Analysis Overview
SHA256
daa053b4eda32444723099d6f54ecb22ff53581753ecd4ccb455f68c74dc8aa4
Threat Level: Known bad
The file power systems ii.pdf.zip was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Djvu Ransomware
Lumma Stealer, LummaC
Stealc
Detect Vidar Stealer
RedLine payload
RedLine
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Drops startup file
Modifies file permissions
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks BIOS information in registry
.NET Reactor protector
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Power Settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates processes with tasklist
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Browser Information Discovery
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-02 16:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-02 16:01
Reported
2024-09-02 16:09
Platform
win10-20240404-en
Max time kernel
124s
Max time network
303s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\519b4c81-998e-45cb-989b-eca0383684f5\\cEb3YN9ry8jg1SsiMsJXrhaM.exe\" --AutoStart" | C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\StayOperating | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\BrokerBaby | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\SurelyCabin | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\NotreNr | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\SpectrumNext | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminCAFHIJDHDG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminCFIEBKEHCA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\FBGHIIJDGH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (certificate blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (certificate blob data omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 57839
C:\Windows\SysWOW64\findstr.exe
findstr /V "ComicHoRecruitingHabits" Voluntary
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
Crash.pif j
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe
C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe
C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe
C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe
C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe
C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe
C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe
C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe
C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe
C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe
C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe
C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe
C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe
C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe
C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe
C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe
C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe
C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe
C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe
C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe
C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe
C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe
C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe
C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe
C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp" /SL5="$701FC,3863733,54272,C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 612
C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe
"C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"
C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe
"C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"
C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\519b4c81-998e-45cb-989b-eca0383684f5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
"C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
"C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCAFHIJDHDG.exe"
C:\Users\AdminCAFHIJDHDG.exe
"C:\Users\AdminCAFHIJDHDG.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFIEBKEHCA.exe"
C:\Users\AdminCFIEBKEHCA.exe
"C:\Users\AdminCFIEBKEHCA.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1284
C:\ProgramData\FBGHIIJDGH.exe
"C:\ProgramData\FBGHIIJDGH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\GDBAKKKFBG.exe
"C:\ProgramData\GDBAKKKFBG.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1144
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1268
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFCBAEHCAEGD" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| DE | 5.75.220.8:443 | tcp | |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-02 16:01
Reported
2024-09-02 16:09
Platform
win7-20240729-en
Max time kernel
239s
Max time network
243s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2084 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SurelyCabin | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\NotreNr | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\SpectrumNext | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\StayOperating | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\BrokerBaby | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 57839
C:\Windows\SysWOW64\findstr.exe
findstr /V "ComicHoRecruitingHabits" Voluntary
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
Crash.pif j
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zRSEpqfcCxtm.zRSEpqfcCxtm | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Expectations
| MD5 | 3281bcef02057c7c42ffc446180035d9 |
| SHA1 | b6f03015126215d02e2e0a299af9822df7080a0b |
| SHA256 | a09bfd463231d947d05075be36ab7bf17df215973c35f8de0cfa7bb8497bc713 |
| SHA512 | 2dd9821ce87a7e17a9a1d0546873ed2f8c0ceab314b10d1b71c95be2f209cc60c265b2cd6aba1ba1e694a7d709b7028c7f11cccd0e7bf555825ddfc69a78458c |
C:\Users\Admin\AppData\Local\Temp\Voluntary
| MD5 | f9eb00df5045603dcd9bd10c9c2de5a6 |
| SHA1 | ec9430633bd4833a58c4d5cabdb4bd39115c3fee |
| SHA256 | f4c33fe43545336d8214df342721358940b2931733e1e495171b16eec3eaf3ca |
| SHA512 | 1f48845c174f306cf96400a2c7a200729529726f92a4c433ba07d07dace7a9394a5fa165824e69b3ef16a7bfa1f4ddb56c5377f76a00d927ddd4ffd0ef8bb402 |
C:\Users\Admin\AppData\Local\Temp\Convicted
| MD5 | 756ebe860d35cf35959526d533e1547b |
| SHA1 | d739e66da9e6cea11d1df535210ad0dbf1bab2ea |
| SHA256 | f9ad895cd4e1daa5469ad8f10da51ce8bc7761bcaf1bfd1a1b859617bd5f9659 |
| SHA512 | 264cdb50d5fe76edf63825abb9cbf671182b985ff2a08cfb2bc762ea48e0bd5a9bc6c83473b2e468e3dd5536c4a34a14f79d3685f85c7a4353bfaf6692859650 |
C:\Users\Admin\AppData\Local\Temp\Festival
| MD5 | b7ad3cbdf401b3c7267cfc9711574142 |
| SHA1 | e7a0ceb17efd4038a20865e496bd4a5ba19fd77c |
| SHA256 | 643138ec5dc886e6bf8814b20e79755508d431fdb30b09bfcfe9c151a067ae78 |
| SHA512 | 735f0ace87cf5da6764c5ba585841c5551c45bd1e4c1e80cb9bb85fb5409a5c25aa13270a906e3cc6bafabdd2ef49b057653b9492c6d0c40564e99ae38b3cbbe |
C:\Users\Admin\AppData\Local\Temp\Row
| MD5 | bf39dfa471c242ee0ce4c1010af5854f |
| SHA1 | 7f50ac6e3939dde82d92b5c60ec2a724a8d840b9 |
| SHA256 | fbf43408da62b58fb3f45239076f92258d9c93a1cea87ac5c194be668426195e |
| SHA512 | bf94e13970fac6c98370cad29986a635283652de4fd7cf84b451343427cf4ad97d9b1185cccf780fbbcd7c9eeda49d67372ac81630e3c9b353ad2a0412bcb9d3 |
C:\Users\Admin\AppData\Local\Temp\Seven
| MD5 | 2edee24053811c6808c917363e0a36b1 |
| SHA1 | 67335e45423653ceb25fda916f03906c7809ead2 |
| SHA256 | 80bda82b089599eca38f145957fd0c552994c6b5ea7f3084ad3bbf7f2805c030 |
| SHA512 | b2649bf558570da468baeb7654c66915253d70e9ce7595e0b10a8cb04af75e38986ad68b16f581ea79f54c5a4d5d06f51b13cd6c3b9f1eef16bffedfef965c38 |
C:\Users\Admin\AppData\Local\Temp\Author
| MD5 | ff664f8979f694400b1973a4c9090640 |
| SHA1 | 1f14c9bfec66926d43f9fcae51a531af3a1d95c3 |
| SHA256 | 2944dfefe3123e84dae7deeb3d25353cb4691926a8ef10de80ace2a194e5a355 |
| SHA512 | 665bfa47c037d22edbd1d17947eb25842928ef52a637bec755f843bc7ecbf99f43d804931c0ad1cf567f700461d02dfb55025f60207e9e6c20d3a13b2832feaa |
C:\Users\Admin\AppData\Local\Temp\Jersey
| MD5 | 25f618dcd9a958e79913ec30f89f30c9 |
| SHA1 | 52ce81a9f0d13373257382c67633b3726cd0e919 |
| SHA256 | 859989af71529799e5dae9275b104e8c45b8fa37176f969047151687c3b3ea12 |
| SHA512 | c477e402556045035f3028994fdeffed31f78a787a9dbadccdcc7862d03d234902170559a3fc8929fe4a59fb61279881c6c1f2b7d6870f97c3d9b346e3aafd7f |
C:\Users\Admin\AppData\Local\Temp\Affecting
| MD5 | 3f0c844167b93ec7fd2697de91790c4b |
| SHA1 | 81e9e8c129ef264c7981c49be22fc4f41e504c76 |
| SHA256 | 43dc4eb4d4b1b5be602976c3e6675285b0056fd6c0dd676362f4d026325b0556 |
| SHA512 | 54b72f71637cbcb159c0aaff33ddd6384aefe33bba50fe75c431051dbdda0e6ca83503678635cdabfeabaa11aea0a4c175b9acb48d926e03b7afe2133d269ef4 |
C:\Users\Admin\AppData\Local\Temp\Explanation
| MD5 | 1570a1bee5b357710cc74f60ce825c22 |
| SHA1 | c515aeca6d025d65dc191a31755e87f54092acc5 |
| SHA256 | bdf3713418777ec674408cd3f62ab56e09a2467f1a5f78e8f078f4ef3ecab7ae |
| SHA512 | cddcd3363f1975f0d6118cef40c9464d87f5f8eaba62e8d79da2fc60f5ce7148ffbdc90b60d020e2e78ef3e8c57eff7c9e75dd23295d31354997ce277646c726 |
C:\Users\Admin\AppData\Local\Temp\Reductions
| MD5 | d203f6393a3903aa4d01f3f7f8fbdca1 |
| SHA1 | de0f58ca1f059366d86bfeb1ce91c44b60898bc9 |
| SHA256 | 56362c14415b381c1e869e4fdc88e02945c5560ecb8e4fb877c6afc9e86479dd |
| SHA512 | 4fef97dfc0a70679005c56d9b3a541ce8f36460f667769f48e84b2313f7f6c02c35ce5b5a909778afd2c89e8e7af487d8d0db8adb415ae63aad888e5e167fa87 |
C:\Users\Admin\AppData\Local\Temp\Monte
| MD5 | 5052be6a36baef4bc80fc0a25377991f |
| SHA1 | f4d4d1226128ff8b76a2ff07cddb00132025da58 |
| SHA256 | deca9a2ea25ed74c437cf2de09db4487235dad8aa66ba9b61829ed4984c10952 |
| SHA512 | d651ec799bd503f4bb542a57135ac87f1901b636103054d7b4d57002d80ef866fe815825af314ba621b164d08524475086c06df987c480b2bfe2b2c687cc81e5 |
C:\Users\Admin\AppData\Local\Temp\Nissan
| MD5 | 4c1bf2e085c8294fdca893a02a568d67 |
| SHA1 | f0f6b045c8b13b1684c3ab44ebc9a7fc16bfb375 |
| SHA256 | cd21acc319a788cb924a5a471d00199f414aa5c08e2f0bc6e8b1cc27b5e96891 |
| SHA512 | 2c709bbdc03236416ee76a86d18454a405d9e820de671b749b05509e7a1e1777c18c6e7cf37ec3aa3e0c419baef71f1b240b7667554cd14a594f1b0cf73f83f4 |
C:\Users\Admin\AppData\Local\Temp\Download
| MD5 | e62c9797d10a365321d928e89954a5be |
| SHA1 | 612831de5d1cf5ebd90101617d78411cd5571e98 |
| SHA256 | 565c1e4052237777bf85e359f87a57ad8291017062300e5f677f9d3d77767e03 |
| SHA512 | 7c45ba8873a2647ba73d9fe3aff724051e9da73cb12bebce844fe66140b8493fab661f4c88bf89c1cbeed7e35f8744b679910e3a66aae7933f38aa4230bc1eb0 |
C:\Users\Admin\AppData\Local\Temp\Complicated
| MD5 | 6762d4e94c1b03d2c784c5fcc6078641 |
| SHA1 | 3b1b5041616acacd1a3f2af9206dfb8836cbed8c |
| SHA256 | 05dc4d855281f909f9283f5509e6d73c3d48649be7d089555e69f371fdd71a0e |
| SHA512 | 0ef26c4dcb68dbfeafa254a82286d23403c44d1f21a5b2d677cb3ecefa55b28084afeb6e8bedac80360c34e03846a1562e9d7ef072670a7be62f9209a29475a2 |
C:\Users\Admin\AppData\Local\Temp\Challenge
| MD5 | 537268e78ee12bfbcc243c56a7d496fc |
| SHA1 | 0dfc9eccbddc26e4ae99349cbbabeff3319328ec |
| SHA256 | 2606d23c85faa7cd6392ca4e1988da60c712c824636e8a3a438ab189798cb6ee |
| SHA512 | 4ac82bd876c1530906ecff0bafa09160de3512e9f5acecf3a005a68b1e273ea035d9411b00d06fb7e26e36d82ff3acd6eea86ece56543ab42f00256d76697ca3 |
C:\Users\Admin\AppData\Local\Temp\Diet
| MD5 | 7430584ab5031bd1784772da8a706f6e |
| SHA1 | c299c3785cc742b5d224a500048230320b83eea3 |
| SHA256 | ae0f89dedfc06a686fc283b53fa77b42d07360149a6becf05b134b08bce462e2 |
| SHA512 | 82ba15f997e3b62287cb56138606d930e1d77ebc9a338252cc5f353df4e4361f7a96347580131ea23d651225c72945e44b18d3cd596ca5df7ccd81d9069daca4 |
C:\Users\Admin\AppData\Local\Temp\Cinema
| MD5 | 65570d0c36a8df76f5f0f290652d8832 |
| SHA1 | bc5e984dbb5045c6b3ff0e507fe2145644824430 |
| SHA256 | 0161abe58652bc8e36803ec78070a18a07c59ba6cd05388923b05a88010f2670 |
| SHA512 | caa736077b30d0c819eafd31696a35681bb7afb1103e77597a6339b133874e80464bbf8db342a3661d59b5ec6802f2f5b0a3550e884155be00b1f4f30920ed8a |
C:\Users\Admin\AppData\Local\Temp\Rescue
| MD5 | 6b5b55e3f833053ac81fe00f0e0808f7 |
| SHA1 | 8334f3338966eed623ab0bce20d3a52c417ee4a9 |
| SHA256 | 78ba5a3d96aeae98ea4b0b6a63ffc16b8f19438f2f2158580e2a77876e65efd6 |
| SHA512 | c7b7198b802bbb514d6b05436b118398fdf94c972a3c6d3ee2e5a9a06c1db97faaea3e0caad2ba85a7fd1d2b77234a559436e8c1d1c300571dbbff9a8a6afe98 |
C:\Users\Admin\AppData\Local\Temp\Military
| MD5 | 7ae74abe58a6e55d07374af9c912645f |
| SHA1 | ec6f11d0d01ce721ed11ad3739664c44e7b6e2e3 |
| SHA256 | b1801346bba35b4cd849cec9b51db802f9e4d2c8d287dfa95352851437f75ff8 |
| SHA512 | 73e3e8e341d80c529e38de72962b0abf1a70ae4d0da1f149fc3828cdd3a40c561ab490a9a3177c879dbf6136e6cbac139cf84c06b3ff157d5cba8e069f5830b3 |
C:\Users\Admin\AppData\Local\Temp\Chicken
| MD5 | 20105d875df6d6c0a9a393613822417f |
| SHA1 | 36eea2d5499ab0a814f6352f5adfe0e5941fd221 |
| SHA256 | ca36b84ae853fe9d1c5051e02ff25123d4064c8a6a20d068bd41abc612ee3d43 |
| SHA512 | 092cf321346c059926d1f84133ec84fa489fe44880c43eb003eee8a58883178176acef29828c50ac0b9af768d22ddaf59df33e1e0f35cafcf14e3286974765ff |
C:\Users\Admin\AppData\Local\Temp\Lucy
| MD5 | 1e19f8b5a5df8835b2c08291a28e2096 |
| SHA1 | a2573e83e5d52d4c30fad472131f75c73c666651 |
| SHA256 | 6a5656e3112e2725b03726a0837bf7ac9614a904ed4bd863fc03f48bf391d3ba |
| SHA512 | 65c04cb91f337c076c8bd58298ca32b41c9a58f6733bddd9ba21e6cd36c63c12d4dc9c3234499ec2f4a053f3a5e373d8c3abb4919d139ead3a21507a886d5a94 |
C:\Users\Admin\AppData\Local\Temp\Html
| MD5 | 60ac1993c088722394ffe200673bb477 |
| SHA1 | 4bf6dbf1672272cc12ee9c66280ac15eb6621c0c |
| SHA256 | ca3292f4a30d8fc1d5a4aa8d726b5ebcc15c4fcfd05c557c0f90408a398eee95 |
| SHA512 | 14adc777d65092b48eb1d55e9ec898240fbfc24f13f64734e814457fe2e3f5a7d4a32e4e55299b3638f5308209f28c6ef4e08b70b67107af6ae3106cae0dfd98 |
C:\Users\Admin\AppData\Local\Temp\Modifications
| MD5 | ef01a057cc8722790ca29a4ebaa97d06 |
| SHA1 | a28e9c67b9b6af98c5aedcdde7d954ba95edd3fc |
| SHA256 | 7b9dc5b21229b4ab7c42966692edb6b3c586d3bfc44ea84717ba02247b697c5c |
| SHA512 | 214fafd0f54657e56848454b14d99e740726e3b9252c29156650d8d4010632246e3012c28cad9a6554f9be5a929761da78626ec8ebf5dc7500d5b6eb466f733e |
C:\Users\Admin\AppData\Local\Temp\Savage
| MD5 | fb541151b9390f68c6c2401afc2d99c7 |
| SHA1 | a31a9d485725a9f86a1867f4f81a58d891a89738 |
| SHA256 | ea1b11937d5d91b042394afd21d659a187562800c404ddeb22b9dc112d5de57f |
| SHA512 | 5de0e63460d3e7073bae1a1c5caae32e8d8e2bd9ac03ad1f396f24697c451167e3d969f1f0716c1afc224c54556eae522f26dff69d4839dcf0743dbc3899dcf0 |
C:\Users\Admin\AppData\Local\Temp\Rise
| MD5 | 396d0835e6878f2a72c2104950e072b4 |
| SHA1 | 27750a5a4cc755abbda70173bad00e7b9d5d7fee |
| SHA256 | b2345ac87d9c2c91dc78b75ce32e6faf57589c483be6c5a7b6cd88a51ac9366a |
| SHA512 | 1ed8fce8ab64f9599b7342e8d9ea275bab23d4a13b02230cafcd82d6110bcc7b8e4f708c8e4e6597efb9621b6368ba9b4e84da7cff931855dee81b4ba0d9abe7 |
C:\Users\Admin\AppData\Local\Temp\Lady
| MD5 | 543168f1d78f27bc1e0a01a41fa841e8 |
| SHA1 | 3adfd6f137aae243f115727ff34aef34ec4937d2 |
| SHA256 | 1eecb6117a45ec6408ded2ba9e158a6dcfd5ce70bec186b3fce18c2b554e6d21 |
| SHA512 | 54c7c0070bd4167f8185915dffbd37c9cc28772a277a4f150ddb9e8cd79fd7c715b386986cd4e6d905c37305338c1bda6841fa5e1ca85fc6ee285532dd4005f1 |
C:\Users\Admin\AppData\Local\Temp\Live
| MD5 | 376e677f9a5afdf14a709ae45b3ac489 |
| SHA1 | 12fcde474c530ae35dbd410374b811c3eeb69dbe |
| SHA256 | 742701e67824acdab99ab8b17deaaa4323ac3eb497394732811d0f37843bd09a |
| SHA512 | bb2e48d6858574e45033e76f6a48f5009b77a7c0502e4f32fb7097a8223362c8987323e4ec8e69b934aa6aa27ca60aca50efe4a70fe62ca9001fe1f693f1bcd8 |
C:\Users\Admin\AppData\Local\Temp\Chester
| MD5 | 725acfd693506370739de020e9a887f5 |
| SHA1 | 45649e96847f624b50ed75515922c1db47fc05da |
| SHA256 | b6c3d34fa004d32a8f12e419c3f6a9bd193d4414d67f10ebda3a15422da28b84 |
| SHA512 | 89fdf5041b46c186a7149f924f763382e9f05264aed78a935f45244f3ab305ca4e5c3434af75d397342ea1d9e5be03a9f0c11c4f6cd000ed22d0ae977f78899a |
C:\Users\Admin\AppData\Local\Temp\Massive
| MD5 | a980747d497a8ee2ae7004c77f90733b |
| SHA1 | 68a73778039a85f26ae490bb1a53cf6f7f606d09 |
| SHA256 | 29c12fbc9d853a8ae13d605dd64e5694fed70d8693e44d159a9e790624e14609 |
| SHA512 | f584cd150da0805f01386647ba672c21e51a26be4c59a606942701cbd19a50fc6619536dbcf4d627d9867a034b0795e9395346f4bd720cc2b2e7f7de57a40d2b |
C:\Users\Admin\AppData\Local\Temp\Behavioral
| MD5 | ebe4b07bfed724aa5becd78901a6fe27 |
| SHA1 | 5e8dd44ceac3ed195bfa3d1bb101c44f32e80be7 |
| SHA256 | 6668a6a7cd543d7c205c03f284951e8ea92c28ac73d87e70f75055473897426e |
| SHA512 | 8dc0ed93474503a068ab6bad2b59f84bfc0117a8ed81d56f0b02d8f7c96813b813bf2c464b00fb8088eb2e1c5182eb0a1e7ef90d57081292f3abd8099b3d460c |
C:\Users\Admin\AppData\Local\Temp\Duplicate
| MD5 | 3bcc0c3847c9a8e1699947169eecb998 |
| SHA1 | 9eebb699415d3166209f3b3fb86664911aab576d |
| SHA256 | 61c57cf3c141dcc23165abefcbe0eb26f80538c03b47de7f6e7199aa5f40ae1f |
| SHA512 | 5ddf19bc6cc34e29f08f32b3b9093eed0846c7bd88b34a49cd159f139541f9e16b2375ac6282fc2497fc530bcf0b39325cf46f46e2bd10c19bd7bc34f80fa5db |
C:\Users\Admin\AppData\Local\Temp\Features
| MD5 | d745691d6cb303d913e41ce5e4b58c7c |
| SHA1 | 4d650125002e80e9134f13a50d517371ebb75690 |
| SHA256 | 73ffb9ea8910ea475edb0a552409388109572d989cf03ab6a5c0a661e13849e8 |
| SHA512 | 38217f947ae0348a2ce079bd8086fd276cc3b5ace0bcb1f3d9793f9c939eea9ae1498788c49772472128c17dd5e63a25cb1b75ad8cee12497358442b48a1fedb |
C:\Users\Admin\AppData\Local\Temp\Si
| MD5 | 718c0e812f72e5bcbec91397f65a077d |
| SHA1 | 76068ad0af77a48d664e4b36133f17649b818648 |
| SHA256 | 8f9840ba9841a3a0df66883c1b2063f2252ef739d0ba2326de6162a7c510a860 |
| SHA512 | c8c3b178828562df41f03cead119f330c20009e9c373bb95e78e7c49c39c1a74e11583974facb5198d6277aadf644446691202a3ea084d4c3facc8208fc917cc |
C:\Users\Admin\AppData\Local\Temp\Blogger
| MD5 | 378485e10e236ff814d839659433f06d |
| SHA1 | 5ae0565d277f6e85f58c8607d0b34db0a416025b |
| SHA256 | aee4aa79a81b1f35f9453ad64d7a5913a87cdd44eadbd17648f0be9a530f7245 |
| SHA512 | e81a362ea8a4e5a2ef9b112cbaf581094a992b1a6f31464f60b60828e22284d44374fd6607ec5378fb8deb0d88cc853c2dbbce5fdff38a4ae991fc49f65523ad |
C:\Users\Admin\AppData\Local\Temp\Holy
| MD5 | 2d96b5acce1dec9f12612c247afd1863 |
| SHA1 | 86a7951ea9243849382c4201407f2def3bc3c04e |
| SHA256 | 5b07743f4c23ea6b6a2bae967d7e556b0be8afbf3513a90e42944e38da1e3035 |
| SHA512 | 5dbf9f3ff88f3b98b1b562c996f4406254cdf697cbbeb4d95e5374248f8cdb5ab3b5fb1b622546dc3488e911bafd255c82a8f836bc3d2c02e4b0371991647563 |
C:\Users\Admin\AppData\Local\Temp\Signing
| MD5 | 13d7a9bf7a6a8ad1d7786ae78a0499ae |
| SHA1 | d76aa87f901d3ccf0838fff7a49e9f8b1bdc5288 |
| SHA256 | 5a5f6dab597d2edf2f36671cc2e7973d649a7e182a36be32581b586af2d8a0f8 |
| SHA512 | 38da7f8760ca8677bfd87dd2ed64fd1be84c9336268eade2985f24bd7099dab6046c25b636e4ca29417c0236b0e2e42f2beb1cacbfbe22bc2d444f6d9fe03411 |
C:\Users\Admin\AppData\Local\Temp\Highlighted
| MD5 | 64b4546e5c30703ec09d37d7b580a5f8 |
| SHA1 | 32bd68a136801200bc147cfc4e554d63ceb35e80 |
| SHA256 | bdd93c57d2d6f02a7402eac7517db0d4a58390d01d74443668260436d0af5328 |
| SHA512 | a28cbd7438b6abc438cba05e11251037193a1b0b77846cc960ff6d6fde83c4f262a002fef6402caba68083fb0d7bca97bdd9241979a4de1957aebb8267087d67 |
\Users\Admin\AppData\Local\Temp\57839\Crash.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\57839\j
| MD5 | 6f2a4dfc60f72b9025b045544856516d |
| SHA1 | 88b8695b7b9abe8531fbbc10ed1c3c34549a83c3 |
| SHA256 | dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea |
| SHA512 | afb3fcec8edda5a4f4dacff719874420d31307006009d20259051adf1ecd68e40420cf0254924c6b8c4754ed4d66c202244baef0649fc1ece1f3ac08b99b2da9 |
memory/2696-87-0x0000000000610000-0x00000000007F0000-memory.dmp
memory/2696-88-0x0000000000610000-0x00000000007F0000-memory.dmp
memory/2696-90-0x0000000000610000-0x00000000007F0000-memory.dmp
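The "Suspicious use of SetThreadContext" row above (PID 2084 set thread context of 2696, both processes being Crash.pif) together with the three memory dumps taken from PID 2696 is the evidence an analyst uses to decide which process holds the unpacked payload. The following Python is an added example, not part of this report or of any tool the report was produced with: it parses the signature row and the dump file names exactly as they appear on this page, attributes each dump to the injected process, and reports the dumped region and its size. The dump-name layout (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) is inferred from the names listed here, and the fourth dump name in the sample is constructed to show that unrelated dumps are not attributed to the injection.

```python
import re

# "PID <injector> set thread context of <target>" as printed in the signature table
RE_SET_CTX = re.compile(r"PID\s+(\d+)\s+set thread context of\s+(\d+)", re.I)
# Dump name layout inferred from the names on this page (assumption):
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
RE_DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Sample rows copied from the behavioral2 section of this report
SAMPLE_SIGNATURE_ROWS = ["PID 2084 set thread context of 2696"]
SAMPLE_DUMP_NAMES = [
    "memory/2696-87-0x0000000000610000-0x00000000007F0000-memory.dmp",
    "memory/2696-88-0x0000000000610000-0x00000000007F0000-memory.dmp",
    "memory/2696-90-0x0000000000610000-0x00000000007F0000-memory.dmp",
    # constructed: a dump from an unrelated PID that must not be attributed
    "memory/1234-3-0x0000000000400000-0x0000000000410000-memory.dmp",
]


def parse_set_thread_context(rows):
    """Return (injector_pid, target_pid) pairs from SetThreadContext signature rows."""
    pairs = []
    for row in rows:
        m = RE_SET_CTX.search(row)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def parse_dumps(names):
    """Return one dict per recognised dump name: pid, sequence number, region bounds, size."""
    dumps = []
    for name in names:
        m = RE_DUMP.search(name)
        if not m:
            continue
        pid, seq = int(m.group(1)), int(m.group(2))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        dumps.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
    return dumps


def correlate(rows, names):
    """Map each injected (target) PID to its injector and the distinct regions dumped from it."""
    dumps = parse_dumps(names)
    report = {}
    for injector, target in parse_set_thread_context(rows):
        mine = [d for d in dumps if d["pid"] == target]
        regions = sorted({(d["start"], d["end"], d["size"]) for d in mine})
        report[target] = {"injector": injector, "dump_count": len(mine), "regions": regions}
    return report


def describe(report):
    """Human-readable lines for the triage notes."""
    lines = []
    for target, info in report.items():
        for start, end, size in info["regions"]:
            lines.append(
                f"PID {info['injector']} wrote thread context into PID {target}; "
                f"{info['dump_count']} dump(s) cover 0x{start:X}-0x{end:X} ({size} bytes)"
            )
    return lines


if __name__ == "__main__":
    for line in describe(correlate(SAMPLE_SIGNATURE_ROWS, SAMPLE_DUMP_NAMES)):
        print(line)
```

For this run the single region dumped from PID 2696 spans 0x610000 to 0x7F0000, i.e. 0x1E0000 (1,966,080) bytes, and the three dumps are successive snapshots of that same region; the dump to inspect for the stealer payload is therefore the one taken from 2696, not from the parent 2084.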
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-02 16:01
Reported
2024-09-02 16:09
Platform
win10v2004-20240802-en
Max time kernel
124s
Max time network
176s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2184 set thread context of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SurelyCabin | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\NotreNr | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\SpectrumNext | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\StayOperating | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\BrokerBaby | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 57839
C:\Windows\SysWOW64\findstr.exe
findstr /V "ComicHoRecruitingHabits" Voluntary
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
Crash.pif j
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
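The process lists of behavioral2 and behavioral3 are identical and show the whole loader chain in the command lines alone: an extensionless file is renamed to .bat and run, tasklist output is piped through findstr /I for security-product process names, a working directory is created, findstr /V drops a marker line from the file Voluntary (the report shows the command without its output redirection, so the target of that step is not stated), copy /b concatenates 35 fragments into the single-letter file j, Crash.pif is launched with j as its argument, and choice /d y /t 5 serves as a sleep. The Python below is an added example, not part of this report or of the sandbox that produced it: it runs the detection logic a hunter would write for this pattern over the command lines copied from this page. The vendor names attached to the process names in AV_PROCESS_NAMES are general knowledge rather than something the report states, and the MIN_FRAGMENTS threshold is an assumption chosen for this example.

```python
import re

# Constructed sample: the command lines under "Processes" for behavioral2/behavioral3,
# copied from this report in execution order.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"',
    r'"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit',
    "tasklist",
    'findstr /I "wrsa opssvc"',
    "tasklist",
    'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"',
    "cmd /c md 57839",
    'findstr /V "ComicHoRecruitingHabits" Voluntary',
    r"cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting"
    r" + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated"
    r" + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy"
    r" + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester"
    r" + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger"
    r" + ..\Holy + ..\Signing + ..\Highlighted j",
    "Crash.pif j",
    "choice /d y /t 5",
]

# Process names the script greps for, with the product each belongs to (general knowledge,
# not taken from the report).
AV_PROCESS_NAMES = {
    "wrsa": "Webroot SecureAnywhere",
    "opssvc": "Quick Heal",
    "avastui": "Avast",
    "avgui": "AVG",
    "bdservicehost": "Bitdefender",
    "nswscsvc": "Norton",
    "sophoshealth": "Sophos",
}
MIN_FRAGMENTS = 5  # assumption: fewer concatenated parts is not worth flagging

RE_MOVE_BAT = re.compile(r"move\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", re.I)  # rename X -> X.bat, run it
RE_FINDSTR_I = re.compile(r'findstr\s+/I\s+"([^"]+)"', re.I)                # case-insensitive grep list
RE_FINDSTR_V = re.compile(r'findstr\s+/V\s+"([^"]+)"\s+(\S+)', re.I)        # drop marker line from file
RE_COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)               # binary concat -> last token
RE_PIF_EXEC = re.compile(r'(^|\\)([^\\\s"]+\.pif)"?\s+\S+', re.I)            # .pif run with an argument
RE_CHOICE_DELAY = re.compile(r"choice\s+/d\s+\S+\s+/t\s+(\d+)", re.I)        # choice used as sleep


def triage(cmdlines):
    """Return (tag, detail) findings for the fragmented-batch loader pattern."""
    findings = []
    for i, cmd in enumerate(cmdlines):
        m = RE_MOVE_BAT.search(cmd)
        if m:
            findings.append(("rename_to_bat_and_run", m.group(1)))
        m = RE_FINDSTR_I.search(cmd)
        if m:
            names = [n.lower() for n in m.group(1).split()]
            hits = {n: AV_PROCESS_NAMES[n] for n in names if n in AV_PROCESS_NAMES}
            # only meaningful when the grep is fed by a preceding tasklist
            if hits and i > 0 and cmdlines[i - 1].strip().lower() == "tasklist":
                findings.append(("av_process_discovery", ",".join(sorted(hits.values()))))
        m = RE_COPY_B.search(cmd)
        if m:
            parts = [p.strip() for p in m.group(1).split("+") if p.strip()]
            if len(parts) >= MIN_FRAGMENTS:
                findings.append(("fragment_reassembly", f"{len(parts)}->{m.group(2)}"))
        m = RE_FINDSTR_V.search(cmd)
        if m:
            findings.append(("marker_strip_extract", m.group(2)))
        m = RE_PIF_EXEC.search(cmd)
        if m:
            findings.append(("pif_execution", m.group(2)))
        m = RE_CHOICE_DELAY.search(cmd)
        if m:
            findings.append(("choice_delay", m.group(1)))
    return findings


def verdict(findings):
    """Count distinct chain stages; four or more is treated as the full loader pattern."""
    stages = sorted({tag for tag, _ in findings})
    label = "fragmented-batch loader chain" if len(stages) >= 4 else "inconclusive"
    return {"stages": len(stages), "tags": stages, "verdict": label}


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for tag, detail in found:
        print(f"{tag:24} {detail}")
    print(verdict(found))
```

Each regex is scoped to one stage so that a single match (for instance a legitimate copy /b) scores low on its own; the verdict only fires once several stages appear in the same process list, which is what distinguishes this chain from ordinary batch usage.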
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zRSEpqfcCxtm.zRSEpqfcCxtm | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.139.246.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 52.111.229.48:443 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Expectations
| MD5 | 3281bcef02057c7c42ffc446180035d9 |
| SHA1 | b6f03015126215d02e2e0a299af9822df7080a0b |
| SHA256 | a09bfd463231d947d05075be36ab7bf17df215973c35f8de0cfa7bb8497bc713 |
| SHA512 | 2dd9821ce87a7e17a9a1d0546873ed2f8c0ceab314b10d1b71c95be2f209cc60c265b2cd6aba1ba1e694a7d709b7028c7f11cccd0e7bf555825ddfc69a78458c |
C:\Users\Admin\AppData\Local\Temp\Voluntary
| MD5 | f9eb00df5045603dcd9bd10c9c2de5a6 |
| SHA1 | ec9430633bd4833a58c4d5cabdb4bd39115c3fee |
| SHA256 | f4c33fe43545336d8214df342721358940b2931733e1e495171b16eec3eaf3ca |
| SHA512 | 1f48845c174f306cf96400a2c7a200729529726f92a4c433ba07d07dace7a9394a5fa165824e69b3ef16a7bfa1f4ddb56c5377f76a00d927ddd4ffd0ef8bb402 |
C:\Users\Admin\AppData\Local\Temp\Convicted
| MD5 | 756ebe860d35cf35959526d533e1547b |
| SHA1 | d739e66da9e6cea11d1df535210ad0dbf1bab2ea |
| SHA256 | f9ad895cd4e1daa5469ad8f10da51ce8bc7761bcaf1bfd1a1b859617bd5f9659 |
| SHA512 | 264cdb50d5fe76edf63825abb9cbf671182b985ff2a08cfb2bc762ea48e0bd5a9bc6c83473b2e468e3dd5536c4a34a14f79d3685f85c7a4353bfaf6692859650 |
C:\Users\Admin\AppData\Local\Temp\Festival
| MD5 | b7ad3cbdf401b3c7267cfc9711574142 |
| SHA1 | e7a0ceb17efd4038a20865e496bd4a5ba19fd77c |
| SHA256 | 643138ec5dc886e6bf8814b20e79755508d431fdb30b09bfcfe9c151a067ae78 |
| SHA512 | 735f0ace87cf5da6764c5ba585841c5551c45bd1e4c1e80cb9bb85fb5409a5c25aa13270a906e3cc6bafabdd2ef49b057653b9492c6d0c40564e99ae38b3cbbe |
C:\Users\Admin\AppData\Local\Temp\Row
| MD5 | bf39dfa471c242ee0ce4c1010af5854f |
| SHA1 | 7f50ac6e3939dde82d92b5c60ec2a724a8d840b9 |
| SHA256 | fbf43408da62b58fb3f45239076f92258d9c93a1cea87ac5c194be668426195e |
| SHA512 | bf94e13970fac6c98370cad29986a635283652de4fd7cf84b451343427cf4ad97d9b1185cccf780fbbcd7c9eeda49d67372ac81630e3c9b353ad2a0412bcb9d3 |
C:\Users\Admin\AppData\Local\Temp\Seven
| MD5 | 2edee24053811c6808c917363e0a36b1 |
| SHA1 | 67335e45423653ceb25fda916f03906c7809ead2 |
| SHA256 | 80bda82b089599eca38f145957fd0c552994c6b5ea7f3084ad3bbf7f2805c030 |
| SHA512 | b2649bf558570da468baeb7654c66915253d70e9ce7595e0b10a8cb04af75e38986ad68b16f581ea79f54c5a4d5d06f51b13cd6c3b9f1eef16bffedfef965c38 |
C:\Users\Admin\AppData\Local\Temp\Author
| MD5 | ff664f8979f694400b1973a4c9090640 |
| SHA1 | 1f14c9bfec66926d43f9fcae51a531af3a1d95c3 |
| SHA256 | 2944dfefe3123e84dae7deeb3d25353cb4691926a8ef10de80ace2a194e5a355 |
| SHA512 | 665bfa47c037d22edbd1d17947eb25842928ef52a637bec755f843bc7ecbf99f43d804931c0ad1cf567f700461d02dfb55025f60207e9e6c20d3a13b2832feaa |
C:\Users\Admin\AppData\Local\Temp\Jersey
| MD5 | 25f618dcd9a958e79913ec30f89f30c9 |
| SHA1 | 52ce81a9f0d13373257382c67633b3726cd0e919 |
| SHA256 | 859989af71529799e5dae9275b104e8c45b8fa37176f969047151687c3b3ea12 |
| SHA512 | c477e402556045035f3028994fdeffed31f78a787a9dbadccdcc7862d03d234902170559a3fc8929fe4a59fb61279881c6c1f2b7d6870f97c3d9b346e3aafd7f |
C:\Users\Admin\AppData\Local\Temp\Affecting
| MD5 | 3f0c844167b93ec7fd2697de91790c4b |
| SHA1 | 81e9e8c129ef264c7981c49be22fc4f41e504c76 |
| SHA256 | 43dc4eb4d4b1b5be602976c3e6675285b0056fd6c0dd676362f4d026325b0556 |
| SHA512 | 54b72f71637cbcb159c0aaff33ddd6384aefe33bba50fe75c431051dbdda0e6ca83503678635cdabfeabaa11aea0a4c175b9acb48d926e03b7afe2133d269ef4 |
C:\Users\Admin\AppData\Local\Temp\Explanation
| MD5 | 1570a1bee5b357710cc74f60ce825c22 |
| SHA1 | c515aeca6d025d65dc191a31755e87f54092acc5 |
| SHA256 | bdf3713418777ec674408cd3f62ab56e09a2467f1a5f78e8f078f4ef3ecab7ae |
| SHA512 | cddcd3363f1975f0d6118cef40c9464d87f5f8eaba62e8d79da2fc60f5ce7148ffbdc90b60d020e2e78ef3e8c57eff7c9e75dd23295d31354997ce277646c726 |
C:\Users\Admin\AppData\Local\Temp\Reductions
| MD5 | d203f6393a3903aa4d01f3f7f8fbdca1 |
| SHA1 | de0f58ca1f059366d86bfeb1ce91c44b60898bc9 |
| SHA256 | 56362c14415b381c1e869e4fdc88e02945c5560ecb8e4fb877c6afc9e86479dd |
| SHA512 | 4fef97dfc0a70679005c56d9b3a541ce8f36460f667769f48e84b2313f7f6c02c35ce5b5a909778afd2c89e8e7af487d8d0db8adb415ae63aad888e5e167fa87 |
C:\Users\Admin\AppData\Local\Temp\Monte
| MD5 | 5052be6a36baef4bc80fc0a25377991f |
| SHA1 | f4d4d1226128ff8b76a2ff07cddb00132025da58 |
| SHA256 | deca9a2ea25ed74c437cf2de09db4487235dad8aa66ba9b61829ed4984c10952 |
| SHA512 | d651ec799bd503f4bb542a57135ac87f1901b636103054d7b4d57002d80ef866fe815825af314ba621b164d08524475086c06df987c480b2bfe2b2c687cc81e5 |
C:\Users\Admin\AppData\Local\Temp\Nissan
| MD5 | 4c1bf2e085c8294fdca893a02a568d67 |
| SHA1 | f0f6b045c8b13b1684c3ab44ebc9a7fc16bfb375 |
| SHA256 | cd21acc319a788cb924a5a471d00199f414aa5c08e2f0bc6e8b1cc27b5e96891 |
| SHA512 | 2c709bbdc03236416ee76a86d18454a405d9e820de671b749b05509e7a1e1777c18c6e7cf37ec3aa3e0c419baef71f1b240b7667554cd14a594f1b0cf73f83f4 |
C:\Users\Admin\AppData\Local\Temp\Download
| MD5 | e62c9797d10a365321d928e89954a5be |
| SHA1 | 612831de5d1cf5ebd90101617d78411cd5571e98 |
| SHA256 | 565c1e4052237777bf85e359f87a57ad8291017062300e5f677f9d3d77767e03 |
| SHA512 | 7c45ba8873a2647ba73d9fe3aff724051e9da73cb12bebce844fe66140b8493fab661f4c88bf89c1cbeed7e35f8744b679910e3a66aae7933f38aa4230bc1eb0 |
C:\Users\Admin\AppData\Local\Temp\Complicated
| MD5 | 6762d4e94c1b03d2c784c5fcc6078641 |
| SHA1 | 3b1b5041616acacd1a3f2af9206dfb8836cbed8c |
| SHA256 | 05dc4d855281f909f9283f5509e6d73c3d48649be7d089555e69f371fdd71a0e |
| SHA512 | 0ef26c4dcb68dbfeafa254a82286d23403c44d1f21a5b2d677cb3ecefa55b28084afeb6e8bedac80360c34e03846a1562e9d7ef072670a7be62f9209a29475a2 |
C:\Users\Admin\AppData\Local\Temp\Challenge
| MD5 | 537268e78ee12bfbcc243c56a7d496fc |
| SHA1 | 0dfc9eccbddc26e4ae99349cbbabeff3319328ec |
| SHA256 | 2606d23c85faa7cd6392ca4e1988da60c712c824636e8a3a438ab189798cb6ee |
| SHA512 | 4ac82bd876c1530906ecff0bafa09160de3512e9f5acecf3a005a68b1e273ea035d9411b00d06fb7e26e36d82ff3acd6eea86ece56543ab42f00256d76697ca3 |
C:\Users\Admin\AppData\Local\Temp\Diet
| MD5 | 7430584ab5031bd1784772da8a706f6e |
| SHA1 | c299c3785cc742b5d224a500048230320b83eea3 |
| SHA256 | ae0f89dedfc06a686fc283b53fa77b42d07360149a6becf05b134b08bce462e2 |
| SHA512 | 82ba15f997e3b62287cb56138606d930e1d77ebc9a338252cc5f353df4e4361f7a96347580131ea23d651225c72945e44b18d3cd596ca5df7ccd81d9069daca4 |
C:\Users\Admin\AppData\Local\Temp\Cinema
| MD5 | 65570d0c36a8df76f5f0f290652d8832 |
| SHA1 | bc5e984dbb5045c6b3ff0e507fe2145644824430 |
| SHA256 | 0161abe58652bc8e36803ec78070a18a07c59ba6cd05388923b05a88010f2670 |
| SHA512 | caa736077b30d0c819eafd31696a35681bb7afb1103e77597a6339b133874e80464bbf8db342a3661d59b5ec6802f2f5b0a3550e884155be00b1f4f30920ed8a |
C:\Users\Admin\AppData\Local\Temp\Rescue
| MD5 | 6b5b55e3f833053ac81fe00f0e0808f7 |
| SHA1 | 8334f3338966eed623ab0bce20d3a52c417ee4a9 |
| SHA256 | 78ba5a3d96aeae98ea4b0b6a63ffc16b8f19438f2f2158580e2a77876e65efd6 |
| SHA512 | c7b7198b802bbb514d6b05436b118398fdf94c972a3c6d3ee2e5a9a06c1db97faaea3e0caad2ba85a7fd1d2b77234a559436e8c1d1c300571dbbff9a8a6afe98 |
C:\Users\Admin\AppData\Local\Temp\Military
| MD5 | 7ae74abe58a6e55d07374af9c912645f |
| SHA1 | ec6f11d0d01ce721ed11ad3739664c44e7b6e2e3 |
| SHA256 | b1801346bba35b4cd849cec9b51db802f9e4d2c8d287dfa95352851437f75ff8 |
| SHA512 | 73e3e8e341d80c529e38de72962b0abf1a70ae4d0da1f149fc3828cdd3a40c561ab490a9a3177c879dbf6136e6cbac139cf84c06b3ff157d5cba8e069f5830b3 |
C:\Users\Admin\AppData\Local\Temp\Chicken
| MD5 | 20105d875df6d6c0a9a393613822417f |
| SHA1 | 36eea2d5499ab0a814f6352f5adfe0e5941fd221 |
| SHA256 | ca36b84ae853fe9d1c5051e02ff25123d4064c8a6a20d068bd41abc612ee3d43 |
| SHA512 | 092cf321346c059926d1f84133ec84fa489fe44880c43eb003eee8a58883178176acef29828c50ac0b9af768d22ddaf59df33e1e0f35cafcf14e3286974765ff |
C:\Users\Admin\AppData\Local\Temp\Lucy
| MD5 | 1e19f8b5a5df8835b2c08291a28e2096 |
| SHA1 | a2573e83e5d52d4c30fad472131f75c73c666651 |
| SHA256 | 6a5656e3112e2725b03726a0837bf7ac9614a904ed4bd863fc03f48bf391d3ba |
| SHA512 | 65c04cb91f337c076c8bd58298ca32b41c9a58f6733bddd9ba21e6cd36c63c12d4dc9c3234499ec2f4a053f3a5e373d8c3abb4919d139ead3a21507a886d5a94 |
C:\Users\Admin\AppData\Local\Temp\Html
| MD5 | 60ac1993c088722394ffe200673bb477 |
| SHA1 | 4bf6dbf1672272cc12ee9c66280ac15eb6621c0c |
| SHA256 | ca3292f4a30d8fc1d5a4aa8d726b5ebcc15c4fcfd05c557c0f90408a398eee95 |
| SHA512 | 14adc777d65092b48eb1d55e9ec898240fbfc24f13f64734e814457fe2e3f5a7d4a32e4e55299b3638f5308209f28c6ef4e08b70b67107af6ae3106cae0dfd98 |
C:\Users\Admin\AppData\Local\Temp\Modifications
| MD5 | ef01a057cc8722790ca29a4ebaa97d06 |
| SHA1 | a28e9c67b9b6af98c5aedcdde7d954ba95edd3fc |
| SHA256 | 7b9dc5b21229b4ab7c42966692edb6b3c586d3bfc44ea84717ba02247b697c5c |
| SHA512 | 214fafd0f54657e56848454b14d99e740726e3b9252c29156650d8d4010632246e3012c28cad9a6554f9be5a929761da78626ec8ebf5dc7500d5b6eb466f733e |
C:\Users\Admin\AppData\Local\Temp\Savage
| MD5 | fb541151b9390f68c6c2401afc2d99c7 |
| SHA1 | a31a9d485725a9f86a1867f4f81a58d891a89738 |
| SHA256 | ea1b11937d5d91b042394afd21d659a187562800c404ddeb22b9dc112d5de57f |
| SHA512 | 5de0e63460d3e7073bae1a1c5caae32e8d8e2bd9ac03ad1f396f24697c451167e3d969f1f0716c1afc224c54556eae522f26dff69d4839dcf0743dbc3899dcf0 |
C:\Users\Admin\AppData\Local\Temp\Rise
| MD5 | 396d0835e6878f2a72c2104950e072b4 |
| SHA1 | 27750a5a4cc755abbda70173bad00e7b9d5d7fee |
| SHA256 | b2345ac87d9c2c91dc78b75ce32e6faf57589c483be6c5a7b6cd88a51ac9366a |
| SHA512 | 1ed8fce8ab64f9599b7342e8d9ea275bab23d4a13b02230cafcd82d6110bcc7b8e4f708c8e4e6597efb9621b6368ba9b4e84da7cff931855dee81b4ba0d9abe7 |
C:\Users\Admin\AppData\Local\Temp\Lady
| MD5 | 543168f1d78f27bc1e0a01a41fa841e8 |
| SHA1 | 3adfd6f137aae243f115727ff34aef34ec4937d2 |
| SHA256 | 1eecb6117a45ec6408ded2ba9e158a6dcfd5ce70bec186b3fce18c2b554e6d21 |
| SHA512 | 54c7c0070bd4167f8185915dffbd37c9cc28772a277a4f150ddb9e8cd79fd7c715b386986cd4e6d905c37305338c1bda6841fa5e1ca85fc6ee285532dd4005f1 |
C:\Users\Admin\AppData\Local\Temp\Live
| MD5 | 376e677f9a5afdf14a709ae45b3ac489 |
| SHA1 | 12fcde474c530ae35dbd410374b811c3eeb69dbe |
| SHA256 | 742701e67824acdab99ab8b17deaaa4323ac3eb497394732811d0f37843bd09a |
| SHA512 | bb2e48d6858574e45033e76f6a48f5009b77a7c0502e4f32fb7097a8223362c8987323e4ec8e69b934aa6aa27ca60aca50efe4a70fe62ca9001fe1f693f1bcd8 |
C:\Users\Admin\AppData\Local\Temp\Chester
| MD5 | 725acfd693506370739de020e9a887f5 |
| SHA1 | 45649e96847f624b50ed75515922c1db47fc05da |
| SHA256 | b6c3d34fa004d32a8f12e419c3f6a9bd193d4414d67f10ebda3a15422da28b84 |
| SHA512 | 89fdf5041b46c186a7149f924f763382e9f05264aed78a935f45244f3ab305ca4e5c3434af75d397342ea1d9e5be03a9f0c11c4f6cd000ed22d0ae977f78899a |
C:\Users\Admin\AppData\Local\Temp\Massive
| MD5 | a980747d497a8ee2ae7004c77f90733b |
| SHA1 | 68a73778039a85f26ae490bb1a53cf6f7f606d09 |
| SHA256 | 29c12fbc9d853a8ae13d605dd64e5694fed70d8693e44d159a9e790624e14609 |
| SHA512 | f584cd150da0805f01386647ba672c21e51a26be4c59a606942701cbd19a50fc6619536dbcf4d627d9867a034b0795e9395346f4bd720cc2b2e7f7de57a40d2b |
C:\Users\Admin\AppData\Local\Temp\Behavioral
| MD5 | ebe4b07bfed724aa5becd78901a6fe27 |
| SHA1 | 5e8dd44ceac3ed195bfa3d1bb101c44f32e80be7 |
| SHA256 | 6668a6a7cd543d7c205c03f284951e8ea92c28ac73d87e70f75055473897426e |
| SHA512 | 8dc0ed93474503a068ab6bad2b59f84bfc0117a8ed81d56f0b02d8f7c96813b813bf2c464b00fb8088eb2e1c5182eb0a1e7ef90d57081292f3abd8099b3d460c |
C:\Users\Admin\AppData\Local\Temp\Duplicate
| MD5 | 3bcc0c3847c9a8e1699947169eecb998 |
| SHA1 | 9eebb699415d3166209f3b3fb86664911aab576d |
| SHA256 | 61c57cf3c141dcc23165abefcbe0eb26f80538c03b47de7f6e7199aa5f40ae1f |
| SHA512 | 5ddf19bc6cc34e29f08f32b3b9093eed0846c7bd88b34a49cd159f139541f9e16b2375ac6282fc2497fc530bcf0b39325cf46f46e2bd10c19bd7bc34f80fa5db |
C:\Users\Admin\AppData\Local\Temp\Features
| MD5 | d745691d6cb303d913e41ce5e4b58c7c |
| SHA1 | 4d650125002e80e9134f13a50d517371ebb75690 |
| SHA256 | 73ffb9ea8910ea475edb0a552409388109572d989cf03ab6a5c0a661e13849e8 |
| SHA512 | 38217f947ae0348a2ce079bd8086fd276cc3b5ace0bcb1f3d9793f9c939eea9ae1498788c49772472128c17dd5e63a25cb1b75ad8cee12497358442b48a1fedb |
C:\Users\Admin\AppData\Local\Temp\Si
| MD5 | 718c0e812f72e5bcbec91397f65a077d |
| SHA1 | 76068ad0af77a48d664e4b36133f17649b818648 |
| SHA256 | 8f9840ba9841a3a0df66883c1b2063f2252ef739d0ba2326de6162a7c510a860 |
| SHA512 | c8c3b178828562df41f03cead119f330c20009e9c373bb95e78e7c49c39c1a74e11583974facb5198d6277aadf644446691202a3ea084d4c3facc8208fc917cc |
C:\Users\Admin\AppData\Local\Temp\Holy
| MD5 | 2d96b5acce1dec9f12612c247afd1863 |
| SHA1 | 86a7951ea9243849382c4201407f2def3bc3c04e |
| SHA256 | 5b07743f4c23ea6b6a2bae967d7e556b0be8afbf3513a90e42944e38da1e3035 |
| SHA512 | 5dbf9f3ff88f3b98b1b562c996f4406254cdf697cbbeb4d95e5374248f8cdb5ab3b5fb1b622546dc3488e911bafd255c82a8f836bc3d2c02e4b0371991647563 |
C:\Users\Admin\AppData\Local\Temp\Blogger
| MD5 | 378485e10e236ff814d839659433f06d |
| SHA1 | 5ae0565d277f6e85f58c8607d0b34db0a416025b |
| SHA256 | aee4aa79a81b1f35f9453ad64d7a5913a87cdd44eadbd17648f0be9a530f7245 |
| SHA512 | e81a362ea8a4e5a2ef9b112cbaf581094a992b1a6f31464f60b60828e22284d44374fd6607ec5378fb8deb0d88cc853c2dbbce5fdff38a4ae991fc49f65523ad |
C:\Users\Admin\AppData\Local\Temp\Highlighted
| MD5 | 64b4546e5c30703ec09d37d7b580a5f8 |
| SHA1 | 32bd68a136801200bc147cfc4e554d63ceb35e80 |
| SHA256 | bdd93c57d2d6f02a7402eac7517db0d4a58390d01d74443668260436d0af5328 |
| SHA512 | a28cbd7438b6abc438cba05e11251037193a1b0b77846cc960ff6d6fde83c4f262a002fef6402caba68083fb0d7bca97bdd9241979a4de1957aebb8267087d67 |
C:\Users\Admin\AppData\Local\Temp\Signing
| MD5 | 13d7a9bf7a6a8ad1d7786ae78a0499ae |
| SHA1 | d76aa87f901d3ccf0838fff7a49e9f8b1bdc5288 |
| SHA256 | 5a5f6dab597d2edf2f36671cc2e7973d649a7e182a36be32581b586af2d8a0f8 |
| SHA512 | 38da7f8760ca8677bfd87dd2ed64fd1be84c9336268eade2985f24bd7099dab6046c25b636e4ca29417c0236b0e2e42f2beb1cacbfbe22bc2d444f6d9fe03411 |
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\57839\j
| MD5 | 6f2a4dfc60f72b9025b045544856516d |
| SHA1 | 88b8695b7b9abe8531fbbc10ed1c3c34549a83c3 |
| SHA256 | dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea |
| SHA512 | afb3fcec8edda5a4f4dacff719874420d31307006009d20259051adf1ecd68e40420cf0254924c6b8c4754ed4d66c202244baef0649fc1ece1f3ac08b99b2da9 |
memory/4512-84-0x0000000001260000-0x0000000001440000-memory.dmp
memory/4512-85-0x0000000001260000-0x0000000001440000-memory.dmp
memory/4512-87-0x0000000001260000-0x0000000001440000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-02 16:01
Reported
2024-09-02 16:09
Platform
win11-20240802-en
Max time kernel
240s
Max time network
304s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 492 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\NotreNr | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\SpectrumNext | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\StayOperating | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\BrokerBaby | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| File opened for modification | C:\Windows\SurelyCabin | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 57839
C:\Windows\SysWOW64\findstr.exe
findstr /V "ComicHoRecruitingHabits" Voluntary
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
Crash.pif j
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zRSEpqfcCxtm.zRSEpqfcCxtm | udp |
| DE | 92.246.139.82:80 | 92.246.139.82 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Expectations
| MD5 | 3281bcef02057c7c42ffc446180035d9 |
| SHA1 | b6f03015126215d02e2e0a299af9822df7080a0b |
| SHA256 | a09bfd463231d947d05075be36ab7bf17df215973c35f8de0cfa7bb8497bc713 |
| SHA512 | 2dd9821ce87a7e17a9a1d0546873ed2f8c0ceab314b10d1b71c95be2f209cc60c265b2cd6aba1ba1e694a7d709b7028c7f11cccd0e7bf555825ddfc69a78458c |
C:\Users\Admin\AppData\Local\Temp\Voluntary
| MD5 | f9eb00df5045603dcd9bd10c9c2de5a6 |
| SHA1 | ec9430633bd4833a58c4d5cabdb4bd39115c3fee |
| SHA256 | f4c33fe43545336d8214df342721358940b2931733e1e495171b16eec3eaf3ca |
| SHA512 | 1f48845c174f306cf96400a2c7a200729529726f92a4c433ba07d07dace7a9394a5fa165824e69b3ef16a7bfa1f4ddb56c5377f76a00d927ddd4ffd0ef8bb402 |
C:\Users\Admin\AppData\Local\Temp\Convicted
| MD5 | 756ebe860d35cf35959526d533e1547b |
| SHA1 | d739e66da9e6cea11d1df535210ad0dbf1bab2ea |
| SHA256 | f9ad895cd4e1daa5469ad8f10da51ce8bc7761bcaf1bfd1a1b859617bd5f9659 |
| SHA512 | 264cdb50d5fe76edf63825abb9cbf671182b985ff2a08cfb2bc762ea48e0bd5a9bc6c83473b2e468e3dd5536c4a34a14f79d3685f85c7a4353bfaf6692859650 |
C:\Users\Admin\AppData\Local\Temp\Festival
| MD5 | b7ad3cbdf401b3c7267cfc9711574142 |
| SHA1 | e7a0ceb17efd4038a20865e496bd4a5ba19fd77c |
| SHA256 | 643138ec5dc886e6bf8814b20e79755508d431fdb30b09bfcfe9c151a067ae78 |
| SHA512 | 735f0ace87cf5da6764c5ba585841c5551c45bd1e4c1e80cb9bb85fb5409a5c25aa13270a906e3cc6bafabdd2ef49b057653b9492c6d0c40564e99ae38b3cbbe |
C:\Users\Admin\AppData\Local\Temp\Row
| MD5 | bf39dfa471c242ee0ce4c1010af5854f |
| SHA1 | 7f50ac6e3939dde82d92b5c60ec2a724a8d840b9 |
| SHA256 | fbf43408da62b58fb3f45239076f92258d9c93a1cea87ac5c194be668426195e |
| SHA512 | bf94e13970fac6c98370cad29986a635283652de4fd7cf84b451343427cf4ad97d9b1185cccf780fbbcd7c9eeda49d67372ac81630e3c9b353ad2a0412bcb9d3 |
C:\Users\Admin\AppData\Local\Temp\Seven
| MD5 | 2edee24053811c6808c917363e0a36b1 |
| SHA1 | 67335e45423653ceb25fda916f03906c7809ead2 |
| SHA256 | 80bda82b089599eca38f145957fd0c552994c6b5ea7f3084ad3bbf7f2805c030 |
| SHA512 | b2649bf558570da468baeb7654c66915253d70e9ce7595e0b10a8cb04af75e38986ad68b16f581ea79f54c5a4d5d06f51b13cd6c3b9f1eef16bffedfef965c38 |
C:\Users\Admin\AppData\Local\Temp\Author
| MD5 | ff664f8979f694400b1973a4c9090640 |
| SHA1 | 1f14c9bfec66926d43f9fcae51a531af3a1d95c3 |
| SHA256 | 2944dfefe3123e84dae7deeb3d25353cb4691926a8ef10de80ace2a194e5a355 |
| SHA512 | 665bfa47c037d22edbd1d17947eb25842928ef52a637bec755f843bc7ecbf99f43d804931c0ad1cf567f700461d02dfb55025f60207e9e6c20d3a13b2832feaa |
C:\Users\Admin\AppData\Local\Temp\Jersey
| MD5 | 25f618dcd9a958e79913ec30f89f30c9 |
| SHA1 | 52ce81a9f0d13373257382c67633b3726cd0e919 |
| SHA256 | 859989af71529799e5dae9275b104e8c45b8fa37176f969047151687c3b3ea12 |
| SHA512 | c477e402556045035f3028994fdeffed31f78a787a9dbadccdcc7862d03d234902170559a3fc8929fe4a59fb61279881c6c1f2b7d6870f97c3d9b346e3aafd7f |
C:\Users\Admin\AppData\Local\Temp\Affecting
| MD5 | 3f0c844167b93ec7fd2697de91790c4b |
| SHA1 | 81e9e8c129ef264c7981c49be22fc4f41e504c76 |
| SHA256 | 43dc4eb4d4b1b5be602976c3e6675285b0056fd6c0dd676362f4d026325b0556 |
| SHA512 | 54b72f71637cbcb159c0aaff33ddd6384aefe33bba50fe75c431051dbdda0e6ca83503678635cdabfeabaa11aea0a4c175b9acb48d926e03b7afe2133d269ef4 |
C:\Users\Admin\AppData\Local\Temp\Explanation
| MD5 | 1570a1bee5b357710cc74f60ce825c22 |
| SHA1 | c515aeca6d025d65dc191a31755e87f54092acc5 |
| SHA256 | bdf3713418777ec674408cd3f62ab56e09a2467f1a5f78e8f078f4ef3ecab7ae |
| SHA512 | cddcd3363f1975f0d6118cef40c9464d87f5f8eaba62e8d79da2fc60f5ce7148ffbdc90b60d020e2e78ef3e8c57eff7c9e75dd23295d31354997ce277646c726 |
C:\Users\Admin\AppData\Local\Temp\Reductions
| MD5 | d203f6393a3903aa4d01f3f7f8fbdca1 |
| SHA1 | de0f58ca1f059366d86bfeb1ce91c44b60898bc9 |
| SHA256 | 56362c14415b381c1e869e4fdc88e02945c5560ecb8e4fb877c6afc9e86479dd |
| SHA512 | 4fef97dfc0a70679005c56d9b3a541ce8f36460f667769f48e84b2313f7f6c02c35ce5b5a909778afd2c89e8e7af487d8d0db8adb415ae63aad888e5e167fa87 |
C:\Users\Admin\AppData\Local\Temp\Monte
| MD5 | 5052be6a36baef4bc80fc0a25377991f |
| SHA1 | f4d4d1226128ff8b76a2ff07cddb00132025da58 |
| SHA256 | deca9a2ea25ed74c437cf2de09db4487235dad8aa66ba9b61829ed4984c10952 |
| SHA512 | d651ec799bd503f4bb542a57135ac87f1901b636103054d7b4d57002d80ef866fe815825af314ba621b164d08524475086c06df987c480b2bfe2b2c687cc81e5 |
C:\Users\Admin\AppData\Local\Temp\Nissan
| MD5 | 4c1bf2e085c8294fdca893a02a568d67 |
| SHA1 | f0f6b045c8b13b1684c3ab44ebc9a7fc16bfb375 |
| SHA256 | cd21acc319a788cb924a5a471d00199f414aa5c08e2f0bc6e8b1cc27b5e96891 |
| SHA512 | 2c709bbdc03236416ee76a86d18454a405d9e820de671b749b05509e7a1e1777c18c6e7cf37ec3aa3e0c419baef71f1b240b7667554cd14a594f1b0cf73f83f4 |
C:\Users\Admin\AppData\Local\Temp\Complicated
| MD5 | 6762d4e94c1b03d2c784c5fcc6078641 |
| SHA1 | 3b1b5041616acacd1a3f2af9206dfb8836cbed8c |
| SHA256 | 05dc4d855281f909f9283f5509e6d73c3d48649be7d089555e69f371fdd71a0e |
| SHA512 | 0ef26c4dcb68dbfeafa254a82286d23403c44d1f21a5b2d677cb3ecefa55b28084afeb6e8bedac80360c34e03846a1562e9d7ef072670a7be62f9209a29475a2 |
C:\Users\Admin\AppData\Local\Temp\Download
| MD5 | e62c9797d10a365321d928e89954a5be |
| SHA1 | 612831de5d1cf5ebd90101617d78411cd5571e98 |
| SHA256 | 565c1e4052237777bf85e359f87a57ad8291017062300e5f677f9d3d77767e03 |
| SHA512 | 7c45ba8873a2647ba73d9fe3aff724051e9da73cb12bebce844fe66140b8493fab661f4c88bf89c1cbeed7e35f8744b679910e3a66aae7933f38aa4230bc1eb0 |
C:\Users\Admin\AppData\Local\Temp\Challenge
| MD5 | 537268e78ee12bfbcc243c56a7d496fc |
| SHA1 | 0dfc9eccbddc26e4ae99349cbbabeff3319328ec |
| SHA256 | 2606d23c85faa7cd6392ca4e1988da60c712c824636e8a3a438ab189798cb6ee |
| SHA512 | 4ac82bd876c1530906ecff0bafa09160de3512e9f5acecf3a005a68b1e273ea035d9411b00d06fb7e26e36d82ff3acd6eea86ece56543ab42f00256d76697ca3 |
C:\Users\Admin\AppData\Local\Temp\Diet
| MD5 | 7430584ab5031bd1784772da8a706f6e |
| SHA1 | c299c3785cc742b5d224a500048230320b83eea3 |
| SHA256 | ae0f89dedfc06a686fc283b53fa77b42d07360149a6becf05b134b08bce462e2 |
| SHA512 | 82ba15f997e3b62287cb56138606d930e1d77ebc9a338252cc5f353df4e4361f7a96347580131ea23d651225c72945e44b18d3cd596ca5df7ccd81d9069daca4 |
C:\Users\Admin\AppData\Local\Temp\Cinema
| MD5 | 65570d0c36a8df76f5f0f290652d8832 |
| SHA1 | bc5e984dbb5045c6b3ff0e507fe2145644824430 |
| SHA256 | 0161abe58652bc8e36803ec78070a18a07c59ba6cd05388923b05a88010f2670 |
| SHA512 | caa736077b30d0c819eafd31696a35681bb7afb1103e77597a6339b133874e80464bbf8db342a3661d59b5ec6802f2f5b0a3550e884155be00b1f4f30920ed8a |
C:\Users\Admin\AppData\Local\Temp\Rescue
| MD5 | 6b5b55e3f833053ac81fe00f0e0808f7 |
| SHA1 | 8334f3338966eed623ab0bce20d3a52c417ee4a9 |
| SHA256 | 78ba5a3d96aeae98ea4b0b6a63ffc16b8f19438f2f2158580e2a77876e65efd6 |
| SHA512 | c7b7198b802bbb514d6b05436b118398fdf94c972a3c6d3ee2e5a9a06c1db97faaea3e0caad2ba85a7fd1d2b77234a559436e8c1d1c300571dbbff9a8a6afe98 |
C:\Users\Admin\AppData\Local\Temp\Military
| MD5 | 7ae74abe58a6e55d07374af9c912645f |
| SHA1 | ec6f11d0d01ce721ed11ad3739664c44e7b6e2e3 |
| SHA256 | b1801346bba35b4cd849cec9b51db802f9e4d2c8d287dfa95352851437f75ff8 |
| SHA512 | 73e3e8e341d80c529e38de72962b0abf1a70ae4d0da1f149fc3828cdd3a40c561ab490a9a3177c879dbf6136e6cbac139cf84c06b3ff157d5cba8e069f5830b3 |
C:\Users\Admin\AppData\Local\Temp\Lucy
| MD5 | 1e19f8b5a5df8835b2c08291a28e2096 |
| SHA1 | a2573e83e5d52d4c30fad472131f75c73c666651 |
| SHA256 | 6a5656e3112e2725b03726a0837bf7ac9614a904ed4bd863fc03f48bf391d3ba |
| SHA512 | 65c04cb91f337c076c8bd58298ca32b41c9a58f6733bddd9ba21e6cd36c63c12d4dc9c3234499ec2f4a053f3a5e373d8c3abb4919d139ead3a21507a886d5a94 |
C:\Users\Admin\AppData\Local\Temp\Chicken
| MD5 | 20105d875df6d6c0a9a393613822417f |
| SHA1 | 36eea2d5499ab0a814f6352f5adfe0e5941fd221 |
| SHA256 | ca36b84ae853fe9d1c5051e02ff25123d4064c8a6a20d068bd41abc612ee3d43 |
| SHA512 | 092cf321346c059926d1f84133ec84fa489fe44880c43eb003eee8a58883178176acef29828c50ac0b9af768d22ddaf59df33e1e0f35cafcf14e3286974765ff |
C:\Users\Admin\AppData\Local\Temp\Html
| MD5 | 60ac1993c088722394ffe200673bb477 |
| SHA1 | 4bf6dbf1672272cc12ee9c66280ac15eb6621c0c |
| SHA256 | ca3292f4a30d8fc1d5a4aa8d726b5ebcc15c4fcfd05c557c0f90408a398eee95 |
| SHA512 | 14adc777d65092b48eb1d55e9ec898240fbfc24f13f64734e814457fe2e3f5a7d4a32e4e55299b3638f5308209f28c6ef4e08b70b67107af6ae3106cae0dfd98 |
C:\Users\Admin\AppData\Local\Temp\Modifications
| MD5 | ef01a057cc8722790ca29a4ebaa97d06 |
| SHA1 | a28e9c67b9b6af98c5aedcdde7d954ba95edd3fc |
| SHA256 | 7b9dc5b21229b4ab7c42966692edb6b3c586d3bfc44ea84717ba02247b697c5c |
| SHA512 | 214fafd0f54657e56848454b14d99e740726e3b9252c29156650d8d4010632246e3012c28cad9a6554f9be5a929761da78626ec8ebf5dc7500d5b6eb466f733e |
C:\Users\Admin\AppData\Local\Temp\Savage
| MD5 | fb541151b9390f68c6c2401afc2d99c7 |
| SHA1 | a31a9d485725a9f86a1867f4f81a58d891a89738 |
| SHA256 | ea1b11937d5d91b042394afd21d659a187562800c404ddeb22b9dc112d5de57f |
| SHA512 | 5de0e63460d3e7073bae1a1c5caae32e8d8e2bd9ac03ad1f396f24697c451167e3d969f1f0716c1afc224c54556eae522f26dff69d4839dcf0743dbc3899dcf0 |
C:\Users\Admin\AppData\Local\Temp\Rise
| MD5 | 396d0835e6878f2a72c2104950e072b4 |
| SHA1 | 27750a5a4cc755abbda70173bad00e7b9d5d7fee |
| SHA256 | b2345ac87d9c2c91dc78b75ce32e6faf57589c483be6c5a7b6cd88a51ac9366a |
| SHA512 | 1ed8fce8ab64f9599b7342e8d9ea275bab23d4a13b02230cafcd82d6110bcc7b8e4f708c8e4e6597efb9621b6368ba9b4e84da7cff931855dee81b4ba0d9abe7 |
C:\Users\Admin\AppData\Local\Temp\Lady
| MD5 | 543168f1d78f27bc1e0a01a41fa841e8 |
| SHA1 | 3adfd6f137aae243f115727ff34aef34ec4937d2 |
| SHA256 | 1eecb6117a45ec6408ded2ba9e158a6dcfd5ce70bec186b3fce18c2b554e6d21 |
| SHA512 | 54c7c0070bd4167f8185915dffbd37c9cc28772a277a4f150ddb9e8cd79fd7c715b386986cd4e6d905c37305338c1bda6841fa5e1ca85fc6ee285532dd4005f1 |
C:\Users\Admin\AppData\Local\Temp\Live
| MD5 | 376e677f9a5afdf14a709ae45b3ac489 |
| SHA1 | 12fcde474c530ae35dbd410374b811c3eeb69dbe |
| SHA256 | 742701e67824acdab99ab8b17deaaa4323ac3eb497394732811d0f37843bd09a |
| SHA512 | bb2e48d6858574e45033e76f6a48f5009b77a7c0502e4f32fb7097a8223362c8987323e4ec8e69b934aa6aa27ca60aca50efe4a70fe62ca9001fe1f693f1bcd8 |
C:\Users\Admin\AppData\Local\Temp\Chester
| MD5 | 725acfd693506370739de020e9a887f5 |
| SHA1 | 45649e96847f624b50ed75515922c1db47fc05da |
| SHA256 | b6c3d34fa004d32a8f12e419c3f6a9bd193d4414d67f10ebda3a15422da28b84 |
| SHA512 | 89fdf5041b46c186a7149f924f763382e9f05264aed78a935f45244f3ab305ca4e5c3434af75d397342ea1d9e5be03a9f0c11c4f6cd000ed22d0ae977f78899a |
C:\Users\Admin\AppData\Local\Temp\Massive
| MD5 | a980747d497a8ee2ae7004c77f90733b |
| SHA1 | 68a73778039a85f26ae490bb1a53cf6f7f606d09 |
| SHA256 | 29c12fbc9d853a8ae13d605dd64e5694fed70d8693e44d159a9e790624e14609 |
| SHA512 | f584cd150da0805f01386647ba672c21e51a26be4c59a606942701cbd19a50fc6619536dbcf4d627d9867a034b0795e9395346f4bd720cc2b2e7f7de57a40d2b |
C:\Users\Admin\AppData\Local\Temp\Behavioral
| MD5 | ebe4b07bfed724aa5becd78901a6fe27 |
| SHA1 | 5e8dd44ceac3ed195bfa3d1bb101c44f32e80be7 |
| SHA256 | 6668a6a7cd543d7c205c03f284951e8ea92c28ac73d87e70f75055473897426e |
| SHA512 | 8dc0ed93474503a068ab6bad2b59f84bfc0117a8ed81d56f0b02d8f7c96813b813bf2c464b00fb8088eb2e1c5182eb0a1e7ef90d57081292f3abd8099b3d460c |
C:\Users\Admin\AppData\Local\Temp\Duplicate
| MD5 | 3bcc0c3847c9a8e1699947169eecb998 |
| SHA1 | 9eebb699415d3166209f3b3fb86664911aab576d |
| SHA256 | 61c57cf3c141dcc23165abefcbe0eb26f80538c03b47de7f6e7199aa5f40ae1f |
| SHA512 | 5ddf19bc6cc34e29f08f32b3b9093eed0846c7bd88b34a49cd159f139541f9e16b2375ac6282fc2497fc530bcf0b39325cf46f46e2bd10c19bd7bc34f80fa5db |
C:\Users\Admin\AppData\Local\Temp\Features
| MD5 | d745691d6cb303d913e41ce5e4b58c7c |
| SHA1 | 4d650125002e80e9134f13a50d517371ebb75690 |
| SHA256 | 73ffb9ea8910ea475edb0a552409388109572d989cf03ab6a5c0a661e13849e8 |
| SHA512 | 38217f947ae0348a2ce079bd8086fd276cc3b5ace0bcb1f3d9793f9c939eea9ae1498788c49772472128c17dd5e63a25cb1b75ad8cee12497358442b48a1fedb |
C:\Users\Admin\AppData\Local\Temp\Si
| MD5 | 718c0e812f72e5bcbec91397f65a077d |
| SHA1 | 76068ad0af77a48d664e4b36133f17649b818648 |
| SHA256 | 8f9840ba9841a3a0df66883c1b2063f2252ef739d0ba2326de6162a7c510a860 |
| SHA512 | c8c3b178828562df41f03cead119f330c20009e9c373bb95e78e7c49c39c1a74e11583974facb5198d6277aadf644446691202a3ea084d4c3facc8208fc917cc |
C:\Users\Admin\AppData\Local\Temp\Blogger
| MD5 | 378485e10e236ff814d839659433f06d |
| SHA1 | 5ae0565d277f6e85f58c8607d0b34db0a416025b |
| SHA256 | aee4aa79a81b1f35f9453ad64d7a5913a87cdd44eadbd17648f0be9a530f7245 |
| SHA512 | e81a362ea8a4e5a2ef9b112cbaf581094a992b1a6f31464f60b60828e22284d44374fd6607ec5378fb8deb0d88cc853c2dbbce5fdff38a4ae991fc49f65523ad |
C:\Users\Admin\AppData\Local\Temp\Holy
| MD5 | 2d96b5acce1dec9f12612c247afd1863 |
| SHA1 | 86a7951ea9243849382c4201407f2def3bc3c04e |
| SHA256 | 5b07743f4c23ea6b6a2bae967d7e556b0be8afbf3513a90e42944e38da1e3035 |
| SHA512 | 5dbf9f3ff88f3b98b1b562c996f4406254cdf697cbbeb4d95e5374248f8cdb5ab3b5fb1b622546dc3488e911bafd255c82a8f836bc3d2c02e4b0371991647563 |
C:\Users\Admin\AppData\Local\Temp\Signing
| MD5 | 13d7a9bf7a6a8ad1d7786ae78a0499ae |
| SHA1 | d76aa87f901d3ccf0838fff7a49e9f8b1bdc5288 |
| SHA256 | 5a5f6dab597d2edf2f36671cc2e7973d649a7e182a36be32581b586af2d8a0f8 |
| SHA512 | 38da7f8760ca8677bfd87dd2ed64fd1be84c9336268eade2985f24bd7099dab6046c25b636e4ca29417c0236b0e2e42f2beb1cacbfbe22bc2d444f6d9fe03411 |
C:\Users\Admin\AppData\Local\Temp\Highlighted
| MD5 | 64b4546e5c30703ec09d37d7b580a5f8 |
| SHA1 | 32bd68a136801200bc147cfc4e554d63ceb35e80 |
| SHA256 | bdd93c57d2d6f02a7402eac7517db0d4a58390d01d74443668260436d0af5328 |
| SHA512 | a28cbd7438b6abc438cba05e11251037193a1b0b77846cc960ff6d6fde83c4f262a002fef6402caba68083fb0d7bca97bdd9241979a4de1957aebb8267087d67 |
C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\57839\j
| MD5 | 6f2a4dfc60f72b9025b045544856516d |
| SHA1 | 88b8695b7b9abe8531fbbc10ed1c3c34549a83c3 |
| SHA256 | dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea |
| SHA512 | afb3fcec8edda5a4f4dacff719874420d31307006009d20259051adf1ecd68e40420cf0254924c6b8c4754ed4d66c202244baef0649fc1ece1f3ac08b99b2da9 |
memory/2468-84-0x0000000001680000-0x0000000001860000-memory.dmp
memory/2468-85-0x0000000001680000-0x0000000001860000-memory.dmp
memory/2468-87-0x0000000001680000-0x0000000001860000-memory.dmp