Malware Analysis Report

2024-10-23 17:18

Sample ID 240908-n6lj3sxcmf
Target advanced_systemcare_pro_v17.6.0.322___fix.zip
SHA256 beda3334ba514f8b961f01e1b5e1ce651304658046267f502c520b5bba387889
Tags
discovery
score
7/10

Analysis Overview

score
7/10

SHA256

beda3334ba514f8b961f01e1b5e1ce651304658046267f502c520b5bba387889

Threat Level: Shows suspicious behavior

The file advanced_systemcare_pro_v17.6.0.322___fix.zip was found to show suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-08 12:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 12:00

Reported

2024-09-08 12:10

Platform

win10-20240611-ja

Max time kernel

307s

Max time network

324s

Command Line

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4504 set thread context of 3912 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WatchesAble C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\RoughlyOptimize C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\FioricetTrial C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\SaraBiographies C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\JobElected C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\LazyGraduation C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1036 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1036 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1036 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1036 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1036 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1036 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1036 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1036 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1036 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1036 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1036 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1036 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4504 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 4504 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 4504 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 4504 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 4504 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Processes

C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Establishment Establishment.bat & Establishment.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 66489

C:\Windows\SysWOW64\findstr.exe

findstr /V "technoourselveshdtvportal" Dance

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Launched + ..\Compatibility + ..\Territory + ..\Tomato + ..\Phones + ..\Camera + ..\Botswana + ..\Traveling + ..\Acc + ..\Fireplace + ..\Legends + ..\Filled + ..\Somalia + ..\Pilot + ..\Reduces + ..\Comprehensive + ..\Collections + ..\Fp + ..\Tubes + ..\Mostly + ..\Rugby + ..\Conferencing + ..\Bring + ..\Cosmetic + ..\Dicke + ..\Vi + ..\Specialist + ..\Singles + ..\Biotechnology + ..\Par + ..\Overall + ..\Connector t

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Updated.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 geMRGKqVxVpfJTwCaGgFh.geMRGKqVxVpfJTwCaGgFh udp
NL 62.133.61.172:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 185.143.223.148:80 tcp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-09-08 12:00

Reported

2024-09-08 12:10

Platform

win10v2004-20240802-ja

Max time kernel

156s

Max time network

292s

Command Line

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5736 set thread context of 2928 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\JobElected C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\LazyGraduation C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\WatchesAble C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\RoughlyOptimize C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\FioricetTrial C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\SaraBiographies C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 4688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 4688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 4688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 5968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 5968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 5968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 5416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 5176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 5176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 5176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 5736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 228 wrote to memory of 5736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 228 wrote to memory of 5736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 228 wrote to memory of 5660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 228 wrote to memory of 5660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 228 wrote to memory of 5660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 5736 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 5736 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 5736 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 5736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 5736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 5736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 5736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 5736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Processes

C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Establishment Establishment.bat & Establishment.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 66489

C:\Windows\SysWOW64\findstr.exe

findstr /V "technoourselveshdtvportal" Dance

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Launched + ..\Compatibility + ..\Territory + ..\Tomato + ..\Phones + ..\Camera + ..\Botswana + ..\Traveling + ..\Acc + ..\Fireplace + ..\Legends + ..\Filled + ..\Somalia + ..\Pilot + ..\Reduces + ..\Comprehensive + ..\Collections + ..\Fp + ..\Tubes + ..\Mostly + ..\Rugby + ..\Conferencing + ..\Bring + ..\Cosmetic + ..\Dicke + ..\Vi + ..\Specialist + ..\Singles + ..\Biotechnology + ..\Par + ..\Overall + ..\Connector t

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Updated.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 geMRGKqVxVpfJTwCaGgFh.geMRGKqVxVpfJTwCaGgFh udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 185.143.223.148:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 173.231.16.77:443 api64.ipify.org tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Establishment

MD5 dc7ec9ba7acf7211cf86c7a7a71fb2d2
SHA1 ab14e9821f6ceaabdcf273be4c0d5403a36b3a7b
SHA256 66aae1264086bb897bcbb00f933baf11f04c9cbcdbaa05aa2dff3d4ac0a023ad
SHA512 81a1d1714539be2780962a789a372841697a991b26ecfea95069e31272a457e4f031461ddf3927afa516dd789a48d1b4052889ffd2701750a472c67932e216d7

C:\Users\Admin\AppData\Local\Temp\Dance

MD5 cd9dfbc740b5397d366e02679ff92565
SHA1 2fa764f5f7b15ae154fd4a6c2098c99179c60304
SHA256 273e95e8c0e59ba41f402177136b67ba5d63f9fd821d612165e27eed7d20a395
SHA512 8168566cacebb2ed7ad5e0673d6711441b27e7119c2be3d4190316663097bbb402b7a32e09d0eb172758f1ef25e0cb16f150f44f6ce33f16d42422b72d1cb636

C:\Users\Admin\AppData\Local\Temp\Hay

MD5 ab9565a243b50562d4011868a9a30f7f
SHA1 7d20e2a105749a25fc3acd087d9f5dcfd011f37a
SHA256 03ead3d9c4bd329bac69265b267005866e03995be714e429fc309e9cb490a7a9
SHA512 a42f98880231f05877a51a6af0c09ac914e541538a6528f1c1ec6b318e0f7a70af26e99155e35e0d803f2ebc7365f8b7b47093ebdfabb23ae31feb4f87a9470a

C:\Users\Admin\AppData\Local\Temp\Launched

MD5 7a33c73bc4774c03688ad1bbf591ede7
SHA1 25223dbd396a6ef27f5e807f11115615d1d2a569
SHA256 844d40bfb0a4a6435cedef900f051d17f442ccfdf606565c973aa1d5291b1b02
SHA512 f8198c107b0aa6dbf332f3daae007fa8f4d3a89596cc1493b18acf79c8703b1b1c5505dbf732e87a9806926f8bdec7f608f0ef010a496effc88d0132339d7101

