData\Local\Temp\Facilities

MD5 e2fb39632419ec4af6b00159c7e9ea3d
SHA1 569f27f26870bf3b5c8dbabd61e5af08a66fb37e
SHA256 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6
SHA512 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9

C:\Users\Admin\AppData\Local\Temp\Law

MD5 8b8d133bbbcda6868db32b7322bded98
SHA1 13cb7f0dc27fba999eafd358cc1ce8c741055ede
SHA256 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2
SHA512 f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935

C:\Users\Admin\AppData\Local\Temp\Ethnic

MD5 bfafcd4f6f1a7cab7e6587ce30a9ac26
SHA1 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4
SHA256 f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7
SHA512 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47

C:\Users\Admin\AppData\Local\Temp\Ton

MD5 08d5879bcf6e0fc11a3975c848c84ec6
SHA1 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12
SHA256 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468
SHA512 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb

C:\Users\Admin\AppData\Local\Temp\Leone

MD5 4ef39b19f1f3377c48213ee58430aba3
SHA1 c0f8f8ca22791a892006e305318bbdad72ec5516
SHA256 d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966
SHA512 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61

C:\Users\Admin\AppData\Local\Temp\Threads

MD5 467cee0e396bf3375b0d41c42bf83463
SHA1 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de
SHA256 d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975
SHA512 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\301998\B

MD5 d4850f35ef5d00d52ac27c403b4483b8
SHA1 be17e7dbcae50cade2ce2e662ceea543608ae888
SHA256 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493
SHA512 e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec

memory/452-86-0x0000000000D20000-0x0000000000F00000-memory.dmp

memory/452-87-0x0000000000D20000-0x0000000000F00000-memory.dmp

memory/452-89-0x0000000000D20000-0x0000000000F00000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-02 14:59

Reported

2024-09-02 15:37

Platform

win11-20240802-en

Max time kernel

442s

Max time network

445s

Command Line

"C:\Users\Admin\AppData\Local\Temp\File.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4728 set thread context of 2228 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ResourcesBrake C:\Users\Admin\AppData\Local\Temp\File.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\File.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\File.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2292 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2292 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2292 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2292 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2292 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2292 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2292 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2292 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2292 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 2292 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2292 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2292 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4728 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif
PID 4728 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Processes

C:\Users\Admin\AppData\Local\Temp\File.exe

"C:\Users\Admin\AppData\Local\Temp\File.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Least Least.bat & Least.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 301998

C:\Windows\SysWOW64\findstr.exe

findstr /V "HazardousJimmyLiableHowever" Italic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Draw + ..\Cherry + ..\X + ..\Polyphonic + ..\Hills + ..\Gnu + ..\Key + ..\Detect + ..\Ur + ..\Planet + ..\Bed + ..\Davidson + ..\Ring + ..\Makers + ..\Pest + ..\Divx + ..\Wheel + ..\Compliant + ..\Enclosure + ..\Character + ..\Multiple + ..\Square + ..\Personnel + ..\Diane + ..\Yield + ..\Oxford + ..\Assess + ..\Law + ..\Facilities + ..\Dry + ..\Ethnic + ..\Ton + ..\Leone + ..\Threads B

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Quantities.pif B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 xkVzCXvwjwWCYmSHUQeEkaBORC.xkVzCXvwjwWCYmSHUQeEkaBORC udp
US 185.143.223.148:80 185.143.223.148 tcp
US 173.231.16.77:443 api64.ipify.org tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Least

MD5 27ae911f596e4ff92e29f972adf0e0b9
SHA1 d01b96e291a76541cde9eff35c978e18f40c41c5
SHA256 c37cc0ab2dcaae684779b24c11f5bf48b9b7aa94f62a94522b2c458ae0c6cb3e
SHA512 54e7898f163fcbf9ec866537176431ec65d8bf42e74c7deae0e617c50d66429baecbea06e48bcf65f4f53e70d2c83705e3bdba055f6281cb72e260cbaa0977c6

