Malware Analysis Report

2024-10-19 02:39

Sample ID: 240908-pfhwyaxgme
Target: advanced_systemcare_pro_v17.6.0.322___fix.zip
SHA256: beda3334ba514f8b961f01e1b5e1ce651304658046267f502c520b5bba387889
Tags: cryptbot stealc xmrig rave credential_access discovery evasion execution miner persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: beda3334ba514f8b961f01e1b5e1ce651304658046267f502c520b5bba387889

Threat Level: Known bad

The file advanced_systemcare_pro_v17.6.0.322___fix.zip was found to be: Known bad.

Malicious Activity Summary

cryptbot stealc xmrig rave credential_access discovery evasion execution miner persistence spyware stealer

CryptBot

xmrig

Stealc

Credentials from Password Stores: Credentials from Web Browsers

XMRig Miner payload

Stops running service(s)

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Power Settings

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Drops file in Windows directory

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-08 12:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-08 12:16

Reported: 2024-09-08 12:23

Platform: win7-20240903-it

Max time kernel: 247s

Max time network: 305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

Signatures

CryptBot

spyware stealer cryptbot

Stealc

stealer stealc

xmrig

miner xmrig

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api64.ipify.org | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | api.myip.com | N/A | N/A
N/A | api.myip.com | N/A | N/A
N/A | api64.ipify.org | N/A | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2604 set thread context of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SaraBiographies | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | N/A
File opened for modification | C:\Windows\JobElected | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | N/A
File opened for modification | C:\Windows\LazyGraduation | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | N/A
File opened for modification | C:\Windows\WatchesAble | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | N/A
File opened for modification | C:\Windows\RoughlyOptimize | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | N/A
File opened for modification | C:\Windows\FioricetTrial | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\8W99i8_LXC9b24aDYLYOdshI.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not captured in this copy of the report] | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2468 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 2352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 2352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 2352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 2352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2736 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2736 wrote to memory of 1516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2736 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2736 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2736 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2736 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2736 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2736 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2736 wrote to memory of 1900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2736 wrote to memory of 1900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2736 wrote to memory of 1900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2736 wrote to memory of 1900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2604 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 1760 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe
PID 1760 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe
PID 1760 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe
PID 1760 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe
PID 1760 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\ukaVltQ8menxUruYKcHrP1_V.exe
PID 1760 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\ukaVltQ8menxUruYKcHrP1_V.exe
PID 1760 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\ukaVltQ8menxUruYKcHrP1_V.exe
PID 1760 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\ukaVltQ8menxUruYKcHrP1_V.exe
PID 1760 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\P6t8U9_8x096nbgrh7gBWIGt.exe
PID 1760 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\P6t8U9_8x096nbgrh7gBWIGt.exe
PID 1760 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\P6t8U9_8x096nbgrh7gBWIGt.exe
PID 1760 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif | C:\Users\Admin\Documents\iofolko5\P6t8U9_8x096nbgrh7gBWIGt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Establishment Establishment.bat & Establishment.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 66489

C:\Windows\SysWOW64\findstr.exe

findstr /V "technoourselveshdtvportal" Dance

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Launched + ..\Compatibility + ..\Territory + ..\Tomato + ..\Phones + ..\Camera + ..\Botswana + ..\Traveling + ..\Acc + ..\Fireplace + ..\Legends + ..\Filled + ..\Somalia + ..\Pilot + ..\Reduces + ..\Comprehensive + ..\Collections + ..\Fp + ..\Tubes + ..\Mostly + ..\Rugby + ..\Conferencing + ..\Bring + ..\Cosmetic + ..\Dicke + ..\Vi + ..\Specialist + ..\Singles + ..\Biotechnology + ..\Par + ..\Overall + ..\Connector t

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Updated.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe

