Malware Analysis Report

2024-10-19 09:00

Sample ID 240902-tgn7katemq
Target power systems ii.pdf.zip
SHA256 daa053b4eda32444723099d6f54ecb22ff53581753ecd4ccb455f68c74dc8aa4
Tags
djvu lumma redline stealc vidar default leva logsdiller cloud (tg: @logsdillabot) w9 credential_access discovery evasion execution infostealer persistence ransomware spyware stealer
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

daa053b4eda32444723099d6f54ecb22ff53581753ecd4ccb455f68c74dc8aa4

Threat Level: Known bad

The file power systems ii.pdf.zip was found to be: Known bad.

Malicious Activity Summary

djvu lumma redline stealc vidar default leva logsdiller cloud (tg: @logsdillabot) w9 credential_access discovery evasion execution infostealer persistence ransomware spyware stealer

Detected Djvu ransomware

Djvu Ransomware

Lumma Stealer, LummaC

Stealc

Detect Vidar Stealer

RedLine payload

RedLine

Vidar

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Drops startup file

Modifies file permissions

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Checks BIOS information in registry

.NET Reactor protector

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Power Settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Browser Information Discovery

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-02 16:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-02 16:01

Reported

2024-09-02 16:09

Platform

win10-20240404-en

Max time kernel

124s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Users\AdminCAFHIJDHDG.exe N/A
N/A N/A C:\Users\AdminCFIEBKEHCA.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\FBGHIIJDGH.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\519b4c81-998e-45cb-989b-eca0383684f5\\cEb3YN9ry8jg1SsiMsJXrhaM.exe\" --AutoStart" C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
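The two Run values above and the Startup-folder shortcut (PowerExpertNNT.lnk, under "Drops startup file") are the logon persistence this run leaves behind. The SysHelper value, a GUID-named folder under AppData\Local plus an --AutoStart argument, is the persistence shape STOP/Djvu is known for, which matches the djvu tag on this sample. The Python below is an added example and not part of the sandbox report: it parses those report rows, separates executable from arguments, and scores each entry with rules that are this example's own (user-writable directory, GUID-named directory, extra argument), with a guarded collector that does the same against a live Windows host via winreg. It assumes the report's row layout, in which the writer path carries no spaces.

```python
"""Extract the persistence entries a sandbox report records (Run-key values and
Startup-folder shortcuts) and score what makes them suspicious.

Added example, not part of the original report. The rows are copied from the
report; the scoring rules (user-writable directory, GUID-named directory,
extra command-line argument) are this example's own, not sandbox signatures.
"""
import re
import sys
from dataclasses import dataclass, field

# Assumed report layouts: 'Set value (str) <key>\Run\<name> = "<value>" <writer> N/A'
# and 'File created <...\Startup\<file>> <writer> N/A'; writer paths contain no spaces.
RUN_ROW_RE = re.compile(r'^Set value \(str\) \\REGISTRY\\\S*?\\Run\\(\S+) = "(.*)" (\S+) N/A$')
STARTUP_ROW_RE = re.compile(r'^File created (.+?\\Startup\\(\S+)) (\S+) N/A$')
GUID_DIR_RE = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")

REPORT_ROWS = [  # copied from the report above
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\519b4c81-998e-45cb-989b-eca0383684f5\\cEb3YN9ry8jg1SsiMsJXrhaM.exe\" --AutoStart" C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A',
]


@dataclass
class Finding:
    source: str      # "run_key" or "startup_folder"
    name: str        # value name or shortcut file name
    exe: str         # what runs at logon
    args: str
    writer: str      # process that created the entry ("live" for host collection)
    reasons: list = field(default_factory=list)


def unescape_report_value(value: str) -> str:
    """The report prints registry strings with \\ for backslash and \" for quote."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def split_command(cmd: str):
    """Separate a Run value into executable path and arguments."""
    if cmd.startswith('"'):
        exe, _, args = cmd[1:].partition('"')
    else:
        exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def score_path(exe: str) -> list:
    reasons = []
    if any(marker in exe.lower() for marker in USER_WRITABLE):
        reasons.append("user-writable location")
    if GUID_DIR_RE.search(exe):
        reasons.append("GUID-named directory")
    return reasons


def triage_rows(rows) -> list:
    findings = []
    for row in rows:
        if m := RUN_ROW_RE.match(row):
            name, value, writer = m.groups()
            exe, args = split_command(unescape_report_value(value))
            reasons = score_path(exe) + ([f"extra argument: {args}"] if args else [])
            findings.append(Finding("run_key", name, exe, args, writer, reasons))
        elif m := STARTUP_ROW_RE.match(row):
            path, name, writer = m.groups()
            findings.append(Finding("startup_folder", name, path, "", writer, ["Startup folder shortcut"]))
    return findings


def triage_report_rows() -> list:
    return triage_rows(REPORT_ROWS)


def collect_live() -> list:
    """Same findings from a live Windows host: HKCU/HKLM Run values plus the
    user's Startup folder (winreg only exists on Windows)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import os
    import winreg
    findings = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    exe, args = split_command(str(value))
                    reasons = score_path(exe) + ([f"extra argument: {args}"] if args else [])
                    findings.append(Finding("run_key", f"{label}\\Run\\{name}", exe, args, "live", reasons))
        except OSError:
            pass
    startup = os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        for entry in os.listdir(startup):
            findings.append(Finding("startup_folder", entry, os.path.join(startup, entry), "", "live", ["Startup folder shortcut"]))
    return findings


if __name__ == "__main__":
    for f in triage_report_rows():
        print(f"{f.source:14} {f.name:20} {f.exe} {f.args}  <- {f.writer}  [{', '.join(f.reasons)}]")
```

Both Run values and the shortcut resolve to user-writable paths, and the writer column ties ExtreamFanV6 and PowerExpertNNT.lnk to the same dropped binary, which is the grouping an analyst wants when deciding which artifacts to remove together.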

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2288 set thread context of 4884 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2100 set thread context of 3760 N/A C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4504 set thread context of 4460 N/A C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4672 set thread context of 1568 N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe
PID 5108 set thread context of 4284 N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
PID 4388 set thread context of 1100 N/A C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1496 set thread context of 1336 N/A C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2260 set thread context of 4488 N/A C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3668 set thread context of 200 N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
PID 2504 set thread context of 3980 N/A C:\Users\AdminCAFHIJDHDG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 set thread context of 3388 N/A C:\Users\AdminCFIEBKEHCA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4420 set thread context of 1100 N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe C:\Windows\system32\conhost.exe
PID 4420 set thread context of 5108 N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe C:\Windows\system32\svchost.exe
PID 1396 set thread context of 1496 N/A C:\ProgramData\FBGHIIJDGH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
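The table above is the most useful one in the report for understanding how the stealers run: eight different dropped binaries each start RegAsm.exe, a signed .NET Framework utility, and set the context of its main thread, which is the classic hollowing pattern that puts the real stealer payload behind a trusted image name. Two further rows show the ProgramData binary doing the same to conhost.exe and svchost.exe, and the four self-targeting rows are loaders re-executing their own image. The Python below is an added example and not part of the sandbox report: it rebuilds that injection graph from the rows as printed, deduplicates repeated rows, and separates hollowing into a different image from same-image re-execution and from the plain WriteProcessMemory rows (copied from the table near the end of this section), which on their own are also what any parent does to a child at creation. It assumes the report's row layout, in which only the source image may contain spaces.

```python
"""Rebuild the process-injection graph from a sandbox report's SetThreadContext
and WriteProcessMemory rows.

Added example, not part of the original report. Rows are copied from the
report; the parser assumes its layout "PID <src> <verb> <dst> N/A <source image>
<target image>", where only the source image may contain spaces.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (.+) (\S+)$")

# "Suspicious use of SetThreadContext" rows, copied from the report above.
SET_THREAD_CONTEXT_ROWS = [
    r"PID 2288 set thread context of 4884 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif",
    r"PID 2100 set thread context of 3760 N/A C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 4504 set thread context of 4460 N/A C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 4672 set thread context of 1568 N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe",
    r"PID 5108 set thread context of 4284 N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe",
    r"PID 4388 set thread context of 1100 N/A C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 1496 set thread context of 1336 N/A C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 2260 set thread context of 4488 N/A C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 3668 set thread context of 200 N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe",
    r"PID 2504 set thread context of 3980 N/A C:\Users\AdminCAFHIJDHDG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 4900 set thread context of 3388 N/A C:\Users\AdminCFIEBKEHCA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 4420 set thread context of 1100 N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe C:\Windows\system32\conhost.exe",
    r"PID 4420 set thread context of 5108 N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe C:\Windows\system32\svchost.exe",
    r"PID 1396 set thread context of 1496 N/A C:\ProgramData\FBGHIIJDGH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
]

# Opening rows of the "Suspicious use of WriteProcessMemory" table, copied from the report.
WRITE_PROCESS_MEMORY_ROWS = [
    r"PID 4864 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 4864 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 4864 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 308 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe",
    r"PID 308 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe",
]


def parse_rows(rows) -> list:
    """Each row becomes (src_pid, src_image, dst_pid, dst_image, api)."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"row does not match the report layout: {row!r}")
        src_pid, verb, dst_pid, src_img, dst_img = m.groups()
        api = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
        edges.append((int(src_pid), src_img, int(dst_pid), dst_img, api))
    return edges


def summarize_injection(rows) -> dict:
    """Separate the three things these rows mix together:
    - SetThreadContext into a child with a different image: hollowing, keyed by
      the image that was hollowed;
    - SetThreadContext into a child with the same image: a loader re-executing
      itself, loud but not a disguise;
    - WriteProcessMemory alone: also what every parent does to its child at
      creation, so it is counted but not scored."""
    edges = parse_rows(rows)
    distinct = sorted(set(edges))          # the report repeats identical rows
    hollowed = defaultdict(set)
    same_image = []
    write_only = 0
    for src_pid, src_img, dst_pid, dst_img, api in distinct:
        if api != "SetThreadContext":
            write_only += 1
        elif src_img.lower() == dst_img.lower():
            same_image.append((src_pid, dst_pid, src_img))
        else:
            hollowed[dst_img].add(src_img)
    return {
        "rows": len(edges),
        "distinct_edges": len(distinct),
        "hollowed": {target: sorted(sources) for target, sources in hollowed.items()},
        "same_image_children": same_image,
        "write_only_edges": write_only,
    }


def report_summary() -> dict:
    return summarize_injection(SET_THREAD_CONTEXT_ROWS + WRITE_PROCESS_MEMORY_ROWS)


if __name__ == "__main__":
    s = report_summary()
    for target, sources in s["hollowed"].items():
        print(f"{target} hollowed by {len(sources)} distinct image(s):")
        for src in sources:
            print(f"    {src}")
    print(f"same-image re-executions: {len(s['same_image_children'])}, write-only edges: {s['write_only_edges']}")
```

The grouping explains the rest of the report: almost every later RegAsm.exe row (the browser, wallet and FTP-client reads, the certificate-store writes, the SeDebugPrivilege and SeBackupPrivilege requests) is one of those eight hollowed instances, not RegAsm itself. A ProgramData binary writing thread context into svchost.exe and conhost.exe, next to the svchost.exe SeLockMemoryPrivilege request and the powercfg.exe activity further down, is the shape a cryptominer loader usually leaves, though the report does not name one.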

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\StayOperating C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\BrokerBaby C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\SurelyCabin C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\NotreNr C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\SpectrumNext C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminCAFHIJDHDG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminCFIEBKEHCA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\FBGHIIJDGH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [blob value omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [blob value omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 308 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 308 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 308 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 308 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 308 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 308 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 3536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 308 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 308 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 308 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 308 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 308 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 308 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2288 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2288 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2288 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2288 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2288 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 4884 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe
PID 4884 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe
PID 4884 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe
PID 4884 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
PID 4884 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
PID 4884 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe
PID 4884 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe
PID 4884 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe
PID 4884 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe
PID 4884 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe
PID 4884 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe
PID 4884 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe
PID 4884 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe
PID 4884 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe
PID 4884 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe
PID 4884 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe
PID 4884 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe
PID 4884 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe
PID 4884 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe
PID 4884 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe
PID 4884 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe
PID 4884 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe
PID 4884 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe
PID 4884 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe
PID 4884 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe
PID 4884 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe
PID 4884 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe
PID 4884 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe
PID 4884 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 57839

C:\Windows\SysWOW64\findstr.exe

findstr /V "ComicHoRecruitingHabits" Voluntary

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Crash.pif j

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe

C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe

C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe

C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe

C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe

C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe

C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe

C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe

C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe

C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe

C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe

C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe

C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe

C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe

C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe

C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe

C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe

C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe

C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe

C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe

C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe

C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe

C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe

C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe

C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe

C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe

C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp" /SL5="$701FC,3863733,54272,C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 612

C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe

"C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"

C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe

"C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe"

C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe

C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\519b4c81-998e-45cb-989b-eca0383684f5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe

"C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe

"C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCAFHIJDHDG.exe"

C:\Users\AdminCAFHIJDHDG.exe

"C:\Users\AdminCAFHIJDHDG.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCFIEBKEHCA.exe"

C:\Users\AdminCFIEBKEHCA.exe

"C:\Users\AdminCFIEBKEHCA.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VIFLJRPW"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VIFLJRPW"

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1284

C:\ProgramData\FBGHIIJDGH.exe

"C:\ProgramData\FBGHIIJDGH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\GDBAKKKFBG.exe

"C:\ProgramData\GDBAKKKFBG.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1268

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFCBAEHCAEGD" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network


Files

C:\Users\Admin\AppData\Local\Temp\Expectations


C:\Users\Admin\AppData\Local\Temp\Voluntary


C:\Users\Admin\AppData\Local\Temp\Convicted


C:\Users\Admin\AppData\Local\Temp\Festival


C:\Users\Admin\AppData\Local\Temp\Row


C:\Users\Admin\AppData\Local\Temp\Seven


C:\Users\Admin\AppData\Local\Temp\Author


C:\Users\Admin\AppData\Local\Temp\Affecting


C:\Users\Admin\AppData\Local\Temp\Jersey


C:\Users\Admin\AppData\Local\Temp\Explanation


C:\Users\Admin\AppData\Local\Temp\Reductions


C:\Users\Admin\AppData\Local\Temp\Monte


C:\Users\Admin\AppData\Local\Temp\Nissan


C:\Users\Admin\AppData\Local\Temp\Download


C:\Users\Admin\AppData\Local\Temp\Complicated


C:\Users\Admin\AppData\Local\Temp\Challenge


C:\Users\Admin\AppData\Local\Temp\Diet


C:\Users\Admin\AppData\Local\Temp\Cinema


C:\Users\Admin\AppData\Local\Temp\Rescue


C:\Users\Admin\AppData\Local\Temp\Military


C:\Users\Admin\AppData\Local\Temp\Modifications


C:\Users\Admin\AppData\Local\Temp\Html


C:\Users\Admin\AppData\Local\Temp\Lucy


C:\Users\Admin\AppData\Local\Temp\Chicken


C:\Users\Admin\AppData\Local\Temp\Savage


C:\Users\Admin\AppData\Local\Temp\Lady

C:\Users\Admin\AppData\Local\Temp\Live

C:\Users\Admin\AppData\Local\Temp\Chester

C:\Users\Admin\AppData\Local\Temp\Rise

C:\Users\Admin\AppData\Local\Temp\Massive

C:\Users\Admin\AppData\Local\Temp\Behavioral

C:\Users\Admin\AppData\Local\Temp\Duplicate

C:\Users\Admin\AppData\Local\Temp\Si

C:\Users\Admin\AppData\Local\Temp\Features

C:\Users\Admin\AppData\Local\Temp\Blogger

C:\Users\Admin\AppData\Local\Temp\Holy

C:\Users\Admin\AppData\Local\Temp\Signing

C:\Users\Admin\AppData\Local\Temp\Highlighted

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

C:\Users\Admin\AppData\Local\Temp\57839\j

C:\Users\Admin\Documents\iofolko5\2BQuSJD0Ffe8sYCdJqTbFs6x.exe

C:\Users\Admin\Documents\iofolko5\D2dsp24xIugTOXbqFb03UBo8.exe

C:\Users\Admin\Documents\iofolko5\8lvF_pbPdErJhU6eYaLALhqF.exe

C:\Users\Admin\Documents\iofolko5\cEb3YN9ry8jg1SsiMsJXrhaM.exe

C:\Users\Admin\Documents\iofolko5\ck1kQgnZGpqVGKLY2egHSvid.exe

C:\Users\Admin\Documents\iofolko5\i_EDTZdhnpvoNJRWQkGGccLX.exe

C:\Users\Admin\Documents\iofolko5\s5GRedbnGg1qeJV95EC4ypkH.exe

C:\Users\Admin\Documents\iofolko5\3GU73Emite8W2LE7jUkk5idR.exe

C:\Users\Admin\Documents\iofolko5\F0sjTXtEkyFhyelgE0Mr8uU7.exe

C:\Users\Admin\Documents\iofolko5\DTGUSTj7L8sXcmLLMCcOVDCz.exe

C:\Users\Admin\Documents\iofolko5\g8E1Ykgx61NUZGcqiQ88LHyW.exe

C:\Users\Admin\Documents\iofolko5\lTmXqotNlhgzkTosMw2nglcr.exe

C:\Users\Admin\Documents\iofolko5\VoVk7YX4kvrBtpYgoNjPz_1z.exe

C:\Users\Admin\AppData\Local\Temp\is-J06V0.tmp\s5GRedbnGg1qeJV95EC4ypkH.tmp

C:\Users\Admin\AppData\Local\Temp\TmpF67.tmp

C:\ProgramData\JJECGHJD

C:\ProgramData\BAKFCBFHJDHJKECAKEHI

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminCAFHIJDHDG.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQ5JVXBW\66d5ddc254656_lfem[1].exe

C:\ProgramData\KJEBKJDAFHJD\JKKKJJ

C:\ProgramData\KJEBKJDAFHJD\KECFCG

C:\ProgramData\IIJEBFCFIJJJ\BAAAKJ

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-02 16:01

Reported

2024-09-02 16:09

Platform

win7-20240729-en

Max time kernel

239s

Max time network

243s

Command Line

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2084 set thread context of 2696 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SurelyCabin C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\NotreNr C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\SpectrumNext C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\StayOperating C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\BrokerBaby C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2536 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2536 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2536 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2536 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2536 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2536 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2536 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2536 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2084 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2084 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2084 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2084 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2084 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2084 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Processes

C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 57839

C:\Windows\SysWOW64\findstr.exe

findstr /V "ComicHoRecruitingHabits" Voluntary

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Crash.pif j

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 zRSEpqfcCxtm.zRSEpqfcCxtm udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\Expectations

C:\Users\Admin\AppData\Local\Temp\Voluntary

C:\Users\Admin\AppData\Local\Temp\Convicted

C:\Users\Admin\AppData\Local\Temp\Festival

C:\Users\Admin\AppData\Local\Temp\Row

C:\Users\Admin\AppData\Local\Temp\Seven

C:\Users\Admin\AppData\Local\Temp\Author

C:\Users\Admin\AppData\Local\Temp\Jersey

C:\Users\Admin\AppData\Local\Temp\Affecting

C:\Users\Admin\AppData\Local\Temp\Explanation

C:\Users\Admin\AppData\Local\Temp\Reductions

MD5 d203f6393a3903aa4d01f3f7f8fbdca1
SHA1 de0f58ca1f059366d86bfeb1ce91c44b60898bc9
SHA256 56362c14415b381c1e869e4fdc88e02945c5560ecb8e4fb877c6afc9e86479dd
SHA512 4fef97dfc0a70679005c56d9b3a541ce8f36460f667769f48e84b2313f7f6c02c35ce5b5a909778afd2c89e8e7af487d8d0db8adb415ae63aad888e5e167fa87

C:\Users\Admin\AppData\Local\Temp\Monte

MD5 5052be6a36baef4bc80fc0a25377991f
SHA1 f4d4d1226128ff8b76a2ff07cddb00132025da58
SHA256 deca9a2ea25ed74c437cf2de09db4487235dad8aa66ba9b61829ed4984c10952
SHA512 d651ec799bd503f4bb542a57135ac87f1901b636103054d7b4d57002d80ef866fe815825af314ba621b164d08524475086c06df987c480b2bfe2b2c687cc81e5

C:\Users\Admin\AppData\Local\Temp\Nissan

MD5 4c1bf2e085c8294fdca893a02a568d67
SHA1 f0f6b045c8b13b1684c3ab44ebc9a7fc16bfb375
SHA256 cd21acc319a788cb924a5a471d00199f414aa5c08e2f0bc6e8b1cc27b5e96891
SHA512 2c709bbdc03236416ee76a86d18454a405d9e820de671b749b05509e7a1e1777c18c6e7cf37ec3aa3e0c419baef71f1b240b7667554cd14a594f1b0cf73f83f4

C:\Users\Admin\AppData\Local\Temp\Download

MD5 e62c9797d10a365321d928e89954a5be
SHA1 612831de5d1cf5ebd90101617d78411cd5571e98
SHA256 565c1e4052237777bf85e359f87a57ad8291017062300e5f677f9d3d77767e03
SHA512 7c45ba8873a2647ba73d9fe3aff724051e9da73cb12bebce844fe66140b8493fab661f4c88bf89c1cbeed7e35f8744b679910e3a66aae7933f38aa4230bc1eb0

C:\Users\Admin\AppData\Local\Temp\Complicated

MD5 6762d4e94c1b03d2c784c5fcc6078641
SHA1 3b1b5041616acacd1a3f2af9206dfb8836cbed8c
SHA256 05dc4d855281f909f9283f5509e6d73c3d48649be7d089555e69f371fdd71a0e
SHA512 0ef26c4dcb68dbfeafa254a82286d23403c44d1f21a5b2d677cb3ecefa55b28084afeb6e8bedac80360c34e03846a1562e9d7ef072670a7be62f9209a29475a2

C:\Users\Admin\AppData\Local\Temp\Challenge

MD5 537268e78ee12bfbcc243c56a7d496fc
SHA1 0dfc9eccbddc26e4ae99349cbbabeff3319328ec
SHA256 2606d23c85faa7cd6392ca4e1988da60c712c824636e8a3a438ab189798cb6ee
SHA512 4ac82bd876c1530906ecff0bafa09160de3512e9f5acecf3a005a68b1e273ea035d9411b00d06fb7e26e36d82ff3acd6eea86ece56543ab42f00256d76697ca3

C:\Users\Admin\AppData\Local\Temp\Diet

MD5 7430584ab5031bd1784772da8a706f6e
SHA1 c299c3785cc742b5d224a500048230320b83eea3
SHA256 ae0f89dedfc06a686fc283b53fa77b42d07360149a6becf05b134b08bce462e2
SHA512 82ba15f997e3b62287cb56138606d930e1d77ebc9a338252cc5f353df4e4361f7a96347580131ea23d651225c72945e44b18d3cd596ca5df7ccd81d9069daca4

C:\Users\Admin\AppData\Local\Temp\Cinema

MD5 65570d0c36a8df76f5f0f290652d8832
SHA1 bc5e984dbb5045c6b3ff0e507fe2145644824430
SHA256 0161abe58652bc8e36803ec78070a18a07c59ba6cd05388923b05a88010f2670
SHA512 caa736077b30d0c819eafd31696a35681bb7afb1103e77597a6339b133874e80464bbf8db342a3661d59b5ec6802f2f5b0a3550e884155be00b1f4f30920ed8a

C:\Users\Admin\AppData\Local\Temp\Rescue

MD5 6b5b55e3f833053ac81fe00f0e0808f7
SHA1 8334f3338966eed623ab0bce20d3a52c417ee4a9
SHA256 78ba5a3d96aeae98ea4b0b6a63ffc16b8f19438f2f2158580e2a77876e65efd6
SHA512 c7b7198b802bbb514d6b05436b118398fdf94c972a3c6d3ee2e5a9a06c1db97faaea3e0caad2ba85a7fd1d2b77234a559436e8c1d1c300571dbbff9a8a6afe98

C:\Users\Admin\AppData\Local\Temp\Military

MD5 7ae74abe58a6e55d07374af9c912645f
SHA1 ec6f11d0d01ce721ed11ad3739664c44e7b6e2e3
SHA256 b1801346bba35b4cd849cec9b51db802f9e4d2c8d287dfa95352851437f75ff8
SHA512 73e3e8e341d80c529e38de72962b0abf1a70ae4d0da1f149fc3828cdd3a40c561ab490a9a3177c879dbf6136e6cbac139cf84c06b3ff157d5cba8e069f5830b3

C:\Users\Admin\AppData\Local\Temp\Chicken

MD5 20105d875df6d6c0a9a393613822417f
SHA1 36eea2d5499ab0a814f6352f5adfe0e5941fd221
SHA256 ca36b84ae853fe9d1c5051e02ff25123d4064c8a6a20d068bd41abc612ee3d43
SHA512 092cf321346c059926d1f84133ec84fa489fe44880c43eb003eee8a58883178176acef29828c50ac0b9af768d22ddaf59df33e1e0f35cafcf14e3286974765ff

C:\Users\Admin\AppData\Local\Temp\Lucy

MD5 1e19f8b5a5df8835b2c08291a28e2096
SHA1 a2573e83e5d52d4c30fad472131f75c73c666651
SHA256 6a5656e3112e2725b03726a0837bf7ac9614a904ed4bd863fc03f48bf391d3ba
SHA512 65c04cb91f337c076c8bd58298ca32b41c9a58f6733bddd9ba21e6cd36c63c12d4dc9c3234499ec2f4a053f3a5e373d8c3abb4919d139ead3a21507a886d5a94

C:\Users\Admin\AppData\Local\Temp\Html

MD5 60ac1993c088722394ffe200673bb477
SHA1 4bf6dbf1672272cc12ee9c66280ac15eb6621c0c
SHA256 ca3292f4a30d8fc1d5a4aa8d726b5ebcc15c4fcfd05c557c0f90408a398eee95
SHA512 14adc777d65092b48eb1d55e9ec898240fbfc24f13f64734e814457fe2e3f5a7d4a32e4e55299b3638f5308209f28c6ef4e08b70b67107af6ae3106cae0dfd98

C:\Users\Admin\AppData\Local\Temp\Modifications

MD5 ef01a057cc8722790ca29a4ebaa97d06
SHA1 a28e9c67b9b6af98c5aedcdde7d954ba95edd3fc
SHA256 7b9dc5b21229b4ab7c42966692edb6b3c586d3bfc44ea84717ba02247b697c5c
SHA512 214fafd0f54657e56848454b14d99e740726e3b9252c29156650d8d4010632246e3012c28cad9a6554f9be5a929761da78626ec8ebf5dc7500d5b6eb466f733e

C:\Users\Admin\AppData\Local\Temp\Savage

MD5 fb541151b9390f68c6c2401afc2d99c7
SHA1 a31a9d485725a9f86a1867f4f81a58d891a89738
SHA256 ea1b11937d5d91b042394afd21d659a187562800c404ddeb22b9dc112d5de57f
SHA512 5de0e63460d3e7073bae1a1c5caae32e8d8e2bd9ac03ad1f396f24697c451167e3d969f1f0716c1afc224c54556eae522f26dff69d4839dcf0743dbc3899dcf0

C:\Users\Admin\AppData\Local\Temp\Rise

MD5 396d0835e6878f2a72c2104950e072b4
SHA1 27750a5a4cc755abbda70173bad00e7b9d5d7fee
SHA256 b2345ac87d9c2c91dc78b75ce32e6faf57589c483be6c5a7b6cd88a51ac9366a
SHA512 1ed8fce8ab64f9599b7342e8d9ea275bab23d4a13b02230cafcd82d6110bcc7b8e4f708c8e4e6597efb9621b6368ba9b4e84da7cff931855dee81b4ba0d9abe7

C:\Users\Admin\AppData\Local\Temp\Lady

MD5 543168f1d78f27bc1e0a01a41fa841e8
SHA1 3adfd6f137aae243f115727ff34aef34ec4937d2
SHA256 1eecb6117a45ec6408ded2ba9e158a6dcfd5ce70bec186b3fce18c2b554e6d21
SHA512 54c7c0070bd4167f8185915dffbd37c9cc28772a277a4f150ddb9e8cd79fd7c715b386986cd4e6d905c37305338c1bda6841fa5e1ca85fc6ee285532dd4005f1

C:\Users\Admin\AppData\Local\Temp\Live

MD5 376e677f9a5afdf14a709ae45b3ac489
SHA1 12fcde474c530ae35dbd410374b811c3eeb69dbe
SHA256 742701e67824acdab99ab8b17deaaa4323ac3eb497394732811d0f37843bd09a
SHA512 bb2e48d6858574e45033e76f6a48f5009b77a7c0502e4f32fb7097a8223362c8987323e4ec8e69b934aa6aa27ca60aca50efe4a70fe62ca9001fe1f693f1bcd8

C:\Users\Admin\AppData\Local\Temp\Chester

MD5 725acfd693506370739de020e9a887f5
SHA1 45649e96847f624b50ed75515922c1db47fc05da
SHA256 b6c3d34fa004d32a8f12e419c3f6a9bd193d4414d67f10ebda3a15422da28b84
SHA512 89fdf5041b46c186a7149f924f763382e9f05264aed78a935f45244f3ab305ca4e5c3434af75d397342ea1d9e5be03a9f0c11c4f6cd000ed22d0ae977f78899a

C:\Users\Admin\AppData\Local\Temp\Massive

MD5 a980747d497a8ee2ae7004c77f90733b
SHA1 68a73778039a85f26ae490bb1a53cf6f7f606d09
SHA256 29c12fbc9d853a8ae13d605dd64e5694fed70d8693e44d159a9e790624e14609
SHA512 f584cd150da0805f01386647ba672c21e51a26be4c59a606942701cbd19a50fc6619536dbcf4d627d9867a034b0795e9395346f4bd720cc2b2e7f7de57a40d2b

C:\Users\Admin\AppData\Local\Temp\Behavioral

MD5 ebe4b07bfed724aa5becd78901a6fe27
SHA1 5e8dd44ceac3ed195bfa3d1bb101c44f32e80be7
SHA256 6668a6a7cd543d7c205c03f284951e8ea92c28ac73d87e70f75055473897426e
SHA512 8dc0ed93474503a068ab6bad2b59f84bfc0117a8ed81d56f0b02d8f7c96813b813bf2c464b00fb8088eb2e1c5182eb0a1e7ef90d57081292f3abd8099b3d460c

C:\Users\Admin\AppData\Local\Temp\Duplicate

MD5 3bcc0c3847c9a8e1699947169eecb998
SHA1 9eebb699415d3166209f3b3fb86664911aab576d
SHA256 61c57cf3c141dcc23165abefcbe0eb26f80538c03b47de7f6e7199aa5f40ae1f
SHA512 5ddf19bc6cc34e29f08f32b3b9093eed0846c7bd88b34a49cd159f139541f9e16b2375ac6282fc2497fc530bcf0b39325cf46f46e2bd10c19bd7bc34f80fa5db

C:\Users\Admin\AppData\Local\Temp\Features

MD5 d745691d6cb303d913e41ce5e4b58c7c
SHA1 4d650125002e80e9134f13a50d517371ebb75690
SHA256 73ffb9ea8910ea475edb0a552409388109572d989cf03ab6a5c0a661e13849e8
SHA512 38217f947ae0348a2ce079bd8086fd276cc3b5ace0bcb1f3d9793f9c939eea9ae1498788c49772472128c17dd5e63a25cb1b75ad8cee12497358442b48a1fedb

C:\Users\Admin\AppData\Local\Temp\Si

MD5 718c0e812f72e5bcbec91397f65a077d
SHA1 76068ad0af77a48d664e4b36133f17649b818648
SHA256 8f9840ba9841a3a0df66883c1b2063f2252ef739d0ba2326de6162a7c510a860
SHA512 c8c3b178828562df41f03cead119f330c20009e9c373bb95e78e7c49c39c1a74e11583974facb5198d6277aadf644446691202a3ea084d4c3facc8208fc917cc

C:\Users\Admin\AppData\Local\Temp\Blogger

MD5 378485e10e236ff814d839659433f06d
SHA1 5ae0565d277f6e85f58c8607d0b34db0a416025b
SHA256 aee4aa79a81b1f35f9453ad64d7a5913a87cdd44eadbd17648f0be9a530f7245
SHA512 e81a362ea8a4e5a2ef9b112cbaf581094a992b1a6f31464f60b60828e22284d44374fd6607ec5378fb8deb0d88cc853c2dbbce5fdff38a4ae991fc49f65523ad

C:\Users\Admin\AppData\Local\Temp\Holy

MD5 2d96b5acce1dec9f12612c247afd1863
SHA1 86a7951ea9243849382c4201407f2def3bc3c04e
SHA256 5b07743f4c23ea6b6a2bae967d7e556b0be8afbf3513a90e42944e38da1e3035
SHA512 5dbf9f3ff88f3b98b1b562c996f4406254cdf697cbbeb4d95e5374248f8cdb5ab3b5fb1b622546dc3488e911bafd255c82a8f836bc3d2c02e4b0371991647563

C:\Users\Admin\AppData\Local\Temp\Signing

MD5 13d7a9bf7a6a8ad1d7786ae78a0499ae
SHA1 d76aa87f901d3ccf0838fff7a49e9f8b1bdc5288
SHA256 5a5f6dab597d2edf2f36671cc2e7973d649a7e182a36be32581b586af2d8a0f8
SHA512 38da7f8760ca8677bfd87dd2ed64fd1be84c9336268eade2985f24bd7099dab6046c25b636e4ca29417c0236b0e2e42f2beb1cacbfbe22bc2d444f6d9fe03411

C:\Users\Admin\AppData\Local\Temp\Highlighted

MD5 64b4546e5c30703ec09d37d7b580a5f8
SHA1 32bd68a136801200bc147cfc4e554d63ceb35e80
SHA256 bdd93c57d2d6f02a7402eac7517db0d4a58390d01d74443668260436d0af5328
SHA512 a28cbd7438b6abc438cba05e11251037193a1b0b77846cc960ff6d6fde83c4f262a002fef6402caba68083fb0d7bca97bdd9241979a4de1957aebb8267087d67

\Users\Admin\AppData\Local\Temp\57839\Crash.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\57839\j

MD5 6f2a4dfc60f72b9025b045544856516d
SHA1 88b8695b7b9abe8531fbbc10ed1c3c34549a83c3
SHA256 dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea
SHA512 afb3fcec8edda5a4f4dacff719874420d31307006009d20259051adf1ecd68e40420cf0254924c6b8c4754ed4d66c202244baef0649fc1ece1f3ac08b99b2da9

memory/2696-87-0x0000000000610000-0x00000000007F0000-memory.dmp

memory/2696-88-0x0000000000610000-0x00000000007F0000-memory.dmp

memory/2696-90-0x0000000000610000-0x00000000007F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-02 16:01

Reported

2024-09-02 16:09

Platform

win10v2004-20240802-en

Max time kernel

124s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2184 set thread context of 4512 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SurelyCabin C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\NotreNr C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\SpectrumNext C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\StayOperating C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\BrokerBaby C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4796 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4796 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4796 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4796 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4796 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4796 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4796 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 4796 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 4796 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 4796 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4796 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4796 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2184 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2184 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2184 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2184 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 2184 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
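The WriteProcessMemory and SetThreadContext rows above are the part of this chain worth a rule: Crash.pif (PID 2184) launches a second copy of itself (PID 4512), writes into it, then replaces its thread context, which is the classic hollowing sequence, and the only memory dump for this run (memory/4512-84-…) comes from that child. The Python below is an added example, not part of the sandbox report; it replays a selection of the report's own rows (copied inline) and flags only pid pairs where both APIs were used, because a WriteProcessMemory row by itself is noise here: the sandbox logs one for every ordinary parent-to-child launch (cmd.exe to tasklist.exe, choice.exe, and so on).

```python
import re
from collections import defaultdict

# Rows copied from the behavioral3 "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables (description, source image, target image).
SIGNATURE_ROWS = [
    ("PID 2976 wrote to memory of 4796",
     r"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ("PID 4796 wrote to memory of 3288",
     r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\tasklist.exe"),
    ("PID 4796 wrote to memory of 2184",
     r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif"),
    ("PID 4796 wrote to memory of 3084",
     r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\choice.exe"),
    ("PID 2184 wrote to memory of 4512",
     r"C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif", r"C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif"),
    ("PID 2184 set thread context of 4512",
     r"C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif", r"C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif"),
]

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
OP_NAME = {"wrote to memory of": "WriteProcessMemory",
           "set thread context of": "SetThreadContext"}


def parse_rows(rows):
    """Group sandbox rows by (source pid, target pid) and collect the APIs seen on that edge."""
    edges = defaultdict(lambda: {"ops": set(), "src_image": None, "dst_image": None})
    for desc, src_image, dst_image in rows:
        m = ROW_RE.search(desc)
        if not m:
            continue  # rows of other signature types are ignored
        src, op, dst = int(m.group(1)), OP_NAME[m.group(2)], int(m.group(3))
        edge = edges[(src, dst)]
        edge["ops"].add(op)
        edge["src_image"], edge["dst_image"] = src_image, dst_image
    return edges


def find_hollowing(rows):
    """Flag pid pairs where the parent both wrote the child's memory and replaced a thread context.

    Requiring both APIs on the same edge is what separates the 2184 -> 4512 event from the
    parent-to-child WriteProcessMemory rows the sandbox records for every normal launch.
    """
    findings = []
    for (src, dst), edge in parse_rows(rows).items():
        if {"WriteProcessMemory", "SetThreadContext"} <= edge["ops"]:
            findings.append({
                "src_pid": src,
                "dst_pid": dst,
                "image": edge["dst_image"],
                # same image on both sides: the process injected into a copy of itself
                "self_injection": edge["src_image"].lower() == edge["dst_image"].lower(),
            })
    return findings


if __name__ == "__main__":
    for hit in find_hollowing(SIGNATURE_ROWS):
        print(hit)
```

Running it on the rows yields a single finding, 2184 into 4512 on Crash.pif with self_injection set, and nothing for the cmd.exe launches. When the same logic is applied to live telemetry the memory region to acquire is the target's, which is exactly what the report's memory/4512-84-0x0000000001260000-0x0000000001440000 dump is.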

Processes

C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 57839

C:\Windows\SysWOW64\findstr.exe

findstr /V "ComicHoRecruitingHabits" Voluntary

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Crash.pif j

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
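Read top to bottom, the process list is the dropper's batch file executing: power systems ii.pdf.exe renames the dropped Expectations to Expectations.bat and runs it; the batch pipes tasklist into findstr /I to look for security-product processes (wrsa, opssvc, avastui, avgui, bdservicehost, nswscsvc, sophoshealth); it creates the 57839 directory; findstr /V strips every line containing the marker string from Voluntary (pipes and redirects are handled by cmd.exe and never appear in a child's command line, so the output target is not visible here); copy /b concatenates 35 dropped chunks, in the order shown, into 57839\j; Crash.pif is then run with j as its only argument, and choice /d y /t 5 serves as a five-second sleep. The Python below is an added example, not tooling from the report or the sandbox: it parses the copy /b line to recover the chunk order, rebuilds j from a directory holding the dropped chunks, and checks the result against the SHA256 the report gives for 57839\j, so an analyst who only has the chunks can confirm they recovered the right payload. The demo runs on constructed placeholder chunks (the real chunk contents are not on this page), so its hash will not match the reported one.

```python
import hashlib
import os
import re
import tempfile

# Command lines copied from the behavioral3 process list of this report.
COPY_CMD = ("cmd /c copy /b ..\\Festival + ..\\Row + ..\\Seven + ..\\Author + ..\\Jersey + "
            "..\\Affecting + ..\\Explanation + ..\\Reductions + ..\\Monte + ..\\Nissan + "
            "..\\Download + ..\\Complicated + ..\\Challenge + ..\\Diet + ..\\Cinema + "
            "..\\Rescue + ..\\Military + ..\\Chicken + ..\\Lucy + ..\\Html + ..\\Modifications + "
            "..\\Savage + ..\\Rise + ..\\Lady + ..\\Live + ..\\Chester + ..\\Massive + "
            "..\\Behavioral + ..\\Duplicate + ..\\Features + ..\\Si + ..\\Blogger + ..\\Holy + "
            "..\\Signing + ..\\Highlighted j")
FINDSTR_CMDS = ['findstr /I "wrsa opssvc"',
                'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"']

# SHA256 of C:\Users\Admin\AppData\Local\Temp\57839\j as reported by the sandbox.
REPORTED_J_SHA256 = "dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea"


def parse_copy_b(cmd):
    """Return (ordered chunk names, output name) from a `copy /b a + b + ... out` command line."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", cmd, re.IGNORECASE)
    if not m:
        raise ValueError("not a copy /b concatenation")
    parts = [p.strip() for p in m.group(1).split("+")]
    # the batch runs inside 57839, so every source is ..\<name>; keep only the file name
    names = [os.path.basename(p.replace("\\", "/")) for p in parts]
    return names, m.group(2)


def parse_findstr_targets(cmd):
    """Return the process-name substrings a `findstr /I "a b c"` check looks for."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1).split() if m else []


def reassemble(chunk_dir, names):
    """Emulate `copy /b`: binary concatenation of the chunks in command-line order."""
    data = bytearray()
    for name in names:
        with open(os.path.join(chunk_dir, name), "rb") as f:
            data += f.read()
    return bytes(data)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def recover_payload(chunk_dir, copy_cmd=COPY_CMD, expected=REPORTED_J_SHA256):
    """Rebuild the concatenated payload from dropped chunks and compare it with the reported hash."""
    names, out_name = parse_copy_b(copy_cmd)
    digest = sha256_hex(reassemble(chunk_dir, names))
    return {"output": out_name, "chunks": len(names), "sha256": digest,
            "matches_report": digest == expected}


def demo():
    """Run the recovery on constructed placeholder chunks, not the real dropped files."""
    names, _ = parse_copy_b(COPY_CMD)
    with tempfile.TemporaryDirectory() as d:
        expected = bytearray()
        for i, name in enumerate(names):
            blob = bytes([i]) * 16 + name.encode()  # constructed stand-in content
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
            expected += blob
        result = recover_payload(d)
        result["concat_ok"] = sha256_hex(bytes(expected)) == result["sha256"]
    result["av_checks"] = [parse_findstr_targets(c) for c in FINDSTR_CMDS]
    return result


if __name__ == "__main__":
    print(demo())
```

Point recover_payload at the real Temp directory from an infected host or a sandbox file export and matches_report turning true confirms that j was rebuilt byte for byte; a mismatch usually means a chunk is missing or the order was taken from a different sample's command line. The av_checks list is the set of process-name substrings the batch treats as a reason to behave differently, which is also the list a detection should watch for in tasklist | findstr pairs.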

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 zRSEpqfcCxtm.zRSEpqfcCxtm udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Expectations

MD5 3281bcef02057c7c42ffc446180035d9
SHA1 b6f03015126215d02e2e0a299af9822df7080a0b
SHA256 a09bfd463231d947d05075be36ab7bf17df215973c35f8de0cfa7bb8497bc713
SHA512 2dd9821ce87a7e17a9a1d0546873ed2f8c0ceab314b10d1b71c95be2f209cc60c265b2cd6aba1ba1e694a7d709b7028c7f11cccd0e7bf555825ddfc69a78458c

C:\Users\Admin\AppData\Local\Temp\Voluntary

MD5 f9eb00df5045603dcd9bd10c9c2de5a6
SHA1 ec9430633bd4833a58c4d5cabdb4bd39115c3fee
SHA256 f4c33fe43545336d8214df342721358940b2931733e1e495171b16eec3eaf3ca
SHA512 1f48845c174f306cf96400a2c7a200729529726f92a4c433ba07d07dace7a9394a5fa165824e69b3ef16a7bfa1f4ddb56c5377f76a00d927ddd4ffd0ef8bb402

C:\Users\Admin\AppData\Local\Temp\Convicted

MD5 756ebe860d35cf35959526d533e1547b
SHA1 d739e66da9e6cea11d1df535210ad0dbf1bab2ea
SHA256 f9ad895cd4e1daa5469ad8f10da51ce8bc7761bcaf1bfd1a1b859617bd5f9659
SHA512 264cdb50d5fe76edf63825abb9cbf671182b985ff2a08cfb2bc762ea48e0bd5a9bc6c83473b2e468e3dd5536c4a34a14f79d3685f85c7a4353bfaf6692859650

C:\Users\Admin\AppData\Local\Temp\Festival

MD5 b7ad3cbdf401b3c7267cfc9711574142
SHA1 e7a0ceb17efd4038a20865e496bd4a5ba19fd77c
SHA256 643138ec5dc886e6bf8814b20e79755508d431fdb30b09bfcfe9c151a067ae78
SHA512 735f0ace87cf5da6764c5ba585841c5551c45bd1e4c1e80cb9bb85fb5409a5c25aa13270a906e3cc6bafabdd2ef49b057653b9492c6d0c40564e99ae38b3cbbe

C:\Users\Admin\AppData\Local\Temp\Row

MD5 bf39dfa471c242ee0ce4c1010af5854f
SHA1 7f50ac6e3939dde82d92b5c60ec2a724a8d840b9
SHA256 fbf43408da62b58fb3f45239076f92258d9c93a1cea87ac5c194be668426195e
SHA512 bf94e13970fac6c98370cad29986a635283652de4fd7cf84b451343427cf4ad97d9b1185cccf780fbbcd7c9eeda49d67372ac81630e3c9b353ad2a0412bcb9d3

C:\Users\Admin\AppData\Local\Temp\Seven

MD5 2edee24053811c6808c917363e0a36b1
SHA1 67335e45423653ceb25fda916f03906c7809ead2
SHA256 80bda82b089599eca38f145957fd0c552994c6b5ea7f3084ad3bbf7f2805c030
SHA512 b2649bf558570da468baeb7654c66915253d70e9ce7595e0b10a8cb04af75e38986ad68b16f581ea79f54c5a4d5d06f51b13cd6c3b9f1eef16bffedfef965c38

C:\Users\Admin\AppData\Local\Temp\Author

MD5 ff664f8979f694400b1973a4c9090640
SHA1 1f14c9bfec66926d43f9fcae51a531af3a1d95c3
SHA256 2944dfefe3123e84dae7deeb3d25353cb4691926a8ef10de80ace2a194e5a355
SHA512 665bfa47c037d22edbd1d17947eb25842928ef52a637bec755f843bc7ecbf99f43d804931c0ad1cf567f700461d02dfb55025f60207e9e6c20d3a13b2832feaa

C:\Users\Admin\AppData\Local\Temp\Jersey

MD5 25f618dcd9a958e79913ec30f89f30c9
SHA1 52ce81a9f0d13373257382c67633b3726cd0e919
SHA256 859989af71529799e5dae9275b104e8c45b8fa37176f969047151687c3b3ea12
SHA512 c477e402556045035f3028994fdeffed31f78a787a9dbadccdcc7862d03d234902170559a3fc8929fe4a59fb61279881c6c1f2b7d6870f97c3d9b346e3aafd7f

C:\Users\Admin\AppData\Local\Temp\Affecting

MD5 3f0c844167b93ec7fd2697de91790c4b
SHA1 81e9e8c129ef264c7981c49be22fc4f41e504c76
SHA256 43dc4eb4d4b1b5be602976c3e6675285b0056fd6c0dd676362f4d026325b0556
SHA512 54b72f71637cbcb159c0aaff33ddd6384aefe33bba50fe75c431051dbdda0e6ca83503678635cdabfeabaa11aea0a4c175b9acb48d926e03b7afe2133d269ef4

C:\Users\Admin\AppData\Local\Temp\Explanation

MD5 1570a1bee5b357710cc74f60ce825c22
SHA1 c515aeca6d025d65dc191a31755e87f54092acc5
SHA256 bdf3713418777ec674408cd3f62ab56e09a2467f1a5f78e8f078f4ef3ecab7ae
SHA512 cddcd3363f1975f0d6118cef40c9464d87f5f8eaba62e8d79da2fc60f5ce7148ffbdc90b60d020e2e78ef3e8c57eff7c9e75dd23295d31354997ce277646c726

C:\Users\Admin\AppData\Local\Temp\Reductions

MD5 d203f6393a3903aa4d01f3f7f8fbdca1
SHA1 de0f58ca1f059366d86bfeb1ce91c44b60898bc9
SHA256 56362c14415b381c1e869e4fdc88e02945c5560ecb8e4fb877c6afc9e86479dd
SHA512 4fef97dfc0a70679005c56d9b3a541ce8f36460f667769f48e84b2313f7f6c02c35ce5b5a909778afd2c89e8e7af487d8d0db8adb415ae63aad888e5e167fa87

C:\Users\Admin\AppData\Local\Temp\Monte

MD5 5052be6a36baef4bc80fc0a25377991f
SHA1 f4d4d1226128ff8b76a2ff07cddb00132025da58
SHA256 deca9a2ea25ed74c437cf2de09db4487235dad8aa66ba9b61829ed4984c10952
SHA512 d651ec799bd503f4bb542a57135ac87f1901b636103054d7b4d57002d80ef866fe815825af314ba621b164d08524475086c06df987c480b2bfe2b2c687cc81e5

C:\Users\Admin\AppData\Local\Temp\Nissan

MD5 4c1bf2e085c8294fdca893a02a568d67
SHA1 f0f6b045c8b13b1684c3ab44ebc9a7fc16bfb375
SHA256 cd21acc319a788cb924a5a471d00199f414aa5c08e2f0bc6e8b1cc27b5e96891
SHA512 2c709bbdc03236416ee76a86d18454a405d9e820de671b749b05509e7a1e1777c18c6e7cf37ec3aa3e0c419baef71f1b240b7667554cd14a594f1b0cf73f83f4

C:\Users\Admin\AppData\Local\Temp\Download

MD5 e62c9797d10a365321d928e89954a5be
SHA1 612831de5d1cf5ebd90101617d78411cd5571e98
SHA256 565c1e4052237777bf85e359f87a57ad8291017062300e5f677f9d3d77767e03
SHA512 7c45ba8873a2647ba73d9fe3aff724051e9da73cb12bebce844fe66140b8493fab661f4c88bf89c1cbeed7e35f8744b679910e3a66aae7933f38aa4230bc1eb0

C:\Users\Admin\AppData\Local\Temp\Complicated

MD5 6762d4e94c1b03d2c784c5fcc6078641
SHA1 3b1b5041616acacd1a3f2af9206dfb8836cbed8c
SHA256 05dc4d855281f909f9283f5509e6d73c3d48649be7d089555e69f371fdd71a0e
SHA512 0ef26c4dcb68dbfeafa254a82286d23403c44d1f21a5b2d677cb3ecefa55b28084afeb6e8bedac80360c34e03846a1562e9d7ef072670a7be62f9209a29475a2

C:\Users\Admin\AppData\Local\Temp\Challenge

MD5 537268e78ee12bfbcc243c56a7d496fc
SHA1 0dfc9eccbddc26e4ae99349cbbabeff3319328ec
SHA256 2606d23c85faa7cd6392ca4e1988da60c712c824636e8a3a438ab189798cb6ee
SHA512 4ac82bd876c1530906ecff0bafa09160de3512e9f5acecf3a005a68b1e273ea035d9411b00d06fb7e26e36d82ff3acd6eea86ece56543ab42f00256d76697ca3

C:\Users\Admin\AppData\Local\Temp\Diet

MD5 7430584ab5031bd1784772da8a706f6e
SHA1 c299c3785cc742b5d224a500048230320b83eea3
SHA256 ae0f89dedfc06a686fc283b53fa77b42d07360149a6becf05b134b08bce462e2
SHA512 82ba15f997e3b62287cb56138606d930e1d77ebc9a338252cc5f353df4e4361f7a96347580131ea23d651225c72945e44b18d3cd596ca5df7ccd81d9069daca4

C:\Users\Admin\AppData\Local\Temp\Cinema

MD5 65570d0c36a8df76f5f0f290652d8832
SHA1 bc5e984dbb5045c6b3ff0e507fe2145644824430
SHA256 0161abe58652bc8e36803ec78070a18a07c59ba6cd05388923b05a88010f2670
SHA512 caa736077b30d0c819eafd31696a35681bb7afb1103e77597a6339b133874e80464bbf8db342a3661d59b5ec6802f2f5b0a3550e884155be00b1f4f30920ed8a

C:\Users\Admin\AppData\Local\Temp\Rescue

MD5 6b5b55e3f833053ac81fe00f0e0808f7
SHA1 8334f3338966eed623ab0bce20d3a52c417ee4a9
SHA256 78ba5a3d96aeae98ea4b0b6a63ffc16b8f19438f2f2158580e2a77876e65efd6
SHA512 c7b7198b802bbb514d6b05436b118398fdf94c972a3c6d3ee2e5a9a06c1db97faaea3e0caad2ba85a7fd1d2b77234a559436e8c1d1c300571dbbff9a8a6afe98

C:\Users\Admin\AppData\Local\Temp\Military

MD5 7ae74abe58a6e55d07374af9c912645f
SHA1 ec6f11d0d01ce721ed11ad3739664c44e7b6e2e3
SHA256 b1801346bba35b4cd849cec9b51db802f9e4d2c8d287dfa95352851437f75ff8
SHA512 73e3e8e341d80c529e38de72962b0abf1a70ae4d0da1f149fc3828cdd3a40c561ab490a9a3177c879dbf6136e6cbac139cf84c06b3ff157d5cba8e069f5830b3

C:\Users\Admin\AppData\Local\Temp\Chicken

MD5 20105d875df6d6c0a9a393613822417f
SHA1 36eea2d5499ab0a814f6352f5adfe0e5941fd221
SHA256 ca36b84ae853fe9d1c5051e02ff25123d4064c8a6a20d068bd41abc612ee3d43
SHA512 092cf321346c059926d1f84133ec84fa489fe44880c43eb003eee8a58883178176acef29828c50ac0b9af768d22ddaf59df33e1e0f35cafcf14e3286974765ff

C:\Users\Admin\AppData\Local\Temp\Lucy

MD5 1e19f8b5a5df8835b2c08291a28e2096
SHA1 a2573e83e5d52d4c30fad472131f75c73c666651
SHA256 6a5656e3112e2725b03726a0837bf7ac9614a904ed4bd863fc03f48bf391d3ba
SHA512 65c04cb91f337c076c8bd58298ca32b41c9a58f6733bddd9ba21e6cd36c63c12d4dc9c3234499ec2f4a053f3a5e373d8c3abb4919d139ead3a21507a886d5a94

C:\Users\Admin\AppData\Local\Temp\Html

MD5 60ac1993c088722394ffe200673bb477
SHA1 4bf6dbf1672272cc12ee9c66280ac15eb6621c0c
SHA256 ca3292f4a30d8fc1d5a4aa8d726b5ebcc15c4fcfd05c557c0f90408a398eee95
SHA512 14adc777d65092b48eb1d55e9ec898240fbfc24f13f64734e814457fe2e3f5a7d4a32e4e55299b3638f5308209f28c6ef4e08b70b67107af6ae3106cae0dfd98

C:\Users\Admin\AppData\Local\Temp\Modifications

MD5 ef01a057cc8722790ca29a4ebaa97d06
SHA1 a28e9c67b9b6af98c5aedcdde7d954ba95edd3fc
SHA256 7b9dc5b21229b4ab7c42966692edb6b3c586d3bfc44ea84717ba02247b697c5c
SHA512 214fafd0f54657e56848454b14d99e740726e3b9252c29156650d8d4010632246e3012c28cad9a6554f9be5a929761da78626ec8ebf5dc7500d5b6eb466f733e

C:\Users\Admin\AppData\Local\Temp\Savage

MD5 fb541151b9390f68c6c2401afc2d99c7
SHA1 a31a9d485725a9f86a1867f4f81a58d891a89738
SHA256 ea1b11937d5d91b042394afd21d659a187562800c404ddeb22b9dc112d5de57f
SHA512 5de0e63460d3e7073bae1a1c5caae32e8d8e2bd9ac03ad1f396f24697c451167e3d969f1f0716c1afc224c54556eae522f26dff69d4839dcf0743dbc3899dcf0

C:\Users\Admin\AppData\Local\Temp\Rise

MD5 396d0835e6878f2a72c2104950e072b4
SHA1 27750a5a4cc755abbda70173bad00e7b9d5d7fee
SHA256 b2345ac87d9c2c91dc78b75ce32e6faf57589c483be6c5a7b6cd88a51ac9366a
SHA512 1ed8fce8ab64f9599b7342e8d9ea275bab23d4a13b02230cafcd82d6110bcc7b8e4f708c8e4e6597efb9621b6368ba9b4e84da7cff931855dee81b4ba0d9abe7

C:\Users\Admin\AppData\Local\Temp\Lady

MD5 543168f1d78f27bc1e0a01a41fa841e8
SHA1 3adfd6f137aae243f115727ff34aef34ec4937d2
SHA256 1eecb6117a45ec6408ded2ba9e158a6dcfd5ce70bec186b3fce18c2b554e6d21
SHA512 54c7c0070bd4167f8185915dffbd37c9cc28772a277a4f150ddb9e8cd79fd7c715b386986cd4e6d905c37305338c1bda6841fa5e1ca85fc6ee285532dd4005f1

C:\Users\Admin\AppData\Local\Temp\Live

MD5 376e677f9a5afdf14a709ae45b3ac489
SHA1 12fcde474c530ae35dbd410374b811c3eeb69dbe
SHA256 742701e67824acdab99ab8b17deaaa4323ac3eb497394732811d0f37843bd09a
SHA512 bb2e48d6858574e45033e76f6a48f5009b77a7c0502e4f32fb7097a8223362c8987323e4ec8e69b934aa6aa27ca60aca50efe4a70fe62ca9001fe1f693f1bcd8

C:\Users\Admin\AppData\Local\Temp\Chester

MD5 725acfd693506370739de020e9a887f5
SHA1 45649e96847f624b50ed75515922c1db47fc05da
SHA256 b6c3d34fa004d32a8f12e419c3f6a9bd193d4414d67f10ebda3a15422da28b84
SHA512 89fdf5041b46c186a7149f924f763382e9f05264aed78a935f45244f3ab305ca4e5c3434af75d397342ea1d9e5be03a9f0c11c4f6cd000ed22d0ae977f78899a

C:\Users\Admin\AppData\Local\Temp\Massive

MD5 a980747d497a8ee2ae7004c77f90733b
SHA1 68a73778039a85f26ae490bb1a53cf6f7f606d09
SHA256 29c12fbc9d853a8ae13d605dd64e5694fed70d8693e44d159a9e790624e14609
SHA512 f584cd150da0805f01386647ba672c21e51a26be4c59a606942701cbd19a50fc6619536dbcf4d627d9867a034b0795e9395346f4bd720cc2b2e7f7de57a40d2b

C:\Users\Admin\AppData\Local\Temp\Behavioral

MD5 ebe4b07bfed724aa5becd78901a6fe27
SHA1 5e8dd44ceac3ed195bfa3d1bb101c44f32e80be7
SHA256 6668a6a7cd543d7c205c03f284951e8ea92c28ac73d87e70f75055473897426e
SHA512 8dc0ed93474503a068ab6bad2b59f84bfc0117a8ed81d56f0b02d8f7c96813b813bf2c464b00fb8088eb2e1c5182eb0a1e7ef90d57081292f3abd8099b3d460c

C:\Users\Admin\AppData\Local\Temp\Duplicate

MD5 3bcc0c3847c9a8e1699947169eecb998
SHA1 9eebb699415d3166209f3b3fb86664911aab576d
SHA256 61c57cf3c141dcc23165abefcbe0eb26f80538c03b47de7f6e7199aa5f40ae1f
SHA512 5ddf19bc6cc34e29f08f32b3b9093eed0846c7bd88b34a49cd159f139541f9e16b2375ac6282fc2497fc530bcf0b39325cf46f46e2bd10c19bd7bc34f80fa5db

C:\Users\Admin\AppData\Local\Temp\Features

MD5 d745691d6cb303d913e41ce5e4b58c7c
SHA1 4d650125002e80e9134f13a50d517371ebb75690
SHA256 73ffb9ea8910ea475edb0a552409388109572d989cf03ab6a5c0a661e13849e8
SHA512 38217f947ae0348a2ce079bd8086fd276cc3b5ace0bcb1f3d9793f9c939eea9ae1498788c49772472128c17dd5e63a25cb1b75ad8cee12497358442b48a1fedb

C:\Users\Admin\AppData\Local\Temp\Si

MD5 718c0e812f72e5bcbec91397f65a077d
SHA1 76068ad0af77a48d664e4b36133f17649b818648
SHA256 8f9840ba9841a3a0df66883c1b2063f2252ef739d0ba2326de6162a7c510a860
SHA512 c8c3b178828562df41f03cead119f330c20009e9c373bb95e78e7c49c39c1a74e11583974facb5198d6277aadf644446691202a3ea084d4c3facc8208fc917cc

C:\Users\Admin\AppData\Local\Temp\Holy

MD5 2d96b5acce1dec9f12612c247afd1863
SHA1 86a7951ea9243849382c4201407f2def3bc3c04e
SHA256 5b07743f4c23ea6b6a2bae967d7e556b0be8afbf3513a90e42944e38da1e3035
SHA512 5dbf9f3ff88f3b98b1b562c996f4406254cdf697cbbeb4d95e5374248f8cdb5ab3b5fb1b622546dc3488e911bafd255c82a8f836bc3d2c02e4b0371991647563

C:\Users\Admin\AppData\Local\Temp\Blogger

MD5 378485e10e236ff814d839659433f06d
SHA1 5ae0565d277f6e85f58c8607d0b34db0a416025b
SHA256 aee4aa79a81b1f35f9453ad64d7a5913a87cdd44eadbd17648f0be9a530f7245
SHA512 e81a362ea8a4e5a2ef9b112cbaf581094a992b1a6f31464f60b60828e22284d44374fd6607ec5378fb8deb0d88cc853c2dbbce5fdff38a4ae991fc49f65523ad

C:\Users\Admin\AppData\Local\Temp\Highlighted

MD5 64b4546e5c30703ec09d37d7b580a5f8
SHA1 32bd68a136801200bc147cfc4e554d63ceb35e80
SHA256 bdd93c57d2d6f02a7402eac7517db0d4a58390d01d74443668260436d0af5328
SHA512 a28cbd7438b6abc438cba05e11251037193a1b0b77846cc960ff6d6fde83c4f262a002fef6402caba68083fb0d7bca97bdd9241979a4de1957aebb8267087d67

C:\Users\Admin\AppData\Local\Temp\Signing

MD5 13d7a9bf7a6a8ad1d7786ae78a0499ae
SHA1 d76aa87f901d3ccf0838fff7a49e9f8b1bdc5288
SHA256 5a5f6dab597d2edf2f36671cc2e7973d649a7e182a36be32581b586af2d8a0f8
SHA512 38da7f8760ca8677bfd87dd2ed64fd1be84c9336268eade2985f24bd7099dab6046c25b636e4ca29417c0236b0e2e42f2beb1cacbfbe22bc2d444f6d9fe03411

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\57839\j

MD5 6f2a4dfc60f72b9025b045544856516d
SHA1 88b8695b7b9abe8531fbbc10ed1c3c34549a83c3
SHA256 dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea
SHA512 afb3fcec8edda5a4f4dacff719874420d31307006009d20259051adf1ecd68e40420cf0254924c6b8c4754ed4d66c202244baef0649fc1ece1f3ac08b99b2da9

memory/4512-84-0x0000000001260000-0x0000000001440000-memory.dmp

memory/4512-85-0x0000000001260000-0x0000000001440000-memory.dmp

memory/4512-87-0x0000000001260000-0x0000000001440000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-02 16:01

Reported

2024-09-02 16:09

Platform

win11-20240802-en

Max time kernel

240s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 492 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\NotreNr C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\SpectrumNext C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\StayOperating C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\BrokerBaby C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
File opened for modification C:\Windows\SurelyCabin C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1828 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1828 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1828 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1828 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1828 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1828 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1828 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 1828 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 1828 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 1828 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1828 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1828 wrote to memory of 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 492 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 492 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 492 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 492 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
PID 492 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Processes

C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\power systems ii.pdf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 57839

C:\Windows\SysWOW64\findstr.exe

findstr /V "ComicHoRecruitingHabits" Voluntary

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + ..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + ..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + ..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + ..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + ..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + ..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

Crash.pif j

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif
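The process tree above is the part of this detonation worth turning into detection logic: cmd.exe runs tasklist and pipes it into findstr /I with security-product process names, joins the dropped fragments with copy /b, launches Crash.pif with the joined file as its argument, pads with choice /t 5, and Crash.pif then spawns a second Crash.pif (the pair the SetThreadContext signature points at). The following is an added example written for this page, not code from the sandbox or any vendor product. EVENTS is constructed from the PIDs and command lines listed in this analysis, with a Sysmon-style pid/ppid/image/cmd layout assumed, the root's parent PID set to 0, and the copy /b line shortened from its 35 fragments; analyze() returns one finding per stage.

```python
"""Flag the staged-dropper behaviour this report records from process-creation
telemetry.  Added example, not part of the sandbox report or of any vendor tool.
EVENTS is constructed from the report's PIDs and command lines; a Sysmon-style
pid/ppid/image/cmd layout and ppid 0 for the initial sample are assumptions."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"

# Constructed from the report's process tree.
EVENTS = [
    {"pid": 3472, "ppid": 0,    "image": TEMP + r"\power systems ii.pdf.exe",
     "cmd": '"' + TEMP + r'\power systems ii.pdf.exe"'},
    {"pid": 1828, "ppid": 3472, "image": SYS + r"\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /k move Expectations Expectations.bat & Expectations.bat & exit'},
    {"pid": 2148, "ppid": 1828, "image": SYS + r"\tasklist.exe", "cmd": "tasklist"},
    {"pid": 4724, "ppid": 1828, "image": SYS + r"\findstr.exe", "cmd": 'findstr /I "wrsa opssvc"'},
    {"pid": 4768, "ppid": 1828, "image": SYS + r"\tasklist.exe", "cmd": "tasklist"},
    {"pid": 3624, "ppid": 1828, "image": SYS + r"\findstr.exe",
     "cmd": 'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"'},
    {"pid": 1552, "ppid": 1828, "image": SYS + r"\cmd.exe", "cmd": "cmd /c md 57839"},
    {"pid": 3060, "ppid": 1828, "image": SYS + r"\findstr.exe",
     "cmd": 'findstr /V "ComicHoRecruitingHabits" Voluntary'},
    # shortened from the report's 35-fragment copy /b command line
    {"pid": 4920, "ppid": 1828, "image": SYS + r"\cmd.exe",
     "cmd": r"cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Highlighted j"},
    {"pid": 492,  "ppid": 1828, "image": TEMP + r"\57839\Crash.pif", "cmd": "Crash.pif j"},
    {"pid": 784,  "ppid": 1828, "image": SYS + r"\choice.exe", "cmd": "choice /d y /t 5"},
    {"pid": 2468, "ppid": 492,  "image": TEMP + r"\57839\Crash.pif", "cmd": TEMP + r"\57839\Crash.pif"},
]

# Security-product process names the dropper greps tasklist output for
# (taken from the report's two findstr /I command lines).
AV_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}


def _base(image):
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (kind, ...) tuples for each dropper stage visible in `events`."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        base, cmd = _base(e["image"]), e["cmd"]
        siblings = children[e["ppid"]]
        # Stage 1: `tasklist | findstr /I "<av names>"` under the same cmd.exe.
        if base == "findstr.exe":
            m = re.search(r'/i\s+"([^"]+)"', cmd, re.I)
            hits = set(m.group(1).lower().split()) & AV_NAMES if m else set()
            if hits and any(_base(s["image"]) == "tasklist.exe" for s in siblings):
                findings.append(("av_process_check", e["pid"], sorted(hits)))
        # Stage 2: copy /b joining three or more fragments into one file.
        if base == "cmd.exe" and re.search(r"\bcopy\s+/b\s", cmd, re.I):
            parts = cmd.count(" + ") + 1
            if parts >= 3:
                findings.append(("fragment_join", e["pid"], parts))
        # Stage 3: choice /t N used as a cheap sleep before the next stage.
        m = re.search(r"\bchoice\b.*?/t\s+(\d+)", cmd, re.I)
        if base == "choice.exe" and m:
            findings.append(("delay", e["pid"], int(m.group(1))))
        # Stage 4: a non-system binary spawning a copy of itself, the
        # Crash.pif -> Crash.pif pair the SetThreadContext signature points at.
        parent = by_pid.get(e["ppid"])
        if (parent and parent["image"].lower() == e["image"].lower()
                and not e["image"].lower().startswith("c:\\windows\\")):
            findings.append(("self_spawn", parent["pid"], e["pid"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The self-spawn rule deliberately ignores binaries under C:\Windows, otherwise the nested cmd.exe /c children in this same tree would fire it; in production telemetry the SetThreadContext or Wow64SetThreadContext call from PID 492 to 2468 is the stronger signal and should be correlated with the spawn.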

Network

Country Destination Domain Proto
US 8.8.8.8:53 zRSEpqfcCxtm.zRSEpqfcCxtm udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 104.26.9.59:443 api.myip.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Expectations

MD5 3281bcef02057c7c42ffc446180035d9
SHA1 b6f03015126215d02e2e0a299af9822df7080a0b
SHA256 a09bfd463231d947d05075be36ab7bf17df215973c35f8de0cfa7bb8497bc713
SHA512 2dd9821ce87a7e17a9a1d0546873ed2f8c0ceab314b10d1b71c95be2f209cc60c265b2cd6aba1ba1e694a7d709b7028c7f11cccd0e7bf555825ddfc69a78458c

C:\Users\Admin\AppData\Local\Temp\Voluntary

MD5 f9eb00df5045603dcd9bd10c9c2de5a6
SHA1 ec9430633bd4833a58c4d5cabdb4bd39115c3fee
SHA256 f4c33fe43545336d8214df342721358940b2931733e1e495171b16eec3eaf3ca
SHA512 1f48845c174f306cf96400a2c7a200729529726f92a4c433ba07d07dace7a9394a5fa165824e69b3ef16a7bfa1f4ddb56c5377f76a00d927ddd4ffd0ef8bb402

C:\Users\Admin\AppData\Local\Temp\Convicted

MD5 756ebe860d35cf35959526d533e1547b
SHA1 d739e66da9e6cea11d1df535210ad0dbf1bab2ea
SHA256 f9ad895cd4e1daa5469ad8f10da51ce8bc7761bcaf1bfd1a1b859617bd5f9659
SHA512 264cdb50d5fe76edf63825abb9cbf671182b985ff2a08cfb2bc762ea48e0bd5a9bc6c83473b2e468e3dd5536c4a34a14f79d3685f85c7a4353bfaf6692859650

C:\Users\Admin\AppData\Local\Temp\Festival

MD5 b7ad3cbdf401b3c7267cfc9711574142
SHA1 e7a0ceb17efd4038a20865e496bd4a5ba19fd77c
SHA256 643138ec5dc886e6bf8814b20e79755508d431fdb30b09bfcfe9c151a067ae78
SHA512 735f0ace87cf5da6764c5ba585841c5551c45bd1e4c1e80cb9bb85fb5409a5c25aa13270a906e3cc6bafabdd2ef49b057653b9492c6d0c40564e99ae38b3cbbe

C:\Users\Admin\AppData\Local\Temp\Row

MD5 bf39dfa471c242ee0ce4c1010af5854f
SHA1 7f50ac6e3939dde82d92b5c60ec2a724a8d840b9
SHA256 fbf43408da62b58fb3f45239076f92258d9c93a1cea87ac5c194be668426195e
SHA512 bf94e13970fac6c98370cad29986a635283652de4fd7cf84b451343427cf4ad97d9b1185cccf780fbbcd7c9eeda49d67372ac81630e3c9b353ad2a0412bcb9d3

C:\Users\Admin\AppData\Local\Temp\Seven

MD5 2edee24053811c6808c917363e0a36b1
SHA1 67335e45423653ceb25fda916f03906c7809ead2
SHA256 80bda82b089599eca38f145957fd0c552994c6b5ea7f3084ad3bbf7f2805c030
SHA512 b2649bf558570da468baeb7654c66915253d70e9ce7595e0b10a8cb04af75e38986ad68b16f581ea79f54c5a4d5d06f51b13cd6c3b9f1eef16bffedfef965c38

C:\Users\Admin\AppData\Local\Temp\Author

MD5 ff664f8979f694400b1973a4c9090640
SHA1 1f14c9bfec66926d43f9fcae51a531af3a1d95c3
SHA256 2944dfefe3123e84dae7deeb3d25353cb4691926a8ef10de80ace2a194e5a355
SHA512 665bfa47c037d22edbd1d17947eb25842928ef52a637bec755f843bc7ecbf99f43d804931c0ad1cf567f700461d02dfb55025f60207e9e6c20d3a13b2832feaa

C:\Users\Admin\AppData\Local\Temp\Jersey

MD5 25f618dcd9a958e79913ec30f89f30c9
SHA1 52ce81a9f0d13373257382c67633b3726cd0e919
SHA256 859989af71529799e5dae9275b104e8c45b8fa37176f969047151687c3b3ea12
SHA512 c477e402556045035f3028994fdeffed31f78a787a9dbadccdcc7862d03d234902170559a3fc8929fe4a59fb61279881c6c1f2b7d6870f97c3d9b346e3aafd7f

C:\Users\Admin\AppData\Local\Temp\Affecting

MD5 3f0c844167b93ec7fd2697de91790c4b
SHA1 81e9e8c129ef264c7981c49be22fc4f41e504c76
SHA256 43dc4eb4d4b1b5be602976c3e6675285b0056fd6c0dd676362f4d026325b0556
SHA512 54b72f71637cbcb159c0aaff33ddd6384aefe33bba50fe75c431051dbdda0e6ca83503678635cdabfeabaa11aea0a4c175b9acb48d926e03b7afe2133d269ef4

C:\Users\Admin\AppData\Local\Temp\Explanation

MD5 1570a1bee5b357710cc74f60ce825c22
SHA1 c515aeca6d025d65dc191a31755e87f54092acc5
SHA256 bdf3713418777ec674408cd3f62ab56e09a2467f1a5f78e8f078f4ef3ecab7ae
SHA512 cddcd3363f1975f0d6118cef40c9464d87f5f8eaba62e8d79da2fc60f5ce7148ffbdc90b60d020e2e78ef3e8c57eff7c9e75dd23295d31354997ce277646c726

C:\Users\Admin\AppData\Local\Temp\Reductions

MD5 d203f6393a3903aa4d01f3f7f8fbdca1
SHA1 de0f58ca1f059366d86bfeb1ce91c44b60898bc9
SHA256 56362c14415b381c1e869e4fdc88e02945c5560ecb8e4fb877c6afc9e86479dd
SHA512 4fef97dfc0a70679005c56d9b3a541ce8f36460f667769f48e84b2313f7f6c02c35ce5b5a909778afd2c89e8e7af487d8d0db8adb415ae63aad888e5e167fa87

C:\Users\Admin\AppData\Local\Temp\Monte

MD5 5052be6a36baef4bc80fc0a25377991f
SHA1 f4d4d1226128ff8b76a2ff07cddb00132025da58
SHA256 deca9a2ea25ed74c437cf2de09db4487235dad8aa66ba9b61829ed4984c10952
SHA512 d651ec799bd503f4bb542a57135ac87f1901b636103054d7b4d57002d80ef866fe815825af314ba621b164d08524475086c06df987c480b2bfe2b2c687cc81e5

C:\Users\Admin\AppData\Local\Temp\Nissan

MD5 4c1bf2e085c8294fdca893a02a568d67
SHA1 f0f6b045c8b13b1684c3ab44ebc9a7fc16bfb375
SHA256 cd21acc319a788cb924a5a471d00199f414aa5c08e2f0bc6e8b1cc27b5e96891
SHA512 2c709bbdc03236416ee76a86d18454a405d9e820de671b749b05509e7a1e1777c18c6e7cf37ec3aa3e0c419baef71f1b240b7667554cd14a594f1b0cf73f83f4

C:\Users\Admin\AppData\Local\Temp\Complicated

MD5 6762d4e94c1b03d2c784c5fcc6078641
SHA1 3b1b5041616acacd1a3f2af9206dfb8836cbed8c
SHA256 05dc4d855281f909f9283f5509e6d73c3d48649be7d089555e69f371fdd71a0e
SHA512 0ef26c4dcb68dbfeafa254a82286d23403c44d1f21a5b2d677cb3ecefa55b28084afeb6e8bedac80360c34e03846a1562e9d7ef072670a7be62f9209a29475a2

C:\Users\Admin\AppData\Local\Temp\Download

MD5 e62c9797d10a365321d928e89954a5be
SHA1 612831de5d1cf5ebd90101617d78411cd5571e98
SHA256 565c1e4052237777bf85e359f87a57ad8291017062300e5f677f9d3d77767e03
SHA512 7c45ba8873a2647ba73d9fe3aff724051e9da73cb12bebce844fe66140b8493fab661f4c88bf89c1cbeed7e35f8744b679910e3a66aae7933f38aa4230bc1eb0

C:\Users\Admin\AppData\Local\Temp\Challenge

MD5 537268e78ee12bfbcc243c56a7d496fc
SHA1 0dfc9eccbddc26e4ae99349cbbabeff3319328ec
SHA256 2606d23c85faa7cd6392ca4e1988da60c712c824636e8a3a438ab189798cb6ee
SHA512 4ac82bd876c1530906ecff0bafa09160de3512e9f5acecf3a005a68b1e273ea035d9411b00d06fb7e26e36d82ff3acd6eea86ece56543ab42f00256d76697ca3

C:\Users\Admin\AppData\Local\Temp\Diet

MD5 7430584ab5031bd1784772da8a706f6e
SHA1 c299c3785cc742b5d224a500048230320b83eea3
SHA256 ae0f89dedfc06a686fc283b53fa77b42d07360149a6becf05b134b08bce462e2
SHA512 82ba15f997e3b62287cb56138606d930e1d77ebc9a338252cc5f353df4e4361f7a96347580131ea23d651225c72945e44b18d3cd596ca5df7ccd81d9069daca4

C:\Users\Admin\AppData\Local\Temp\Cinema

MD5 65570d0c36a8df76f5f0f290652d8832
SHA1 bc5e984dbb5045c6b3ff0e507fe2145644824430
SHA256 0161abe58652bc8e36803ec78070a18a07c59ba6cd05388923b05a88010f2670
SHA512 caa736077b30d0c819eafd31696a35681bb7afb1103e77597a6339b133874e80464bbf8db342a3661d59b5ec6802f2f5b0a3550e884155be00b1f4f30920ed8a

C:\Users\Admin\AppData\Local\Temp\Rescue

MD5 6b5b55e3f833053ac81fe00f0e0808f7
SHA1 8334f3338966eed623ab0bce20d3a52c417ee4a9
SHA256 78ba5a3d96aeae98ea4b0b6a63ffc16b8f19438f2f2158580e2a77876e65efd6
SHA512 c7b7198b802bbb514d6b05436b118398fdf94c972a3c6d3ee2e5a9a06c1db97faaea3e0caad2ba85a7fd1d2b77234a559436e8c1d1c300571dbbff9a8a6afe98

C:\Users\Admin\AppData\Local\Temp\Military

MD5 7ae74abe58a6e55d07374af9c912645f
SHA1 ec6f11d0d01ce721ed11ad3739664c44e7b6e2e3
SHA256 b1801346bba35b4cd849cec9b51db802f9e4d2c8d287dfa95352851437f75ff8
SHA512 73e3e8e341d80c529e38de72962b0abf1a70ae4d0da1f149fc3828cdd3a40c561ab490a9a3177c879dbf6136e6cbac139cf84c06b3ff157d5cba8e069f5830b3

C:\Users\Admin\AppData\Local\Temp\Lucy

MD5 1e19f8b5a5df8835b2c08291a28e2096
SHA1 a2573e83e5d52d4c30fad472131f75c73c666651
SHA256 6a5656e3112e2725b03726a0837bf7ac9614a904ed4bd863fc03f48bf391d3ba
SHA512 65c04cb91f337c076c8bd58298ca32b41c9a58f6733bddd9ba21e6cd36c63c12d4dc9c3234499ec2f4a053f3a5e373d8c3abb4919d139ead3a21507a886d5a94

C:\Users\Admin\AppData\Local\Temp\Chicken

MD5 20105d875df6d6c0a9a393613822417f
SHA1 36eea2d5499ab0a814f6352f5adfe0e5941fd221
SHA256 ca36b84ae853fe9d1c5051e02ff25123d4064c8a6a20d068bd41abc612ee3d43
SHA512 092cf321346c059926d1f84133ec84fa489fe44880c43eb003eee8a58883178176acef29828c50ac0b9af768d22ddaf59df33e1e0f35cafcf14e3286974765ff

C:\Users\Admin\AppData\Local\Temp\Html

MD5 60ac1993c088722394ffe200673bb477
SHA1 4bf6dbf1672272cc12ee9c66280ac15eb6621c0c
SHA256 ca3292f4a30d8fc1d5a4aa8d726b5ebcc15c4fcfd05c557c0f90408a398eee95
SHA512 14adc777d65092b48eb1d55e9ec898240fbfc24f13f64734e814457fe2e3f5a7d4a32e4e55299b3638f5308209f28c6ef4e08b70b67107af6ae3106cae0dfd98

C:\Users\Admin\AppData\Local\Temp\Modifications

MD5 ef01a057cc8722790ca29a4ebaa97d06
SHA1 a28e9c67b9b6af98c5aedcdde7d954ba95edd3fc
SHA256 7b9dc5b21229b4ab7c42966692edb6b3c586d3bfc44ea84717ba02247b697c5c
SHA512 214fafd0f54657e56848454b14d99e740726e3b9252c29156650d8d4010632246e3012c28cad9a6554f9be5a929761da78626ec8ebf5dc7500d5b6eb466f733e

C:\Users\Admin\AppData\Local\Temp\Savage

MD5 fb541151b9390f68c6c2401afc2d99c7
SHA1 a31a9d485725a9f86a1867f4f81a58d891a89738
SHA256 ea1b11937d5d91b042394afd21d659a187562800c404ddeb22b9dc112d5de57f
SHA512 5de0e63460d3e7073bae1a1c5caae32e8d8e2bd9ac03ad1f396f24697c451167e3d969f1f0716c1afc224c54556eae522f26dff69d4839dcf0743dbc3899dcf0

C:\Users\Admin\AppData\Local\Temp\Rise

MD5 396d0835e6878f2a72c2104950e072b4
SHA1 27750a5a4cc755abbda70173bad00e7b9d5d7fee
SHA256 b2345ac87d9c2c91dc78b75ce32e6faf57589c483be6c5a7b6cd88a51ac9366a
SHA512 1ed8fce8ab64f9599b7342e8d9ea275bab23d4a13b02230cafcd82d6110bcc7b8e4f708c8e4e6597efb9621b6368ba9b4e84da7cff931855dee81b4ba0d9abe7

C:\Users\Admin\AppData\Local\Temp\Lady

MD5 543168f1d78f27bc1e0a01a41fa841e8
SHA1 3adfd6f137aae243f115727ff34aef34ec4937d2
SHA256 1eecb6117a45ec6408ded2ba9e158a6dcfd5ce70bec186b3fce18c2b554e6d21
SHA512 54c7c0070bd4167f8185915dffbd37c9cc28772a277a4f150ddb9e8cd79fd7c715b386986cd4e6d905c37305338c1bda6841fa5e1ca85fc6ee285532dd4005f1

C:\Users\Admin\AppData\Local\Temp\Live

MD5 376e677f9a5afdf14a709ae45b3ac489
SHA1 12fcde474c530ae35dbd410374b811c3eeb69dbe
SHA256 742701e67824acdab99ab8b17deaaa4323ac3eb497394732811d0f37843bd09a
SHA512 bb2e48d6858574e45033e76f6a48f5009b77a7c0502e4f32fb7097a8223362c8987323e4ec8e69b934aa6aa27ca60aca50efe4a70fe62ca9001fe1f693f1bcd8

C:\Users\Admin\AppData\Local\Temp\Chester

MD5 725acfd693506370739de020e9a887f5
SHA1 45649e96847f624b50ed75515922c1db47fc05da
SHA256 b6c3d34fa004d32a8f12e419c3f6a9bd193d4414d67f10ebda3a15422da28b84
SHA512 89fdf5041b46c186a7149f924f763382e9f05264aed78a935f45244f3ab305ca4e5c3434af75d397342ea1d9e5be03a9f0c11c4f6cd000ed22d0ae977f78899a

C:\Users\Admin\AppData\Local\Temp\Massive

MD5 a980747d497a8ee2ae7004c77f90733b
SHA1 68a73778039a85f26ae490bb1a53cf6f7f606d09
SHA256 29c12fbc9d853a8ae13d605dd64e5694fed70d8693e44d159a9e790624e14609
SHA512 f584cd150da0805f01386647ba672c21e51a26be4c59a606942701cbd19a50fc6619536dbcf4d627d9867a034b0795e9395346f4bd720cc2b2e7f7de57a40d2b

C:\Users\Admin\AppData\Local\Temp\Behavioral

MD5 ebe4b07bfed724aa5becd78901a6fe27
SHA1 5e8dd44ceac3ed195bfa3d1bb101c44f32e80be7
SHA256 6668a6a7cd543d7c205c03f284951e8ea92c28ac73d87e70f75055473897426e
SHA512 8dc0ed93474503a068ab6bad2b59f84bfc0117a8ed81d56f0b02d8f7c96813b813bf2c464b00fb8088eb2e1c5182eb0a1e7ef90d57081292f3abd8099b3d460c

C:\Users\Admin\AppData\Local\Temp\Duplicate

MD5 3bcc0c3847c9a8e1699947169eecb998
SHA1 9eebb699415d3166209f3b3fb86664911aab576d
SHA256 61c57cf3c141dcc23165abefcbe0eb26f80538c03b47de7f6e7199aa5f40ae1f
SHA512 5ddf19bc6cc34e29f08f32b3b9093eed0846c7bd88b34a49cd159f139541f9e16b2375ac6282fc2497fc530bcf0b39325cf46f46e2bd10c19bd7bc34f80fa5db

C:\Users\Admin\AppData\Local\Temp\Features

MD5 d745691d6cb303d913e41ce5e4b58c7c
SHA1 4d650125002e80e9134f13a50d517371ebb75690
SHA256 73ffb9ea8910ea475edb0a552409388109572d989cf03ab6a5c0a661e13849e8
SHA512 38217f947ae0348a2ce079bd8086fd276cc3b5ace0bcb1f3d9793f9c939eea9ae1498788c49772472128c17dd5e63a25cb1b75ad8cee12497358442b48a1fedb

C:\Users\Admin\AppData\Local\Temp\Si

MD5 718c0e812f72e5bcbec91397f65a077d
SHA1 76068ad0af77a48d664e4b36133f17649b818648
SHA256 8f9840ba9841a3a0df66883c1b2063f2252ef739d0ba2326de6162a7c510a860
SHA512 c8c3b178828562df41f03cead119f330c20009e9c373bb95e78e7c49c39c1a74e11583974facb5198d6277aadf644446691202a3ea084d4c3facc8208fc917cc

C:\Users\Admin\AppData\Local\Temp\Blogger

MD5 378485e10e236ff814d839659433f06d
SHA1 5ae0565d277f6e85f58c8607d0b34db0a416025b
SHA256 aee4aa79a81b1f35f9453ad64d7a5913a87cdd44eadbd17648f0be9a530f7245
SHA512 e81a362ea8a4e5a2ef9b112cbaf581094a992b1a6f31464f60b60828e22284d44374fd6607ec5378fb8deb0d88cc853c2dbbce5fdff38a4ae991fc49f65523ad

C:\Users\Admin\AppData\Local\Temp\Holy

MD5 2d96b5acce1dec9f12612c247afd1863
SHA1 86a7951ea9243849382c4201407f2def3bc3c04e
SHA256 5b07743f4c23ea6b6a2bae967d7e556b0be8afbf3513a90e42944e38da1e3035
SHA512 5dbf9f3ff88f3b98b1b562c996f4406254cdf697cbbeb4d95e5374248f8cdb5ab3b5fb1b622546dc3488e911bafd255c82a8f836bc3d2c02e4b0371991647563

C:\Users\Admin\AppData\Local\Temp\Signing

MD5 13d7a9bf7a6a8ad1d7786ae78a0499ae
SHA1 d76aa87f901d3ccf0838fff7a49e9f8b1bdc5288
SHA256 5a5f6dab597d2edf2f36671cc2e7973d649a7e182a36be32581b586af2d8a0f8
SHA512 38da7f8760ca8677bfd87dd2ed64fd1be84c9336268eade2985f24bd7099dab6046c25b636e4ca29417c0236b0e2e42f2beb1cacbfbe22bc2d444f6d9fe03411

C:\Users\Admin\AppData\Local\Temp\Highlighted

MD5 64b4546e5c30703ec09d37d7b580a5f8
SHA1 32bd68a136801200bc147cfc4e554d63ceb35e80
SHA256 bdd93c57d2d6f02a7402eac7517db0d4a58390d01d74443668260436d0af5328
SHA512 a28cbd7438b6abc438cba05e11251037193a1b0b77846cc960ff6d6fde83c4f262a002fef6402caba68083fb0d7bca97bdd9241979a4de1957aebb8267087d67

C:\Users\Admin\AppData\Local\Temp\57839\Crash.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\57839\j

MD5 6f2a4dfc60f72b9025b045544856516d
SHA1 88b8695b7b9abe8531fbbc10ed1c3c34549a83c3
SHA256 dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea
SHA512 afb3fcec8edda5a4f4dacff719874420d31307006009d20259051adf1ecd68e40420cf0254924c6b8c4754ed4d66c202244baef0649fc1ece1f3ac08b99b2da9

memory/2468-84-0x0000000001680000-0x0000000001860000-memory.dmp

memory/2468-85-0x0000000001680000-0x0000000001860000-memory.dmp

memory/2468-87-0x0000000001680000-0x0000000001860000-memory.dmp
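The fragment files hashed above (Festival through Highlighted) are only meaningful once joined in the exact order of the dropper's copy /b command line, and Crash.pif is carved out of Voluntary by dropping the line that carries the marker string. The following is an added example, not part of the sandbox report: it parses that command line to recover the fragment order, rebuilds j from a set of fragments, emulates the findstr /V step, and compares the result with the SHA256 this report records for j. FRAGMENTS and the sample Voluntary bytes are constructed stand-ins, so their hashes are illustrative; run against the real dropped files, the rebuilt output should reproduce the reported hash.

```python
"""Rebuild the payload the dropper runs as `Crash.pif j` from its dropped
fragments, in the order fixed by the copy /b command line this report records,
and emulate the findstr /V carve-out that turns Voluntary into Crash.pif.
Added example, not part of the sandbox report; FRAGMENTS and the Voluntary
sample below are constructed stand-ins for the dropped files."""
import hashlib
import re

# Verbatim from the report's process list.
COPY_CMD = (r"cmd /c copy /b ..\Festival + ..\Row + ..\Seven + ..\Author + ..\Jersey + "
            r"..\Affecting + ..\Explanation + ..\Reductions + ..\Monte + ..\Nissan + "
            r"..\Download + ..\Complicated + ..\Challenge + ..\Diet + ..\Cinema + "
            r"..\Rescue + ..\Military + ..\Chicken + ..\Lucy + ..\Html + "
            r"..\Modifications + ..\Savage + ..\Rise + ..\Lady + ..\Live + ..\Chester + "
            r"..\Massive + ..\Behavioral + ..\Duplicate + ..\Features + ..\Si + "
            r"..\Blogger + ..\Holy + ..\Signing + ..\Highlighted j")
# SHA256 the report lists for C:\Users\Admin\AppData\Local\Temp\57839\j.
REPORTED_J_SHA256 = "dc6a0f03e2e81bbc16caeaec1595d7c18fcda70d1bb6bb3198076d3494e895ea"


def parse_copy_b(cmdline):
    """Return (ordered fragment basenames, output name) for `copy /b A + B + ... OUT`."""
    m = re.search(r"\bcopy\s+/b\s+(.+?)\s*$", cmdline, re.I)
    if not m:
        raise ValueError("not a copy /b command line")
    tokens = m.group(1).split()
    out, srcs = tokens[-1], " ".join(tokens[:-1])
    # copy accepts `A+B` as well as `A + B`; split on the operator either way
    # and keep only the basename (the dropper addresses fragments as ..\Name).
    names = [s.strip().rsplit("\\", 1)[-1] for s in srcs.split("+") if s.strip()]
    return names, out


def rebuild(fragments, cmdline):
    """Concatenate `fragments` (name -> bytes) in copy /b order; a missing piece raises."""
    names, _ = parse_copy_b(cmdline)
    missing = [n for n in names if n not in fragments]
    if missing:
        raise KeyError(f"fragments not recovered: {missing}")
    return b"".join(fragments[n] for n in names)


def findstr_v(data, marker):
    """Approximate `findstr /V "<marker>" file`: keep only lines not containing marker.
    findstr is line-oriented, so on binary input the real tool may treat line
    endings differently than this split on \\n does; check the carved output
    against the reported hash of Crash.pif rather than trusting the emulation."""
    return b"\n".join(line for line in data.split(b"\n") if marker not in line)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins: each fragment is its own name followed by a separator.
FRAGMENT_NAMES, OUTPUT_NAME = parse_copy_b(COPY_CMD)
FRAGMENTS = {n: n.encode() + b"|" for n in FRAGMENT_NAMES}


def demo():
    rebuilt = rebuild(FRAGMENTS, COPY_CMD)
    # Constructed Voluntary: a decoy line carrying the marker, then a fake PE header.
    voluntary = b"ComicHoRecruitingHabits\r\nMZ\x90\x00\x03\n\x00\x00"
    carved = findstr_v(voluntary, b"ComicHoRecruitingHabits")
    return {
        "fragment_count": len(FRAGMENT_NAMES),
        "output_name": OUTPUT_NAME,
        "rebuilt_sha256": sha256_hex(rebuilt),
        "matches_report": sha256_hex(rebuilt) == REPORTED_J_SHA256,
        "carved": carved,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real acquisition, point FRAGMENTS at the bytes of the 35 dropped files (they sit in Temp, one level above the 57839 working directory the dropper creates) and expect matches_report to be True; a mismatch means a fragment was missed or modified, or the sandbox recorded a different build of the sample.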