C:\Users\Admin\AppData\Local\Temp\Italic

MD5 28223818ad5996d2af9084c5d6417555
SHA1 0d60f098499444a4ad9d6ed5bfccf493f98233a1
SHA256 e8837d92ea93af0d611d015136edac2931d55b48b5b2dbb4a28d693edbae2562
SHA512 73ee5309103cbc5f1bb2a27dd4a0843f6309634856e4c073a0838d3a7dd4f656c004930aef5f89c4f5f119e7985d73fe342c205ce678439b28241c3f657c89dd

C:\Users\Admin\AppData\Local\Temp\If

MD5 f46f96d88296c0f254a435da379fda59
SHA1 a62c442c43a152958e98f921f9cf84b238e0db39
SHA256 1a8847054fc8c2dbbffda2ce3cf83ed426aab2523a5b5099c854e8c1db73a3ef
SHA512 6b260673d7e6c3685db1c5fc9d84ba3ad48f9d62c496104618701052cebb627926e920d25630092ec60e53853161026445811216fc99d17537c9bcf5fa8124f7

C:\Users\Admin\AppData\Local\Temp\Draw

MD5 45b8bf23975a16a5f1d543a1d6113712
SHA1 23005543f09c26211d1a5025b25ecb064e11cda2
SHA256 7fa04aabf5b37035562a1c3b43d0909d4caf3f1051c45612f7f326bc5557019a
SHA512 7c8a625d49aa26c7e8918d3821671802f6cf6178493db313e4444adca0e06648e92ee8d3b1aa35836b777e8bbc63b9b2b9fdb0710837d51cd41185fb984fe6a4

C:\Users\Admin\AppData\Local\Temp\Cherry

MD5 461c27a459b970f2b6e8a0c4d804d08b
SHA1 2667edbf37e403e0b8ef91853f939b439c71ca47
SHA256 1054efc0fd86059cba679cbb15ddf578f6da7c11ff0055f001b152001951b252
SHA512 2c6c1b78e384d6ad9c780059e5b3b472554b949e73bd76d8749f6e66accb5a27fe02a914edc0f7663cfadcdd7cbe457c92b9b3c784e51425238b993574083770

C:\Users\Admin\AppData\Local\Temp\X

MD5 42f1f4f3dcc546c4d2ffd6fc34ae0d59
SHA1 72089da6297e2559aee066beeef041d77c995605
SHA256 4ec55a686cf1b914e7a459899882d4d462bb714d0b7550b98b57c132f4bc7c43
SHA512 47af27cb9af6b25250b550c1ef5d0ee86b71dab439ed1ec3c5ad9ac734000aa15fe4dae63e1b5afb739fdae3a18f856ecaae6036f995fa65fc9ad07fe04618d3

C:\Users\Admin\AppData\Local\Temp\Polyphonic

MD5 487876f6d1b96fd922a958c48d48a830
SHA1 b3bab66966fdf53f51a10304145b84dce7f29429
SHA256 4fa73558dffe2ce4b6dcd7a661bd6c41fce39d1689db55480002a20fa59f018e
SHA512 549f64f8ec1bc2932ea736a603196974f77ec4f31da2e97869a3713bf34e65200fd1bf842e82f651bebcde7a380dffad0f74c15e887db4186b5c7ac71cf742f4

C:\Users\Admin\AppData\Local\Temp\Hills

MD5 0515a4a5459d9d6bc894757b4dfa7caa
SHA1 e942627a02f5e0ded90a200ee1e241633b492418
SHA256 e9b80ca62f5ba9204d2420eb979be20b5c9c236d89fd4dc4dc94e6b4e17fda3b
SHA512 f4f09f56d4bbea847151fdec88ddea0a1fc489f551bab16b7e9cd71b40955017a3e370fe627e430e494b5968a7e78e9db89b65d40542947899b4b38ae47d8539

C:\Users\Admin\AppData\Local\Temp\Gnu

MD5 2caf2ad60def740a225604bbff7be58d
SHA1 b7883efafdcd1d172c50676d0cdcae4cdd0a81d0
SHA256 d65123deceb9027fd4dd4c3b5d86182664c1d04f625f340cb8a52d0c5a4dfcfb
SHA512 904a385b808db2d6a355fcbf8d1f048544bb82160dd75f4820b807c8296166dfa1338850e6c4e1166475c0ae97642ffdef58d21606e73ebbef8deb2607f5022f