C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe

C:\Users\Admin\Documents\iofolko5\ukaVltQ8menxUruYKcHrP1_V.exe

C:\Users\Admin\Documents\iofolko5\ukaVltQ8menxUruYKcHrP1_V.exe

C:\Users\Admin\Documents\iofolko5\q45AMX8aGmED5E7PV72Ele5X.exe

C:\Users\Admin\Documents\iofolko5\q45AMX8aGmED5E7PV72Ele5X.exe

C:\Users\Admin\Documents\iofolko5\P6t8U9_8x096nbgrh7gBWIGt.exe

C:\Users\Admin\Documents\iofolko5\P6t8U9_8x096nbgrh7gBWIGt.exe

C:\Users\Admin\Documents\iofolko5\8W99i8_LXC9b24aDYLYOdshI.exe

C:\Users\Admin\Documents\iofolko5\8W99i8_LXC9b24aDYLYOdshI.exe

C:\Users\Admin\Documents\iofolko5\9mM4kGnjVWzIsXKJjZWSlAKH.exe

C:\Users\Admin\Documents\iofolko5\9mM4kGnjVWzIsXKJjZWSlAKH.exe

C:\Users\Admin\Documents\iofolko5\mMGY4INzLjEQr8m11DXhw_7u.exe

C:\Users\Admin\Documents\iofolko5\mMGY4INzLjEQr8m11DXhw_7u.exe

C:\Users\Admin\Documents\iofolko5\fJP7JYDLDMolweijM6NxSAGL.exe

C:\Users\Admin\Documents\iofolko5\fJP7JYDLDMolweijM6NxSAGL.exe

C:\Users\Admin\Documents\iofolko5\rtI_AO4vIAWGqyyznBrGmhJC.exe

C:\Users\Admin\Documents\iofolko5\rtI_AO4vIAWGqyyznBrGmhJC.exe

C:\Users\Admin\Documents\iofolko5\a_9CAfablqicxu2vh9wg8qh8.exe

C:\Users\Admin\Documents\iofolko5\a_9CAfablqicxu2vh9wg8qh8.exe

C:\Users\Admin\AppData\Local\Temp\is-IGF95.tmp\8W99i8_LXC9b24aDYLYOdshI.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IGF95.tmp\8W99i8_LXC9b24aDYLYOdshI.tmp" /SL5="$501CC,3407280,682496,C:\Users\Admin\Documents\iofolko5\8W99i8_LXC9b24aDYLYOdshI.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "RRTELIGS"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "RRTELIGS" binpath= "C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "RRTELIGS"

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\ProgramData\ejitkpfdxvzt\orpqcnvisucm.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe

"C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe"

C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe

"C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe"

C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe

"C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe"

C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe

"C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe"