C:\Users\Admin\AppData\Local\Temp\Compatibility

MD5 1c231324e0ce157ada1881116daad7d6
SHA1 0b641a44cf5d2c36c91a15dc998f5a78cc998940
SHA256 d15599028c4b2c93d6f292b93b7e0409e998578889052bc0db3e2521fc0179ce
SHA512 04e3cd943d2afcd28e106f5c596e0c5a88898d6ef3347a870b70a9f72d09ff999d10db24abf82dcd972e64a779963facba051c9ae8be73e04733e516644b6b10

C:\Users\Admin\AppData\Local\Temp\Territory

MD5 66d7e51392b4aab30a8ec7629b0c54ec
SHA1 86a7bfbb51d25492d6da97a009991f148e44ba36
SHA256 03f685e1db96e6570386fb81f99da2ebf017893749dcb59fd64d01ab92c6e56f
SHA512 ee8ea6bd6079fd8387c332762685bf9681e39cfcb97a115ace9ca49dfe5ac58efd3d9c68e75fb6b413c058ae888affb7a36742943d4fe8aae8d4fb361aec08e0

C:\Users\Admin\AppData\Local\Temp\Tomato

MD5 b7012bc921e6230e26f7e5c06e1ee3d3
SHA1 d5a482d530f8ba1da38ee44b9282cf7feee35a96
SHA256 b8b4e6ef356e6801753b2420a56b254118c6d8576a4ab2e7de613d3731172d88
SHA512 c8c573e54e2c4e995ba7d24983808739e6aa5c7823d4c187d0552104e7a3fa456d297b8ed5a7b08e590c8ed615e74f86f7fca8ad4c36be09ef44c349dadabeaa

C:\Users\Admin\AppData\Local\Temp\Phones

MD5 1e66dcf6dc37b09d1b7f163d416d82cf
SHA1 86cca9c43fa72da98a9a709ac5d77b8f72192646
SHA256 511214ff1dae91d2e4584a101906f5c1b91f0f02d5ba65aeb18afea13cc39e1a
SHA512 511eb8e3d9e08693f28c6a02cfc2ce6831c48d1e6a1f37cb8cc08e28fbe555d75fbddb63a70c4157d6dc204d3b9766a4564596e401687778124cb98f5b7d7e6a

C:\Users\Admin\AppData\Local\Temp\Camera

MD5 ec23fbe29228ee99bb0ae080672a8a12
SHA1 dbcce6778484f609f124ce54a5ce9c8bf50307d8
SHA256 104f762ec63b80ae6fd553d07f67e4ba4b69c5640d623ad53f01084cfa5e16c5
SHA512 1a69b6945e49a44a3173b6a67dfd78c33987a0fd73c6dbf45e7b28f301c3615c73d0dde5be185e27d326b5e4afa0ff73a4eb54ae24608529fca8af695331bdc2

C:\Users\Admin\AppData\Local\Temp\Botswana

MD5 71917aaeec9dcf85339b8649718be76c
SHA1 aee8be39c1cc4497e3e6f60112c79988e16e6159
SHA256 b7896a4ffa3edb24818af0f249b76862768885d577078e40f845d9cae3ea7607
SHA512 a483abbb6f4fc2d76437a128392a1df448b7c4cb41ac88735c2dfa1ce792a0e6d008f5f1b4cfa4d559ed72580b291f019bf9afc10344063fe37a5783bd772207

C:\Users\Admin\AppData\Local\Temp\Traveling

MD5 ad9e1249235376891836ca6203909eb8
SHA1 d56a0b08d8a9a68075651a7596daa8ed8dd0bd6c
SHA256 3ee9e8a20913f1d785c31ced9b93953ebf30dd5f7f49384e54991649f3ec0e4b
SHA512 54e74942ec627396f3a4fe8c46276d71e7d43693db9863e7ef85dcb06ae8374d17f3a6c7520c6f7701f9912028d740e0e69a27ab6b86295fe957a2f7c4541f30

C:\Users\Admin\AppData\Local\Temp\Acc

MD5 c7952a6e11a9dfd97b8ddb303a009a01
SHA1 9e9944888170d12d3d65f9aeb55567c8e4b437f4
SHA256 c3b62b836be197269997fe4c5d7f546eea84dea4a922f10c88b69f365e1e9b41
SHA512 b56b6b8185801330651ae73a72252d6081eef938ae2527427a12400ad3eb0bb590af33082d0b6dc98747faacfaf419513103ba557a7fed6489d47e4e50f154c1

C:\Users\Admin\AppData\Local\Temp\Legends

MD5 9907cd16718b77a36a0257b747613a4e
SHA1 c003193c10ecbef7820136ea13b14e528ba61bb8
SHA256 da7e533eb924651ad2f0fa4093c6c84562c96853a2d44ea25240aa4b1b032e47
SHA512 d64afdae597bd84388a3c981096a92ac1b1c71586a027142a7aaef1032d68f73b78b46ac9b33b8c7cb4da3702133bb8d4ccb21d1900a7465704d28073b71d414

C:\Users\Admin\AppData\Local\Temp\Fireplace

MD5 c0c5639a24c188caa295c125556bad40
SHA1 65cf6d3e6264fa364b01e1cd2a85d9f2617e931a
SHA256 a452a83285d5b4b751adbd5e01692b718cdebcdb362fb8fc1e159560de283752
SHA512 bcd9e2f62bac0811c8943be2861f86793ddf13f56edfd3cd31bc1110c618d5b2672835c1bd560b9f073c157230f22a0b8efa32bc9f5ddcb22b3d026d98fa5b49