C:\Users\Admin\AppData\Local\Temp\Key

MD5 5b550dc8c634b092a3b92c134e0814a2
SHA1 7d7378be716a5cbd1c48ed7ae4accefd46e78260
SHA256 b44dbef8eb98f957dca4ae0b0679c246c7da05165232e1aca5e1e076b89cec34
SHA512 4921a470ab69e4eca945d0c25cc45c34182aec695e64dbeac9243bc73cf9576302f2a18b29d0c82836660841a6a761fa943c8220117d26bdd19ca109bc7185e5

C:\Users\Admin\AppData\Local\Temp\Detect

MD5 288a651ff72fe49bd01f767d0953f592
SHA1 1cf1d7cd809ad39ab0f5e3217cc4a7de55aea88b
SHA256 74a7d876e9fe8736b56676131f0af61f03a2fcaed11aa0ed1610bc21cbe6726f
SHA512 57af339bfe2c13a9391bac81b018d01a2e0a1dc44b7beda9519046b8b89f5b7631134b1cc19e2de6c9358ea95770a4b1152d14d8fe1ab1e954c1a0dbc5fb0ce8

C:\Users\Admin\AppData\Local\Temp\Ur

MD5 c09313c5cb9b0bbb55925207a89663ce
SHA1 3523b3a68c85f908c6ffa3f45315168d88ac7b92
SHA256 5995508c177afe660d9a67765c34093fa4bf78db4acbe5fdbafde05c220cd229
SHA512 28fe1473e32304afc5612aff4a923aa2ed44835d821631dd980ad6850aa814ee199a7122364e0a05dba08cdd266b2220e065c8430faa5193afb3f37646ace416

C:\Users\Admin\AppData\Local\Temp\Planet

MD5 b5b4f986168680189f25497ec3c96cac
SHA1 aab716d4d4cc1ff40a4497bfa68388c0a087a2d2
SHA256 5c587d588e34fd317bf9a655b00486f790aad48c74e93bd81942a7ff5a6bae8a
SHA512 37c0ae9860822f9df36f796fc8836dae3484f2231d246b763f2f58a83048452da63ce1cd5d40df3372f94087987bd4125ba4283f900a5dd1e16f12d6f3a901e8

C:\Users\Admin\AppData\Local\Temp\Bed

MD5 27f0060738094e127687300ae907902c
SHA1 997fa44fcb9f34238009d9f0707bbf001b23c5c1
SHA256 694aab38f7507135b1f830ceff868fdb3d30081834f053562a47e362874966de
SHA512 8519c1b861d28503c267c3b78aa24bd36e48fd181e20d0b804fc877ea5780647e184c9bc31bbf092a4856ac260fe669c1e5f8a09d9c0dde521a6c5b0d4697daa

C:\Users\Admin\AppData\Local\Temp\Davidson

MD5 6a3b014f3d3b9431c07cd04fdcb24fc7
SHA1 37e6e1204cf556c95129dad3cc95f0ed44c44f8c
SHA256 0446d64401a239d411ced7399ac3879ccaf7ccf3f1dc576f917081c90833ca52
SHA512 fb71c74f8d2a1209c532e6aa4c4bfccc3c8152f1d59863869f40b8ee5efc68a204f28cf208896e68a131d8653c3110188b1b91820806d6b7ca1dbbce28cac941

C:\Users\Admin\AppData\Local\Temp\Ring

MD5 bad9266e83c5a8cbb891480043544b3f
SHA1 11be22646fc01779949e01c1e35bf6894b043967
SHA256 61e28767fc896ead642afc27d6270fcd3bcc2d394259033e6ca2b5c697d07cf2
SHA512 3a89bc933d74c661743cbd5b6e81449a7f4f1cefef9288aae23de66109c47c3f751a122a0d560941af116dcb563804a68efe505411b7ff6a3e51f1bee76a088b