C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe

"C:\Users\Admin\Documents\iofolko5\s_A5z4axqZd9NtnDuzNMRWRK.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | geMRGKqVxVpfJTwCaGgFh.geMRGKqVxVpfJTwCaGgFh | udp
NL | 62.133.61.172:80 | | tcp
DE | 92.246.139.82:80 | 92.246.139.82 | tcp
US | 8.8.8.8:53 | api64.ipify.org | udp
US | 173.231.16.77:443 | api64.ipify.org | tcp
US | 173.231.16.77:443 | api64.ipify.org | tcp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 8.8.8.8:53 | db-ip.com | udp
US | 172.67.75.166:443 | db-ip.com | tcp
US | 8.8.8.8:53 | api.myip.com | udp
US | 172.67.75.163:443 | api.myip.com | tcp
DE | 92.246.139.82:80 | 92.246.139.82 | tcp
US | 8.8.8.8:53 | klikercentar.rs | udp
US | 8.8.8.8:53 | file-link-iota.vercel.app | udp
US | 8.8.8.8:53 | 240902180529931.tyr.zont16.com | udp
RU | 31.41.244.9:80 | 31.41.244.9 | tcp
RU | 176.113.115.33:80 | 176.113.115.33 | tcp
CH | 147.45.44.104:80 | 147.45.44.104 | tcp
CH | 147.45.44.104:80 | 147.45.44.104 | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
RU | 176.111.174.109:80 | 176.111.174.109 | tcp
CH | 179.43.188.227:80 | 240902180529931.tyr.zont16.com | tcp
US | 76.76.21.61:80 | file-link-iota.vercel.app | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
US | 76.76.21.61:80 | file-link-iota.vercel.app | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
US | 76.76.21.61:80 | file-link-iota.vercel.app | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
US | 76.76.21.61:80 | file-link-iota.vercel.app | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
NL | 85.17.28.85:80 | klikercentar.rs | tcp
US | 76.76.21.61:443 | file-link-iota.vercel.app | tcp
NL | 85.17.28.85:443 | klikercentar.rs | tcp
NL | 85.17.28.85:443 | klikercentar.rs | tcp
US | 76.76.21.61:443 | file-link-iota.vercel.app | tcp
US | 76.76.21.61:443 | file-link-iota.vercel.app | tcp
US | 76.76.21.61:443 | file-link-iota.vercel.app | tcp
DE | 92.246.139.82:80 | 92.246.139.82 | tcp
US | 8.8.8.8:53 | iplogger.org | udp
US | 172.67.74.161:443 | iplogger.org | tcp
RU | 185.215.113.103:80 | 185.215.113.103 | tcp
US | 8.8.8.8:53 | tventyv20sb.top | udp
RU | 194.87.248.136:80 | tventyv20sb.top | tcp
US | 8.8.8.8:53 | pool.hashvault.pro | udp
CZ | 46.8.231.109:80 | 46.8.231.109 | tcp
DE | 45.76.89.70:443 | pool.hashvault.pro | tcp
CZ | 46.8.231.109:80 | 46.8.231.109 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Establishment

MD5 dc7ec9ba7acf7211cf86c7a7a71fb2d2
SHA1 ab14e9821f6ceaabdcf273be4c0d5403a36b3a7b
SHA256 66aae1264086bb897bcbb00f933baf11f04c9cbcdbaa05aa2dff3d4ac0a023ad
SHA512 81a1d1714539be2780962a789a372841697a991b26ecfea95069e31272a457e4f031461ddf3927afa516dd789a48d1b4052889ffd2701750a472c67932e216d7

C:\Users\Admin\AppData\Local\Temp\Dance

MD5 cd9dfbc740b5397d366e02679ff92565
SHA1 2fa764f5f7b15ae154fd4a6c2098c99179c60304
SHA256 273e95e8c0e59ba41f402177136b67ba5d63f9fd821d612165e27eed7d20a395
SHA512 8168566cacebb2ed7ad5e0673d6711441b27e7119c2be3d4190316663097bbb402b7a32e09d0eb172758f1ef25e0cb16f150f44f6ce33f16d42422b72d1cb636

C:\Users\Admin\AppData\Local\Temp\Hay

MD5 ab9565a243b50562d4011868a9a30f7f
SHA1 7d20e2a105749a25fc3acd087d9f5dcfd011f37a
SHA256 03ead3d9c4bd329bac69265b267005866e03995be714e429fc309e9cb490a7a9
SHA512 a42f98880231f05877a51a6af0c09ac914e541538a6528f1c1ec6b318e0f7a70af26e99155e35e0d803f2ebc7365f8b7b47093ebdfabb23ae31feb4f87a9470a

C:\Users\Admin\AppData\Local\Temp\Launched

MD5 7a33c73bc4774c03688ad1bbf591ede7
SHA1 25223dbd396a6ef27f5e807f11115615d1d2a569
SHA256 844d40bfb0a4a6435cedef900f051d17f442ccfdf606565c973aa1d5291b1b02
SHA512 f8198c107b0aa6dbf332f3daae007fa8f4d3a89596cc1493b18acf79c8703b1b1c5505dbf732e87a9806926f8bdec7f608f0ef010a496effc88d0132339d7101