C:\Users\Admin\AppData\Local\Temp\Reduces

MD5 398709b004fbd8b968c8e42491f19972
SHA1 6dd61cec0af68313aabf1556a1b56a13523ee4dd
SHA256 0e628b36d91d5d0eaa9e3519737f8994bd8e09f46b23654a46625464125bb3dc
SHA512 8551aafbb3b2714c228bc8143c9ad7d6d414fa0ee2c3d621b75fabd8338750c6e3baf297de7d1065587caed894ef29920f7344bc84bb1ad0c749d93d58ec8c1f

C:\Users\Admin\AppData\Local\Temp\Pilot

MD5 b0157a19cdcef0c5522fc537860683d8
SHA1 10ea0dcc20bda6274663067643be96ab9f2e772e
SHA256 25c684744726c1a5dde48c6df11f54f461becae85af2631795d23922aca7781c
SHA512 549a6bc71e7374177be333b93553508c7d2161f16d8ebbf0fb20321a7e6eadfa80f851f4332b63f0da8aa266a2574aab319fc2bd4a62b16162c4645f466698df

C:\Users\Admin\AppData\Local\Temp\Somalia

MD5 2fd71907ed9cccd1097cc3d366851bf4
SHA1 e9bac2b5ec9b9d206d2694b6b4ca43a8889d996a
SHA256 6cae2c3e613b64a49e1fae53365a9705bb27192f420784058b2b7668701df66c
SHA512 8793b93757082ad16c065dd5d0f870a99f22a7e9aed663985ad8d72c3502fe5489e117ff23ed12464eb5d576acf74d85b43b77dfb4e4d7e4a724e90d1aa6c27f

C:\Users\Admin\AppData\Local\Temp\Filled

MD5 76d6efeaf3ab1281ecb03b05d080bc5f
SHA1 18cda5217705406603355fe1f03d96ef2fd7d1a8
SHA256 83bda8c4d7b5999c3342a34854fee5d87c6aeda34b8b99407ec4b956511aa6d0
SHA512 2a04d997016533e1acad843ceb0e89c78c3cee25b49bf62eb40db4ee7164c6cf6533746ce7348cfd5394f6a54a6b260f89efece15815a42d7c63e59cf821ea55

C:\Users\Admin\AppData\Local\Temp\Comprehensive

MD5 ce0900db1193e8b52b5d729b0cd489d6
SHA1 4982afee4e95fcfebbe54a158c373237ebfe7afd
SHA256 75f3be5aef10128f8fe62f50ca8c465e1ea4c487bbaa1534999349edec6f30f0
SHA512 fc767826503dfd525922c462d5cc168c7d1740701f702e517e3e8a8dbc3855d59bf2ff185d803b286c5e5f6552630f44d8b2f1495a9f6da8173c27d0b0768ea2

C:\Users\Admin\AppData\Local\Temp\Collections

MD5 88cb9cd3aead0f8218324e872ac696a7
SHA1 d473368714ad0ff805880effe98f5252df339667
SHA256 7d9c8e00b19d536f28f168fb8e7ac07ff09d5d571dff92f57f46af1abc2bf47b
SHA512 c1ae2cee16d3291804b62b49cac3f03375401d2c82ddc910ba74014066dd3563d284e3b88de96832a3f84f4f426c465fa09315fb01c492aef3dc43c9300f4d3c

C:\Users\Admin\AppData\Local\Temp\Fp

MD5 8ef48220ebf2461b331438a9cb7fa73f
SHA1 ea9b2ef3b00b7a74879312db9038eec3cbfc2579
SHA256 269ff7c969498267c2da598b2fcbf6266f53d8ef90a735e53755bda7e637b616
SHA512 93d337ff745ed2e96147156ada92c02cc71b296e6bc50a44310467b20bff0e3f9c05260b403c868028b64cf9672f245a68a18526b8a4cb04d22a75b67e885164

C:\Users\Admin\AppData\Local\Temp\Tubes

MD5 4d0ba739a5c196fb0ed1191cdefcbdc4
SHA1 687d67a7281a8457b2b2de66da96dc8ed9c55856
SHA256 5a7b5d24e7968cc1e4e139a6275f8607d3e50c4d25141db27908913b84ace9da
SHA512 a35d89f122319002d197efcb683c86994617265b8c47611881dffb479c28dc0e92a933783f5b49892e44d242fafd3cb4169d73bdb2c4eeaa471ff81a4a022cd7

C:\Users\Admin\AppData\Local\Temp\Rugby

MD5 98f0481c9e01bec9b7a230eb9820cb35
SHA1 ce984859ad1347d59b72484a400569c36226e74c
SHA256 9499faadcbd1272e949c61c1babe16cba127e80929454d6600bf681d88d2e1c6
SHA512 22841f977c9fc81d38a6d121fc00295730a11094fc6c826118e73ce4667bce9561a0d3c0e7b3f748b5fb489194e01ed1812e274a139cdf7f1c5fc25912f09d53

C:\Users\Admin\AppData\Local\Temp\Mostly

MD5 a7667d94a751d656392f447fbeaaaadf
SHA1 b68c0554f5755948c4af3d1c70524b1200b87a6a
SHA256 2e487bc97787176cb552469ef32fe2b88c9c2c71b3dd5509b019aea0d5153f99
SHA512 21c4869c366f765f4aae3fb0386d8cb8bfccad87abebfb33e9414333a925dcd10557ee380282ae215ff7cc0c25beebac4632c8fd059100e83cc2a6e685d25dca