C:\Users\Admin\AppData\Local\Temp\Makers

MD5 77a924a4b154bba5d0581e424e700425
SHA1 38131e21bb10bf257252d2d0dc7a7d66456de193
SHA256 2a5ea2c603b307b2a4be04cdc2f990ed66cbe89b88012374afe1c74ea5a4f021
SHA512 503b44e9f3f6bfe9d5f27ffce83421f31a2d40c8f2efb083a1a5fda18043005f0b1fd379eeb36a25a4efe70747a485d4aa9f16cc7dd11ad9e24e006dd2f6e50d

C:\Users\Admin\AppData\Local\Temp\Pest

MD5 575d7d44665232ecd37b6d552b8594bb
SHA1 8791cf94559ae076c5ae7461d88cd32220fd5170
SHA256 da48284b6f8f3e874f49d1e7c1e366df77188ee03ea1df8498e5268ceccdeeb7
SHA512 a69e8fedb445a1a6c87920e7c98726c50140265ae3e3b4b5eeb9cc75a41c9e92a9f4044fdecf20bbf7cd312b95546236807686280f8ba1d9763fd88e0d398f66

C:\Users\Admin\AppData\Local\Temp\Wheel

MD5 9b2a8a04d727774a059123853431da52
SHA1 044243e59523da7f69883cacbe70b7d7e46680af
SHA256 65ebbbdf4b74c904186f02b51ffc20dd2d2f42fce7853f2c4551a8145ac79a34
SHA512 30fd1b9cf96efc52302b6a657d36e1550f4efe2c54fed66c8f010a231fbd7fe6b394f144aba7f8acb6272f6d79ed8d02c2de0582380039e2b883c32104aa4e41

C:\Users\Admin\AppData\Local\Temp\Divx

MD5 109ea3b3fcc30a657196811b0b8bb8e5
SHA1 81d9b6d46cf56625047f4ea98901e590042a639c
SHA256 90b3bbfc57f2ec861967df49d28b096939d14d73bc140e66e26b76e8dea72cfe
SHA512 084ad1101c565777e80dcbd51db53e8744dc56e6acddf1c70a1cab342c6dd757775b44f10c335cb9f73a25560201e540b63c9071649b5adad39cc8bac2816e44

C:\Users\Admin\AppData\Local\Temp\Compliant

MD5 ce199702c46497d8573fff4d78e606a2
SHA1 4149d73fe6c348f3dd216accb03b421bf89746f9
SHA256 254b36623f36af7fd266439424d70773b8bb8ee5727fa9a356f259e9ae004141
SHA512 cbf407cdb23bbfdfe17ebd27de6b7d8d361c15f6a762b600f3843730107fcd153d9ab66c33b1297d94676dab36dc063ed32114a9b1d8b5bec0241d082e5a82e8

C:\Users\Admin\AppData\Local\Temp\Enclosure

MD5 bbac00d76756f7e775caa2e7673bee76
SHA1 0a90c5032342eaaf8f71561ef08e481a48ac97d8
SHA256 bb69dde5b0cd261b3292e10274a8b5f9c1528460ea25ba1b6c856de30717ec3e
SHA512 68ab337f808dbe92a092740b66c0efdcc65a04ebaba675078c77ee535bc6b1532ce46364f8d874cbb20f76b56d3979784ca84ec2f9f498e259318c40ce5c0341

C:\Users\Admin\AppData\Local\Temp\Character

MD5 0a1ef968221e799d9e7d3c5b12d9b9b1
SHA1 bd9dcc813c6d765351db4b4ba701d71825a2f5ef
SHA256 ce6da782b3bbf951be87034d468d8092997d4e3b38a70d948109ac581d61ad5d
SHA512 a8ba7086ed43deb32126f65560bab5f9d3f3d2d8572c7e6ea346201ea2deaf9e28ccb2658ac7340ca47e5cddee329eb4e6f235b3d88c7a1abe79f3c4b6c98a24

C:\Users\Admin\AppData\Local\Temp\Square

MD5 6429d982b44da0c5e510074891c84d05
SHA1 e7e7d5376c981b57804db2046ab1e589b5b1e20d
SHA256 1844bd9296370a236238453fac7315b5bbabfe63e1d4fbad4cf20e718b36cb01
SHA512 18da00c81f95f4fe00d3b5f09ced7cd186e58f6f115b122339f6dc54b46fafc92e803998336aeae14bf3f5ce322ae276e48a4319dda4134a06b9a9077cc33267