C:\Users\Admin\AppData\Local\Temp\Compatibility

MD5 1c231324e0ce157ada1881116daad7d6
SHA1 0b641a44cf5d2c36c91a15dc998f5a78cc998940
SHA256 d15599028c4b2c93d6f292b93b7e0409e998578889052bc0db3e2521fc0179ce
SHA512 04e3cd943d2afcd28e106f5c596e0c5a88898d6ef3347a870b70a9f72d09ff999d10db24abf82dcd972e64a779963facba051c9ae8be73e04733e516644b6b10

C:\Users\Admin\AppData\Local\Temp\Territory

MD5 66d7e51392b4aab30a8ec7629b0c54ec
SHA1 86a7bfbb51d25492d6da97a009991f148e44ba36
SHA256 03f685e1db96e6570386fb81f99da2ebf017893749dcb59fd64d01ab92c6e56f
SHA512 ee8ea6bd6079fd8387c332762685bf9681e39cfcb97a115ace9ca49dfe5ac58efd3d9c68e75fb6b413c058ae888affb7a36742943d4fe8aae8d4fb361aec08e0

C:\Users\Admin\AppData\Local\Temp\Tomato

MD5 b7012bc921e6230e26f7e5c06e1ee3d3
SHA1 d5a482d530f8ba1da38ee44b9282cf7feee35a96
SHA256 b8b4e6ef356e6801753b2420a56b254118c6d8576a4ab2e7de613d3731172d88
SHA512 c8c573e54e2c4e995ba7d24983808739e6aa5c7823d4c187d0552104e7a3fa456d297b8ed5a7b08e590c8ed615e74f86f7fca8ad4c36be09ef44c349dadabeaa

C:\Users\Admin\AppData\Local\Temp\Phones

MD5 1e66dcf6dc37b09d1b7f163d416d82cf
SHA1 86cca9c43fa72da98a9a709ac5d77b8f72192646
SHA256 511214ff1dae91d2e4584a101906f5c1b91f0f02d5ba65aeb18afea13cc39e1a
SHA512 511eb8e3d9e08693f28c6a02cfc2ce6831c48d1e6a1f37cb8cc08e28fbe555d75fbddb63a70c4157d6dc204d3b9766a4564596e401687778124cb98f5b7d7e6a

C:\Users\Admin\AppData\Local\Temp\Camera

MD5 ec23fbe29228ee99bb0ae080672a8a12
SHA1 dbcce6778484f609f124ce54a5ce9c8bf50307d8
SHA256 104f762ec63b80ae6fd553d07f67e4ba4b69c5640d623ad53f01084cfa5e16c5
SHA512 1a69b6945e49a44a3173b6a67dfd78c33987a0fd73c6dbf45e7b28f301c3615c73d0dde5be185e27d326b5e4afa0ff73a4eb54ae24608529fca8af695331bdc2

C:\Users\Admin\AppData\Local\Temp\Botswana

MD5 71917aaeec9dcf85339b8649718be76c
SHA1 aee8be39c1cc4497e3e6f60112c79988e16e6159
SHA256 b7896a4ffa3edb24818af0f249b76862768885d577078e40f845d9cae3ea7607
SHA512 a483abbb6f4fc2d76437a128392a1df448b7c4cb41ac88735c2dfa1ce792a0e6d008f5f1b4cfa4d559ed72580b291f019bf9afc10344063fe37a5783bd772207

C:\Users\Admin\AppData\Local\Temp\Traveling

MD5 ad9e1249235376891836ca6203909eb8
SHA1 d56a0b08d8a9a68075651a7596daa8ed8dd0bd6c
SHA256 3ee9e8a20913f1d785c31ced9b93953ebf30dd5f7f49384e54991649f3ec0e4b
SHA512 54e74942ec627396f3a4fe8c46276d71e7d43693db9863e7ef85dcb06ae8374d17f3a6c7520c6f7701f9912028d740e0e69a27ab6b86295fe957a2f7c4541f30