C:\Users\Admin\AppData\Local\Temp\Conferencing

MD5 f0d8b79a6f05368e1a593b80730f6781
SHA1 72ce2a143c08bdcce1a23053322281cd1ab1fc11
SHA256 bc0e68cffeaafc3f673664b7882e3ca266ae8d01cbe959c84cd993957064d35c
SHA512 33dd94439fbea36432dd2adc36efb06ffc569b98ca26126c915d81d5e02bc62b48bcbb4a8a1a7aae45e5710213e00827fa14b23ed625dde81ccd29b72ba79f88

C:\Users\Admin\AppData\Local\Temp\Bring

MD5 39149e0eb98161df0310b7db6e872e9f
SHA1 0fc522daf417a7d32e57571383a4880ecf5edcf9
SHA256 d2c62d43b591a415db0fec310cafd135f903d3323d286ba92b411df92785afbe
SHA512 ce507b008a5f57191bfad29572d789a39a306f0a1e234dcd2236203f7e30c7e96b9a224e16aa6cde9766972ae7bf6fdcd8e2ec9da28b419b5b6c8d1811c84954

C:\Users\Admin\AppData\Local\Temp\Dicke

MD5 5e7074c2487bcfe3a060f39e2a0c713a
SHA1 eb675f9e7a0de5c462ca9c69c30a5b15935cea28
SHA256 58e8e8aad2591e0fc23e7a232400dccbe06b460042f7019582a5d3678c3b7e90
SHA512 7ee0fd6965fee7a2565f0a6792dd3895690825567588369cd53dbcc172751576f442f43d671c3f6716e693b4ae94e90a9e4f0a02f6fd00f98a5847bd9c6ae908

C:\Users\Admin\AppData\Local\Temp\Cosmetic

MD5 a6a23f4d7b74bc28722fb6ccf716909a
SHA1 6c9c28a2bad313a814dca80b0dbd93cde18c056b
SHA256 623a9fddb3b411dad8a8eb52fb699ffe23efa4c85a4536191ade7d688ab53c07
SHA512 d901af1c42e536e11efebc619c136c1aa9564163c78219652b6e19b1a2403828dd88403ac98d0bde20ea66d1cd883ed7f36e5ce3c35a0cbb26c9f510754630df

C:\Users\Admin\AppData\Local\Temp\Vi

MD5 ae7839d400ef6b8325f362f8de33e73f
SHA1 2d8c7a0835fc8a7b4c68198e4d35e899e594c1a6
SHA256 0221549444be1bbd476980f82f1e5fc5d009824c197aaf6617728165a83a081b
SHA512 21e8c934fca496a626ddd53c4bbf58499f1ceecb736036dc2e37a7f95823e131373925e2b3f6a46196937449705106c821b5470c3bc9be5231385664e7adb3f8

C:\Users\Admin\AppData\Local\Temp\Specialist

MD5 9018c0ae417ac88643b55163384abfc2
SHA1 ac93c2712e9b35f95493d1a2be1c34b1dc1216db
SHA256 9bed4da0722b78cb809bf9d63665d73748effe820aeda3c6944d8e21863ae59f
SHA512 c84f9c948b31e5466292992b77c83700fe6eae33ed6d9fc95bad3fb928cf50d361b667aba72d2d9d8dcb21188fd3480acde0bbda3d5623510417a2aa0bbbdfe5

C:\Users\Admin\AppData\Local\Temp\Biotechnology

MD5 2f2770ebccf572bb95a7353adff3484c
SHA1 818d0b9a8dc88ef2fafd7724ab46c0b304d98ff8
SHA256 ad749ae1c75c1bfffee0e56a8426bfb473d78febe8b559cf875bbbfa04f25fa4
SHA512 14119af0016d6948ebf653edc4361f566832050bc47dbb726adeb5eb2509ff96b3a1199acf3a6ecc051322ac2feaa80f1c14300ab146f9f15be429ac7556f9fd

C:\Users\Admin\AppData\Local\Temp\Singles

MD5 3d8a23f7ee2e47052bca9b844fe1a365
SHA1 b7cdc88cbc69d396945cd35ce17c365544c5ae5b
SHA256 cfc5f549170ce4b10d0d25b13c23983f09778be62fabfbf0ae16d7cf3839cd1e
SHA512 f371ea22792cd79ff22a8e500220f65d74c9b88dc4b9f01c17e1bf64d1f2893bc4dbb73a33f6473b51dda001f4a8e51feafddeabe6510fff9d46b80d4846db6c

C:\Users\Admin\AppData\Local\Temp\Par

MD5 2544db428b5032c422f879b02a5ffa08
SHA1 9b2da5554888ffbb47e1fb6913fa0ccba06bfba1
SHA256 43a1720d95ac06c4b599b2f324dc8a9de2a8239ff25a34ceb616c065f3a403f0
SHA512 1d8c42177af06a5e161219c9b659c78b52626a2fc5b1bcaec44c38576e9ffdb8192b9b9066487ea8a2b6ff61345d5ae37d30b63254cbf5d66150ae1f4088fe6a

C:\Users\Admin\AppData\Local\Temp\Overall

MD5 cfbeec616eca350d3523c89fe4984c84
SHA1 1402b33166a194c7c85f734c1318b57bd01b87e8
SHA256 8b19064703a022c4bf3db1e7b9cbda855d30d5da3a613c9c4c675c5bb8b3d700
SHA512 dca937df48fc742f26281393bf060231a071921934cc56011d7982b3e7d2fd490bdb17bff4c063a5a069f4fd6ceffa5eae4de0a792a58b5a277e6dc86997edf7