C:\Users\Admin\AppData\Local\Temp\Personnel

MD5 59b719c0307872b1da8a8eb6498d04fe
SHA1 cd66a30e1ab756972af8db9da3a79ffd24cb73f0
SHA256 08bb0260a5ce5a0be8fec1994802d0aef3bfaba8e8053d524376982ab2625bb6
SHA512 b57858b21009b4ae5f14312d5ae5f47bcb55c8d83bf148f5757e1f380bf898569045ea177cca7fd8c9803ccaedc1f1f085cf7f86e510b18c033c5f2008a206dd

C:\Users\Admin\AppData\Local\Temp\Multiple

MD5 0a08672b60c9b7bd5aed7985bfb194a6
SHA1 c3d2799f59e12976262fbdd782e9d6083bc004b2
SHA256 2aab597acfbc2f68e8bab76e22ce1302dc37b16f8bb37b0f97334fdebda8eba7
SHA512 cc2e5642e2f9e2e3397c05281b5c33b9159812d8ba7b3a94a418fd823e7236d54b86459400d7d90a570a9c1e59ae8d5ca93a5d8e1fd3a456ae2b909213d4e9aa

C:\Users\Admin\AppData\Local\Temp\Diane

MD5 37a4a09d5a64e8ace90d57aee1c9a5ad
SHA1 56dd4fa0e929c9186cfa005ada20c395c017d92f
SHA256 1ccbaee7a732855a7e2c6b1bf4aeed6a7d5f630574da09370b41b265929e5c44
SHA512 d8ab6d470a797cffee28d3f252c6b6d132408766b006f5a9da6c37cbe168f93338b103e18f12a333b3e7c8f91a22d7b4022de43ce5ccb3b98a766dd6fe729b65

C:\Users\Admin\AppData\Local\Temp\Threads

MD5 467cee0e396bf3375b0d41c42bf83463
SHA1 0a73ffcfbc91ee99d3b6ce4473cdde36469a19de
SHA256 d7a1560c445fbf0a2c85201e1133fe5b3024036abfaa83b04a587197141ed975
SHA512 0ce241a481435694607a1f34ec330bcb629648098bd18489e505c400b18f40a7ccb1a39b9e6529b604c019f0b46e94a93e6e0cfc2987803ae20db7e0f4a6e95a

C:\Users\Admin\AppData\Local\Temp\Leone

MD5 4ef39b19f1f3377c48213ee58430aba3
SHA1 c0f8f8ca22791a892006e305318bbdad72ec5516
SHA256 d73211af5f67430e6c032f0eb19f5d7b66a3f830150980395c86b5db9fac8966
SHA512 22e7aaddfb6bf52b56cf928f465eeeb6c006e10f3db84f2dad74c1dc5f69e86b03eee19008fc303c0411d9e98f1f857005f21338fb9b1bf6ebd6c0da6cff0c61

C:\Users\Admin\AppData\Local\Temp\Ton

MD5 08d5879bcf6e0fc11a3975c848c84ec6
SHA1 7ce5a8ce9a1d398e7f2782745757c8ec945b2c12
SHA256 65550495ad097555488a196fa79701060118ccf40147a9c20580846eda899468
SHA512 284e419e97334c864653c7dbe85eaaa25468c5e27c8fcdd1859b110f7d01c39848f905d092d40c073c2183694c096da6e4397ac17ebfdef93b8db3bfd7c3b6bb

C:\Users\Admin\AppData\Local\Temp\Ethnic

MD5 bfafcd4f6f1a7cab7e6587ce30a9ac26
SHA1 498bcfbecbbccc6ff513225aea2a7e2dc057c6e4
SHA256 f68bdac531a796680fb05b8fa9cbc8fc8d8e3e7cc6ccffa9441b9212c5cc3aa7
SHA512 15e3ccfeccfb2f16a18a3d9ea9a565404aaea1c9018f984843dfafd6e6adda332a47020131d535a9af93f508adbf53b31aec5479c1bfb76b863ce34179a6fc47