C:\Users\Admin\AppData\Local\Temp\Acc

MD5 c7952a6e11a9dfd97b8ddb303a009a01
SHA1 9e9944888170d12d3d65f9aeb55567c8e4b437f4
SHA256 c3b62b836be197269997fe4c5d7f546eea84dea4a922f10c88b69f365e1e9b41
SHA512 b56b6b8185801330651ae73a72252d6081eef938ae2527427a12400ad3eb0bb590af33082d0b6dc98747faacfaf419513103ba557a7fed6489d47e4e50f154c1

C:\Users\Admin\AppData\Local\Temp\Fireplace

MD5 c0c5639a24c188caa295c125556bad40
SHA1 65cf6d3e6264fa364b01e1cd2a85d9f2617e931a
SHA256 a452a83285d5b4b751adbd5e01692b718cdebcdb362fb8fc1e159560de283752

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 12:16

Reported

2024-09-08 12:23

Platform

win10-20240404-it

Max time kernel

192s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3580 set thread context of 4892 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LazyGraduation C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\WatchesAble C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\RoughlyOptimize C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\FioricetTrial C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\SaraBiographies C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\JobElected C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3396 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3396 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3396 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3396 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3396 wrote to memory of 1032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3396 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3396 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 3396 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 3396 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 3396 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3396 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3396 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3580 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 3580 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 3580 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 3580 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 3580 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Processes

C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Establishment Establishment.bat & Establishment.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 66489

C:\Windows\SysWOW64\findstr.exe

findstr /V "technoourselveshdtvportal" Dance

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Launched + ..\Compatibility + ..\Territory + ..\Tomato + ..\Phones + ..\Camera + ..\Botswana + ..\Traveling + ..\Acc + ..\Fireplace + ..\Legends + ..\Filled + ..\Somalia + ..\Pilot + ..\Reduces + ..\Comprehensive + ..\Collections + ..\Fp + ..\Tubes + ..\Mostly + ..\Rugby + ..\Conferencing + ..\Bring + ..\Cosmetic + ..\Dicke + ..\Vi + ..\Specialist + ..\Singles + ..\Biotechnology + ..\Par + ..\Overall + ..\Connector t

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Updated.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 geMRGKqVxVpfJTwCaGgFh.geMRGKqVxVpfJTwCaGgFh udp
US 185.143.223.148:80 tcp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

SHA256 623a9fddb3b411dad8a8eb52fb699ffe23efa4c85a4536191ade7d688ab53c07
SHA512 d901af1c42e536e11efebc619c136c1aa9564163c78219652b6e19b1a2403828dd88403ac98d0bde20ea66d1cd883ed7f36e5ce3c35a0cbb26c9f510754630df

C:\Users\Admin\AppData\Local\Temp\Bring

MD5 39149e0eb98161df0310b7db6e872e9f
SHA1 0fc522daf417a7d32e57571383a4880ecf5edcf9
SHA256 d2c62d43b591a415db0fec310cafd135f903d3323d286ba92b411df92785afbe
SHA512 ce507b008a5f57191bfad29572d789a39a306f0a1e234dcd2236203f7e30c7e96b9a224e16aa6cde9766972ae7bf6fdcd8e2ec9da28b419b5b6c8d1811c84954

C:\Users\Admin\AppData\Local\Temp\Vi

MD5 ae7839d400ef6b8325f362f8de33e73f
SHA1 2d8c7a0835fc8a7b4c68198e4d35e899e594c1a6
SHA256 0221549444be1bbd476980f82f1e5fc5d009824c197aaf6617728165a83a081b
SHA512 21e8c934fca496a626ddd53c4bbf58499f1ceecb736036dc2e37a7f95823e131373925e2b3f6a46196937449705106c821b5470c3bc9be5231385664e7adb3f8

C:\Users\Admin\AppData\Local\Temp\Specialist

MD5 9018c0ae417ac88643b55163384abfc2
SHA1 ac93c2712e9b35f95493d1a2be1c34b1dc1216db
SHA256 9bed4da0722b78cb809bf9d63665d73748effe820aeda3c6944d8e21863ae59f
SHA512 c84f9c948b31e5466292992b77c83700fe6eae33ed6d9fc95bad3fb928cf50d361b667aba72d2d9d8dcb21188fd3480acde0bbda3d5623510417a2aa0bbbdfe5