C:\Users\Admin\AppData\Local\Temp\Connector

MD5 d18ca7cae1f889722a25ef235d5eaba0
SHA1 c71c4ff2633ccaa4736bc6580e7906346186399a
SHA256 3c76c18eb38f0c124a7a1ece126538508f8df7d7b1bb83c5bccb12ed66b654ce
SHA512 f9c9b349a04be6f470fcad0fb6d5b5f925b6c89e2b68505437bca6ea48362c3a1db97ec69479739302d6b0ce64650a041090358d2af063f0128b365cf12be694

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\66489\t

MD5 8c0494568819e09b440ffafeb0887a2d
SHA1 1c334b5dedf5a617614bb725b28ce4b68d746cec
SHA256 73325224492ab0f85af2c57c2d47092f1de5882e243f0e7c1066fc5cd946e3a1
SHA512 4d52ad8774418b15b0377cffa2573013eeb7404a2626a2eb17d18d336ff2ea084901bf85ea8c3aed656a1f3a995ec89e585cdc5b8a633372cb2a46615941a367

memory/2928-80-0x0000000000A00000-0x0000000000BDF000-memory.dmp

memory/2928-81-0x0000000000A00000-0x0000000000BDF000-memory.dmp

memory/2928-83-0x0000000000A00000-0x0000000000BDF000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-08 12:00

Reported

2024-09-08 12:10

Platform

win7-20240903-ja

Max time kernel

304s

Max time network

320s

Command Line

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1884 set thread context of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\RoughlyOptimize C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\FioricetTrial C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\SaraBiographies C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\JobElected C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\LazyGraduation C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\WatchesAble C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2828 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2828 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2828 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2828 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2828 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2828 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2828 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2828 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2828 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2828 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1884 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Processes

C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Establishment Establishment.bat & Establishment.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 66489

C:\Windows\SysWOW64\findstr.exe

findstr /V "technoourselveshdtvportal" Dance

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Launched + ..\Compatibility + ..\Territory + ..\Tomato + ..\Phones + ..\Camera + ..\Botswana + ..\Traveling + ..\Acc + ..\Fireplace + ..\Legends + ..\Filled + ..\Somalia + ..\Pilot + ..\Reduces + ..\Comprehensive + ..\Collections + ..\Fp + ..\Tubes + ..\Mostly + ..\Rugby + ..\Conferencing + ..\Bring + ..\Cosmetic + ..\Dicke + ..\Vi + ..\Specialist + ..\Singles + ..\Biotechnology + ..\Par + ..\Overall + ..\Connector t

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Updated.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 geMRGKqVxVpfJTwCaGgFh.geMRGKqVxVpfJTwCaGgFh udp
US 185.143.223.148:80 tcp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 173.231.16.77:443 api64.ipify.org tcp
US 173.231.16.77:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Establishment

MD5 dc7ec9ba7acf7211cf86c7a7a71fb2d2
SHA1 ab14e9821f6ceaabdcf273be4c0d5403a36b3a7b
SHA256 66aae1264086bb897bcbb00f933baf11f04c9cbcdbaa05aa2dff3d4ac0a023ad
SHA512 81a1d1714539be2780962a789a372841697a991b26ecfea95069e31272a457e4f031461ddf3927afa516dd789a48d1b4052889ffd2701750a472c67932e216d7

C:\Users\Admin\AppData\Local\Temp\Dance

MD5 cd9dfbc740b5397d366e02679ff92565
SHA1 2fa764f5f7b15ae154fd4a6c2098c99179c60304
SHA256 273e95e8c0e59ba41f402177136b67ba5d63f9fd821d612165e27eed7d20a395
SHA512 8168566cacebb2ed7ad5e0673d6711441b27e7119c2be3d4190316663097bbb402b7a32e09d0eb172758f1ef25e0cb16f150f44f6ce33f16d42422b72d1cb636

C:\Users\Admin\AppData\Local\Temp\Hay

MD5 ab9565a243b50562d4011868a9a30f7f
SHA1 7d20e2a105749a25fc3acd087d9f5dcfd011f37a
SHA256 03ead3d9c4bd329bac69265b267005866e03995be714e429fc309e9cb490a7a9
SHA512 a42f98880231f05877a51a6af0c09ac914e541538a6528f1c1ec6b318e0f7a70af26e99155e35e0d803f2ebc7365f8b7b47093ebdfabb23ae31feb4f87a9470a

C:\Users\Admin\AppData\Local\Temp\Launched

MD5 7a33c73bc4774c03688ad1bbf591ede7
SHA1 25223dbd396a6ef27f5e807f11115615d1d2a569
SHA256 844d40bfb0a4a6435cedef900f051d17f442ccfdf606565c973aa1d5291b1b02
SHA512 f8198c107b0aa6dbf332f3daae007fa8f4d3a89596cc1493b18acf79c8703b1b1c5505dbf732e87a9806926f8bdec7f608f0ef010a496effc88d0132339d7101

C:\Users\Admin\AppData\Local\Temp\Compatibility

MD5 1c231324e0ce157ada1881116daad7d6
SHA1 0b641a44cf5d2c36c91a15dc998f5a78cc998940
SHA256 d15599028c4b2c93d6f292b93b7e0409e998578889052bc0db3e2521fc0179ce
SHA512 04e3cd943d2afcd28e106f5c596e0c5a88898d6ef3347a870b70a9f72d09ff999d10db24abf82dcd972e64a779963facba051c9ae8be73e04733e516644b6b10

C:\Users\Admin\AppData\Local\Temp\Territory

MD5 66d7e51392b4aab30a8ec7629b0c54ec
SHA1 86a7bfbb51d25492d6da97a009991f148e44ba36
SHA256 03f685e1db96e6570386fb81f99da2ebf017893749dcb59fd64d01ab92c6e56f
SHA512 ee8ea6bd6079fd8387c332762685bf9681e39cfcb97a115ace9ca49dfe5ac58efd3d9c68e75fb6b413c058ae888affb7a36742943d4fe8aae8d4fb361aec08e0