C:\Users\Admin\AppData\Local\Temp\Dry

MD5 ac97bdfbbc2cd99efb112947efc095e3
SHA1 d1c13589219246e0fb41b1d0320d0ddd881ee32d
SHA256 134e8bfdc9663f0bd1a79cca76394f55e173f28413a6827ae2f713d20307197d
SHA512 45cd56b7b2d8784ce0eb4a5a6509b9cc59fe0162391e7875c3279be98f1a9d3905f602bfb1cc1527105819d8f759623e5e3223abebe252c930ffcb5f2abbc5a4

C:\Users\Admin\AppData\Local\Temp\Facilities

MD5 e2fb39632419ec4af6b00159c7e9ea3d
SHA1 569f27f26870bf3b5c8dbabd61e5af08a66fb37e
SHA256 1bfe2e911eb01d5fa4062e75603b0cb8987e70f231f2ce1bbce407db4080f1a6
SHA512 0a87b9058b438c676046d576d19a80868e09c4c2ba6a8a192ade1aed7159840b978fef9538ce96dc27769ce93f04624fd1d175751a7c79ed6a6c7799c7db00e9

C:\Users\Admin\AppData\Local\Temp\Law

MD5 8b8d133bbbcda6868db32b7322bded98
SHA1 13cb7f0dc27fba999eafd358cc1ce8c741055ede
SHA256 7a8565c8a87eab15b9303d277c98f620772f796606817fc6ed48b62699d8a7b2
SHA512 f57e4cdfc71e7f43d3797f65c75f4561a59f02b9fd7dc877a9c66fffeaccfa0b3f9fab4c1f94a31f592b4e2a64bbbcc60547cf5963b99789882b59a401f30935

C:\Users\Admin\AppData\Local\Temp\Assess

MD5 56c7199ed2cebda70cb95b6250ff2026
SHA1 b677160ff55e8516d8e82f98b4fef2a6f9427521
SHA256 f713b70cf8a287b93ee524bafdc25e1648fa207598c8f12fb2e4e25d31a8c4af
SHA512 0efd4d9414703d3e430d4c2d73fb9d03324844d125d9a720fb5f9b4d9a2532633c2a2366412cdc361b113b709a8edf0c1acc14c494356d2d5c42513fac3e9982

C:\Users\Admin\AppData\Local\Temp\Oxford

MD5 3d7c41e63345ab502ff6d0024125c72c
SHA1 482d14af919dd112882720b31dede0d2bb9d6fc9
SHA256 36583bb23139d67154ad422631012904e3914a82f571b3699cd3313df5aac20c
SHA512 f0404c91d09993d67f2419ca012a1f89c247455a0eced104332950e5709c09e3d69bc7b3b406e7a002b388a97c770859480296f07c384eb280a57a20f704a125

C:\Users\Admin\AppData\Local\Temp\Yield

MD5 9a8c4882c63e83dea3414ce89bffd3e0
SHA1 7c085d8f3fc5148a04f8ecc2b77e195b4c39bf81
SHA256 182589c7432d01b92720a5b7d939a8f1bc1a28052a1c5c160fc692a911d73ac6
SHA512 32cfe70f6c059552c3315a2b9e5bf27c2edf832c7f0f57fa571e3eb9018843cdb2f101d9f3e899f79e7cc10e434ebf486bfadd4d5179835f10db2dd57efd8b3e

C:\Users\Admin\AppData\Local\Temp\301998\Quantities.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\301998\B

MD5 d4850f35ef5d00d52ac27c403b4483b8
SHA1 be17e7dbcae50cade2ce2e662ceea543608ae888
SHA256 88877c884aa647adc7ec2d488942d6d96f2ba1fe0fbcbfc3bf545bdfb4889493
SHA512 e97bb2d4a3b1458bd001f718f294f0c5f6ff7dfd533935be5fa61c0ba513c5896d2bd22eb80517b9e4152bf28158c71dd8e386b998cb05333e4ee44cfa767aec

memory/2228-86-0x00000000016A0000-0x0000000001880000-memory.dmp

memory/2228-87-0x00000000016A0000-0x0000000001880000-memory.dmp

memory/2228-89-0x00000000016A0000-0x0000000001880000-memory.dmp