C:\Users\Admin\AppData\Local\Temp\Singles

MD5 3d8a23f7ee2e47052bca9b844fe1a365
SHA1 b7cdc88cbc69d396945cd35ce17c365544c5ae5b
SHA256 cfc5f549170ce4b10d0d25b13c23983f09778be62fabfbf0ae16d7cf3839cd1e
SHA512 f371ea22792cd79ff22a8e500220f65d74c9b88dc4b9f01c17e1bf64d1f2893bc4dbb73a33f6473b51dda001f4a8e51feafddeabe6510fff9d46b80d4846db6c

C:\Users\Admin\AppData\Local\Temp\Biotechnology

MD5 2f2770ebccf572bb95a7353adff3484c
SHA1 818d0b9a8dc88ef2fafd7724ab46c0b304d98ff8
SHA256 ad749ae1c75c1bfffee0e56a8426bfb473d78febe8b559cf875bbbfa04f25fa4
SHA512 14119af0016d6948ebf653edc4361f566832050bc47dbb726adeb5eb2509ff96b3a1199acf3a6ecc051322ac2feaa80f1c14300ab146f9f15be429ac7556f9fd

C:\Users\Admin\AppData\Local\Temp\Par

MD5 2544db428b5032c422f879b02a5ffa08
SHA1 9b2da5554888ffbb47e1fb6913fa0ccba06bfba1
SHA256 43a1720d95ac06c4b599b2f324dc8a9de2a8239ff25a34ceb616c065f3a403f0
SHA512 1d8c42177af06a5e161219c9b659c78b52626a2fc5b1bcaec44c38576e9ffdb8192b9b9066487ea8a2b6ff61345d5ae37d30b63254cbf5d66150ae1f4088fe6a

C:\Users\Admin\AppData\Local\Temp\Overall

MD5 cfbeec616eca350d3523c89fe4984c84
SHA1 1402b33166a194c7c85f734c1318b57bd01b87e8
SHA256 8b19064703a022c4bf3db1e7b9cbda855d30d5da3a613c9c4c675c5bb8b3d700
SHA512 dca937df48fc742f26281393bf060231a071921934cc56011d7982b3e7d2fd490bdb17bff4c063a5a069f4fd6ceffa5eae4de0a792a58b5a277e6dc86997edf7

C:\Users\Admin\AppData\Local\Temp\Connector

MD5 d18ca7cae1f889722a25ef235d5eaba0
SHA1 c71c4ff2633ccaa4736bc6580e7906346186399a
SHA256 3c76c18eb38f0c124a7a1ece126538508f8df7d7b1bb83c5bccb12ed66b654ce
SHA512 f9c9b349a04be6f470fcad0fb6d5b5f925b6c89e2b68505437bca6ea48362c3a1db97ec69479739302d6b0ce64650a041090358d2af063f0128b365cf12be694

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\66489\t

MD5 8c0494568819e09b440ffafeb0887a2d
SHA1 1c334b5dedf5a617614bb725b28ce4b68d746cec
SHA256 73325224492ab0f85af2c57c2d47092f1de5882e243f0e7c1066fc5cd946e3a1
SHA512 4d52ad8774418b15b0377cffa2573013eeb7404a2626a2eb17d18d336ff2ea084901bf85ea8c3aed656a1f3a995ec89e585cdc5b8a633372cb2a46615941a367

memory/4892-78-0x0000000001060000-0x000000000123F000-memory.dmp

memory/4892-79-0x0000000001060000-0x000000000123F000-memory.dmp

memory/4892-81-0x0000000001060000-0x000000000123F000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-08 12:16