C:\Users\Admin\AppData\Local\Temp\Tomato

MD5 b7012bc921e6230e26f7e5c06e1ee3d3
SHA1 d5a482d530f8ba1da38ee44b9282cf7feee35a96
SHA256 b8b4e6ef356e6801753b2420a56b254118c6d8576a4ab2e7de613d3731172d88
SHA512 c8c573e54e2c4e995ba7d24983808739e6aa5c7823d4c187d0552104e7a3fa456d297b8ed5a7b08e590c8ed615e74f86f7fca8ad4c36be09ef44c349dadabeaa

C:\Users\Admin\AppData\Local\Temp\Phones

MD5 1e66dcf6dc37b09d1b7f163d416d82cf
SHA1 86cca9c43fa72da98a9a709ac5d77b8f72192646
SHA256 511214ff1dae91d2e4584a101906f5c1b91f0f02d5ba65aeb18afea13cc39e1a
SHA512 511eb8e3d9e08693f28c6a02cfc2ce6831c48d1e6a1f37cb8cc08e28fbe555d75fbddb63a70c4157d6dc204d3b9766a4564596e401687778124cb98f5b7d7e6a

C:\Users\Admin\AppData\Local\Temp\Camera

MD5 ec23fbe29228ee99bb0ae080672a8a12
SHA1 dbcce6778484f609f124ce54a5ce9c8bf50307d8
SHA256 104f762ec63b80ae6fd553d07f67e4ba4b69c5640d623ad53f01084cfa5e16c5
SHA512 1a69b6945e49a44a3173b6a67dfd78c33987a0fd73c6dbf45e7b28f301c3615c73d0dde5be185e27d326b5e4afa0ff73a4eb54ae24608529fca8af695331bdc2

C:\Users\Admin\AppData\Local\Temp\Botswana

MD5 71917aaeec9dcf85339b8649718be76c
SHA1 aee8be39c1cc4497e3e6f60112c79988e16e6159
SHA256 b7896a4ffa3edb24818af0f249b76862768885d577078e40f845d9cae3ea7607
SHA512 a483abbb6f4fc2d76437a128392a1df448b7c4cb41ac88735c2dfa1ce792a0e6d008f5f1b4cfa4d559ed72580b291f019bf9afc10344063fe37a5783bd772207

C:\Users\Admin\AppData\Local\Temp\Traveling

MD5 ad9e1249235376891836ca6203909eb8
SHA1 d56a0b08d8a9a68075651a7596daa8ed8dd0bd6c
SHA256 3ee9e8a20913f1d785c31ced9b93953ebf30dd5f7f49384e54991649f3ec0e4b
SHA512 54e74942ec627396f3a4fe8c46276d71e7d43693db9863e7ef85dcb06ae8374d17f3a6c7520c6f7701f9912028d740e0e69a27ab6b86295fe957a2f7c4541f30

C:\Users\Admin\AppData\Local\Temp\Acc

MD5 c7952a6e11a9dfd97b8ddb303a009a01
SHA1 9e9944888170d12d3d65f9aeb55567c8e4b437f4
SHA256 c3b62b836be197269997fe4c5d7f546eea84dea4a922f10c88b69f365e1e9b41
SHA512 b56b6b8185801330651ae73a72252d6081eef938ae2527427a12400ad3eb0bb590af33082d0b6dc98747faacfaf419513103ba557a7fed6489d47e4e50f154c1

C:\Users\Admin\AppData\Local\Temp\Fireplace

MD5 c0c5639a24c188caa295c125556bad40
SHA1 65cf6d3e6264fa364b01e1cd2a85d9f2617e931a
SHA256 a452a83285d5b4b751adbd5e01692b718cdebcdb362fb8fc1e159560de283752
SHA512 bcd9e2f62bac0811c8943be2861f86793ddf13f56edfd3cd31bc1110c618d5b2672835c1bd560b9f073c157230f22a0b8efa32bc9f5ddcb22b3d026d98fa5b49

C:\Users\Admin\AppData\Local\Temp\Legends

MD5 9907cd16718b77a36a0257b747613a4e
SHA1 c003193c10ecbef7820136ea13b14e528ba61bb8
SHA256 da7e533eb924651ad2f0fa4093c6c84562c96853a2d44ea25240aa4b1b032e47
SHA512 d64afdae597bd84388a3c981096a92ac1b1c71586a027142a7aaef1032d68f73b78b46ac9b33b8c7cb4da3702133bb8d4ccb21d1900a7465704d28073b71d414

C:\Users\Admin\AppData\Local\Temp\Filled

MD5 76d6efeaf3ab1281ecb03b05d080bc5f
SHA1 18cda5217705406603355fe1f03d96ef2fd7d1a8
SHA256 83bda8c4d7b5999c3342a34854fee5d87c6aeda34b8b99407ec4b956511aa6d0
SHA512 2a04d997016533e1acad843ceb0e89c78c3cee25b49bf62eb40db4ee7164c6cf6533746ce7348cfd5394f6a54a6b260f89efece15815a42d7c63e59cf821ea55

C:\Users\Admin\AppData\Local\Temp\Somalia

MD5 2fd71907ed9cccd1097cc3d366851bf4
SHA1 e9bac2b5ec9b9d206d2694b6b4ca43a8889d996a
SHA256 6cae2c3e613b64a49e1fae53365a9705bb27192f420784058b2b7668701df66c
SHA512 8793b93757082ad16c065dd5d0f870a99f22a7e9aed663985ad8d72c3502fe5489e117ff23ed12464eb5d576acf74d85b43b77dfb4e4d7e4a724e90d1aa6c27f

C:\Users\Admin\AppData\Local\Temp\Pilot

MD5 b0157a19cdcef0c5522fc537860683d8
SHA1 10ea0dcc20bda6274663067643be96ab9f2e772e
SHA256 25c684744726c1a5dde48c6df11f54f461becae85af2631795d23922aca7781c
SHA512 549a6bc71e7374177be333b93553508c7d2161f16d8ebbf0fb20321a7e6eadfa80f851f4332b63f0da8aa266a2574aab319fc2bd4a62b16162c4645f466698df

C:\Users\Admin\AppData\Local\Temp\Reduces

MD5 398709b004fbd8b968c8e42491f19972
SHA1 6dd61cec0af68313aabf1556a1b56a13523ee4dd
SHA256 0e628b36d91d5d0eaa9e3519737f8994bd8e09f46b23654a46625464125bb3dc
SHA512 8551aafbb3b2714c228bc8143c9ad7d6d414fa0ee2c3d621b75fabd8338750c6e3baf297de7d1065587caed894ef29920f7344bc84bb1ad0c749d93d58ec8c1f

C:\Users\Admin\AppData\Local\Temp\Comprehensive

MD5 ce0900db1193e8b52b5d729b0cd489d6
SHA1 4982afee4e95fcfebbe54a158c373237ebfe7afd
SHA256 75f3be5aef10128f8fe62f50ca8c465e1ea4c487bbaa1534999349edec6f30f0
SHA512 fc767826503dfd525922c462d5cc168c7d1740701f702e517e3e8a8dbc3855d59bf2ff185d803b286c5e5f6552630f44d8b2f1495a9f6da8173c27d0b0768ea2

C:\Users\Admin\AppData\Local\Temp\Collections

MD5 88cb9cd3aead0f8218324e872ac696a7
SHA1 d473368714ad0ff805880effe98f5252df339667
SHA256 7d9c8e00b19d536f28f168fb8e7ac07ff09d5d571dff92f57f46af1abc2bf47b
SHA512 c1ae2cee16d3291804b62b49cac3f03375401d2c82ddc910ba74014066dd3563d284e3b88de96832a3f84f4f426c465fa09315fb01c492aef3dc43c9300f4d3c

C:\Users\Admin\AppData\Local\Temp\Fp

MD5 8ef48220ebf2461b331438a9cb7fa73f
SHA1 ea9b2ef3b00b7a74879312db9038eec3cbfc2579
SHA256 269ff7c969498267c2da598b2fcbf6266f53d8ef90a735e53755bda7e637b616
SHA512 93d337ff745ed2e96147156ada92c02cc71b296e6bc50a44310467b20bff0e3f9c05260b403c868028b64cf9672f245a68a18526b8a4cb04d22a75b67e885164

C:\Users\Admin\AppData\Local\Temp\Tubes

MD5 4d0ba739a5c196fb0ed1191cdefcbdc4
SHA1 687d67a7281a8457b2b2de66da96dc8ed9c55856
SHA256 5a7b5d24e7968cc1e4e139a6275f8607d3e50c4d25141db27908913b84ace9da
SHA512 a35d89f122319002d197efcb683c86994617265b8c47611881dffb479c28dc0e92a933783f5b49892e44d242fafd3cb4169d73bdb2c4eeaa471ff81a4a022cd7

C:\Users\Admin\AppData\Local\Temp\Mostly

MD5 a7667d94a751d656392f447fbeaaaadf
SHA1 b68c0554f5755948c4af3d1c70524b1200b87a6a
SHA256 2e487bc97787176cb552469ef32fe2b88c9c2c71b3dd5509b019aea0d5153f99
SHA512 21c4869c366f765f4aae3fb0386d8cb8bfccad87abebfb33e9414333a925dcd10557ee380282ae215ff7cc0c25beebac4632c8fd059100e83cc2a6e685d25dca

C:\Users\Admin\AppData\Local\Temp\Rugby

MD5 98f0481c9e01bec9b7a230eb9820cb35
SHA1 ce984859ad1347d59b72484a400569c36226e74c
SHA256 9499faadcbd1272e949c61c1babe16cba127e80929454d6600bf681d88d2e1c6
SHA512 22841f977c9fc81d38a6d121fc00295730a11094fc6c826118e73ce4667bce9561a0d3c0e7b3f748b5fb489194e01ed1812e274a139cdf7f1c5fc25912f09d53

C:\Users\Admin\AppData\Local\Temp\Conferencing

MD5 f0d8b79a6f05368e1a593b80730f6781
SHA1 72ce2a143c08bdcce1a23053322281cd1ab1fc11
SHA256 bc0e68cffeaafc3f673664b7882e3ca266ae8d01cbe959c84cd993957064d35c
SHA512 33dd94439fbea36432dd2adc36efb06ffc569b98ca26126c915d81d5e02bc62b48bcbb4a8a1a7aae45e5710213e00827fa14b23ed625dde81ccd29b72ba79f88

C:\Users\Admin\AppData\Local\Temp\Bring

MD5 39149e0eb98161df0310b7db6e872e9f
SHA1 0fc522daf417a7d32e57571383a4880ecf5edcf9
SHA256 d2c62d43b591a415db0fec310cafd135f903d3323d286ba92b411df92785afbe
SHA512 ce507b008a5f57191bfad29572d789a39a306f0a1e234dcd2236203f7e30c7e96b9a224e16aa6cde9766972ae7bf6fdcd8e2ec9da28b419b5b6c8d1811c84954