Reported

2024-09-08 12:23

Platform

win10v2004-20240802-it

Max time kernel

145s

Max time network

200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2768 set thread context of 1836 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\JobElected C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\LazyGraduation C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\WatchesAble C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\RoughlyOptimize C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\FioricetTrial C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
File opened for modification C:\Windows\SaraBiographies C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2776 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2776 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2776 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2776 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2776 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2776 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2776 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2768 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2768 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2768 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2768 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif
PID 2768 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Processes

C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe

"C:\Users\Admin\AppData\Local\Temp\advanced_systemcare_pro_v17.6.0.322___fix.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Establishment Establishment.bat & Establishment.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 66489

C:\Windows\SysWOW64\findstr.exe

findstr /V "technoourselveshdtvportal" Dance

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Launched + ..\Compatibility + ..\Territory + ..\Tomato + ..\Phones + ..\Camera + ..\Botswana + ..\Traveling + ..\Acc + ..\Fireplace + ..\Legends + ..\Filled + ..\Somalia + ..\Pilot + ..\Reduces + ..\Comprehensive + ..\Collections + ..\Fp + ..\Tubes + ..\Mostly + ..\Rugby + ..\Conferencing + ..\Bring + ..\Cosmetic + ..\Dicke + ..\Vi + ..\Specialist + ..\Singles + ..\Biotechnology + ..\Par + ..\Overall + ..\Connector t

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Updated.pif t

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 geMRGKqVxVpfJTwCaGgFh.geMRGKqVxVpfJTwCaGgFh udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 185.143.223.148:80 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 92.246.139.82:80 92.246.139.82 tcp
US 8.8.8.8:53 api64.ipify.org udp
US 173.231.16.77:443 api64.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 82.139.246.92.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Establishment

MD5 dc7ec9ba7acf7211cf86c7a7a71fb2d2
SHA1 ab14e9821f6ceaabdcf273be4c0d5403a36b3a7b
SHA256 66aae1264086bb897bcbb00f933baf11f04c9cbcdbaa05aa2dff3d4ac0a023ad
SHA512 81a1d1714539be2780962a789a372841697a991b26ecfea95069e31272a457e4f031461ddf3927afa516dd789a48d1b4052889ffd2701750a472c67932e216d7

C:\Users\Admin\AppData\Local\Temp\Dance

MD5 cd9dfbc740b5397d366e02679ff92565
SHA1 2fa764f5f7b15ae154fd4a6c2098c99179c60304
SHA256 273e95e8c0e59ba41f402177136b67ba5d63f9fd821d612165e27eed7d20a395
SHA512 8168566cacebb2ed7ad5e0673d6711441b27e7119c2be3d4190316663097bbb402b7a32e09d0eb172758f1ef25e0cb16f150f44f6ce33f16d42422b72d1cb636

C:\Users\Admin\AppData\Local\Temp\Hay

MD5 ab9565a243b50562d4011868a9a30f7f
SHA1 7d20e2a105749a25fc3acd087d9f5dcfd011f37a
SHA256 03ead3d9c4bd329bac69265b267005866e03995be714e429fc309e9cb490a7a9
SHA512 a42f98880231f05877a51a6af0c09ac914e541538a6528f1c1ec6b318e0f7a70af26e99155e35e0d803f2ebc7365f8b7b47093ebdfabb23ae31feb4f87a9470a

C:\Users\Admin\AppData\Local\Temp\Launched

MD5 7a33c73bc4774c03688ad1bbf591ede7
SHA1 25223dbd396a6ef27f5e807f11115615d1d2a569
SHA256 844d40bfb0a4a6435cedef900f051d17f442ccfdf606565c973aa1d5291b1b02
SHA512 f8198c107b0aa6dbf332f3daae007fa8f4d3a89596cc1493b18acf79c8703b1b1c5505dbf732e87a9806926f8bdec7f608f0ef010a496effc88d0132339d7101

C:\Users\Admin\AppData\Local\Temp\Compatibility

MD5 1c231324e0ce157ada1881116daad7d6
SHA1 0b641a44cf5d2c36c91a15dc998f5a78cc998940
SHA256 d15599028c4b2c93d6f292b93b7e0409e998578889052bc0db3e2521fc0179ce
SHA512 04e3cd943d2afcd28e106f5c596e0c5a88898d6ef3347a870b70a9f72d09ff999d10db24abf82dcd972e64a779963facba051c9ae8be73e04733e516644b6b10