C:\Users\Admin\AppData\Local\Temp\Cosmetic

MD5 a6a23f4d7b74bc28722fb6ccf716909a
SHA1 6c9c28a2bad313a814dca80b0dbd93cde18c056b
SHA256 623a9fddb3b411dad8a8eb52fb699ffe23efa4c85a4536191ade7d688ab53c07
SHA512 d901af1c42e536e11efebc619c136c1aa9564163c78219652b6e19b1a2403828dd88403ac98d0bde20ea66d1cd883ed7f36e5ce3c35a0cbb26c9f510754630df

C:\Users\Admin\AppData\Local\Temp\Dicke

MD5 5e7074c2487bcfe3a060f39e2a0c713a
SHA1 eb675f9e7a0de5c462ca9c69c30a5b15935cea28
SHA256 58e8e8aad2591e0fc23e7a232400dccbe06b460042f7019582a5d3678c3b7e90
SHA512 7ee0fd6965fee7a2565f0a6792dd3895690825567588369cd53dbcc172751576f442f43d671c3f6716e693b4ae94e90a9e4f0a02f6fd00f98a5847bd9c6ae908

C:\Users\Admin\AppData\Local\Temp\Vi

MD5 ae7839d400ef6b8325f362f8de33e73f
SHA1 2d8c7a0835fc8a7b4c68198e4d35e899e594c1a6
SHA256 0221549444be1bbd476980f82f1e5fc5d009824c197aaf6617728165a83a081b
SHA512 21e8c934fca496a626ddd53c4bbf58499f1ceecb736036dc2e37a7f95823e131373925e2b3f6a46196937449705106c821b5470c3bc9be5231385664e7adb3f8

C:\Users\Admin\AppData\Local\Temp\Specialist

MD5 9018c0ae417ac88643b55163384abfc2
SHA1 ac93c2712e9b35f95493d1a2be1c34b1dc1216db
SHA256 9bed4da0722b78cb809bf9d63665d73748effe820aeda3c6944d8e21863ae59f
SHA512 c84f9c948b31e5466292992b77c83700fe6eae33ed6d9fc95bad3fb928cf50d361b667aba72d2d9d8dcb21188fd3480acde0bbda3d5623510417a2aa0bbbdfe5

C:\Users\Admin\AppData\Local\Temp\Singles

MD5 3d8a23f7ee2e47052bca9b844fe1a365
SHA1 b7cdc88cbc69d396945cd35ce17c365544c5ae5b
SHA256 cfc5f549170ce4b10d0d25b13c23983f09778be62fabfbf0ae16d7cf3839cd1e
SHA512 f371ea22792cd79ff22a8e500220f65d74c9b88dc4b9f01c17e1bf64d1f2893bc4dbb73a33f6473b51dda001f4a8e51feafddeabe6510fff9d46b80d4846db6c

C:\Users\Admin\AppData\Local\Temp\Biotechnology

MD5 2f2770ebccf572bb95a7353adff3484c
SHA1 818d0b9a8dc88ef2fafd7724ab46c0b304d98ff8
SHA256 ad749ae1c75c1bfffee0e56a8426bfb473d78febe8b559cf875bbbfa04f25fa4
SHA512 14119af0016d6948ebf653edc4361f566832050bc47dbb726adeb5eb2509ff96b3a1199acf3a6ecc051322ac2feaa80f1c14300ab146f9f15be429ac7556f9fd

C:\Users\Admin\AppData\Local\Temp\Par

MD5 2544db428b5032c422f879b02a5ffa08
SHA1 9b2da5554888ffbb47e1fb6913fa0ccba06bfba1
SHA256 43a1720d95ac06c4b599b2f324dc8a9de2a8239ff25a34ceb616c065f3a403f0
SHA512 1d8c42177af06a5e161219c9b659c78b52626a2fc5b1bcaec44c38576e9ffdb8192b9b9066487ea8a2b6ff61345d5ae37d30b63254cbf5d66150ae1f4088fe6a

C:\Users\Admin\AppData\Local\Temp\Overall

MD5 cfbeec616eca350d3523c89fe4984c84
SHA1 1402b33166a194c7c85f734c1318b57bd01b87e8
SHA256 8b19064703a022c4bf3db1e7b9cbda855d30d5da3a613c9c4c675c5bb8b3d700
SHA512 dca937df48fc742f26281393bf060231a071921934cc56011d7982b3e7d2fd490bdb17bff4c063a5a069f4fd6ceffa5eae4de0a792a58b5a277e6dc86997edf7

C:\Users\Admin\AppData\Local\Temp\Connector

MD5 d18ca7cae1f889722a25ef235d5eaba0
SHA1 c71c4ff2633ccaa4736bc6580e7906346186399a
SHA256 3c76c18eb38f0c124a7a1ece126538508f8df7d7b1bb83c5bccb12ed66b654ce
SHA512 f9c9b349a04be6f470fcad0fb6d5b5f925b6c89e2b68505437bca6ea48362c3a1db97ec69479739302d6b0ce64650a041090358d2af063f0128b365cf12be694

\Users\Admin\AppData\Local\Temp\66489\Updated.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\66489\t

MD5 8c0494568819e09b440ffafeb0887a2d
SHA1 1c334b5dedf5a617614bb725b28ce4b68d746cec
SHA256 73325224492ab0f85af2c57c2d47092f1de5882e243f0e7c1066fc5cd946e3a1
SHA512 4d52ad8774418b15b0377cffa2573013eeb7404a2626a2eb17d18d336ff2ea084901bf85ea8c3aed656a1f3a995ec89e585cdc5b8a633372cb2a46615941a367

memory/1764-81-0x00000000009B0000-0x0000000000B8F000-memory.dmp

memory/1764-82-0x00000000009B0000-0x0000000000B8F000-memory.dmp

memory/1764-84-0x00000000009B0000-0x0000000000B8F000-memory.dmp