C:\Users\Admin\AppData\Local\Temp\Territory

MD5 66d7e51392b4aab30a8ec7629b0c54ec
SHA1 86a7bfbb51d25492d6da97a009991f148e44ba36
SHA256 03f685e1db96e6570386fb81f99da2ebf017893749dcb59fd64d01ab92c6e56f
SHA512 ee8ea6bd6079fd8387c332762685bf9681e39cfcb97a115ace9ca49dfe5ac58efd3d9c68e75fb6b413c058ae888affb7a36742943d4fe8aae8d4fb361aec08e0

C:\Users\Admin\AppData\Local\Temp\Tomato

MD5 b7012bc921e6230e26f7e5c06e1ee3d3
SHA1 d5a482d530f8ba1da38ee44b9282cf7feee35a96
SHA256 b8b4e6ef356e6801753b2420a56b254118c6d8576a4ab2e7de613d3731172d88
SHA512 c8c573e54e2c4e995ba7d24983808739e6aa5c7823d4c187d0552104e7a3fa456d297b8ed5a7b08e590c8ed615e74f86f7fca8ad4c36be09ef44c349dadabeaa

C:\Users\Admin\AppData\Local\Temp\Phones

MD5 1e66dcf6dc37b09d1b7f163d416d82cf
SHA1 86cca9c43fa72da98a9a709ac5d77b8f72192646
SHA256 511214ff1dae91d2e4584a101906f5c1b91f0f02d5ba65aeb18afea13cc39e1a
SHA512 511eb8e3d9e08693f28c6a02cfc2ce6831c48d1e6a1f37cb8cc08e28fbe555d75fbddb63a70c4157d6dc204d3b9766a4564596e401687778124cb98f5b7d7e6a

C:\Users\Admin\AppData\Local\Temp\Camera

MD5 ec23fbe29228ee99bb0ae080672a8a12
SHA1 dbcce6778484f609f124ce54a5ce9c8bf50307d8
SHA256 104f762ec63b80ae6fd553d07f67e4ba4b69c5640d623ad53f01084cfa5e16c5
SHA512 1a69b6945e49a44a3173b6a67dfd78c33987a0fd73c6dbf45e7b28f301c3615c73d0dde5be185e27d326b5e4afa0ff73a4eb54ae24608529fca8af695331bdc2

C:\Users\Admin\AppData\Local\Temp\Botswana

MD5 71917aaeec9dcf85339b8649718be76c
SHA1 aee8be39c1cc4497e3e6f60112c79988e16e6159
SHA256 b7896a4ffa3edb24818af0f249b76862768885d577078e40f845d9cae3ea7607
SHA512 a483abbb6f4fc2d76437a128392a1df448b7c4cb41ac88735c2dfa1ce792a0e6d008f5f1b4cfa4d559ed72580b291f019bf9afc10344063fe37a5783bd772207

C:\Users\Admin\AppData\Local\Temp\Traveling

MD5 ad9e1249235376891836ca6203909eb8
SHA1 d56a0b08d8a9a68075651a7596daa8ed8dd0bd6c
SHA256 3ee9e8a20913f1d785c31ced9b93953ebf30dd5f7f49384e54991649f3ec0e4b
SHA512 54e74942ec627396f3a4fe8c46276d71e7d43693db9863e7ef85dcb06ae8374d17f3a6c7520c6f7701f9912028d740e0e69a27ab6b86295fe957a2f7c4541f30

C:\Users\Admin\AppData\Local\Temp\Acc

MD5 c7952a6e11a9dfd97b8ddb303a009a01
SHA1 9e9944888170d12d3d65f9aeb55567c8e4b437f4
SHA256 c3b62b836be197269997fe4c5d7f546eea84dea4a922f10c88b69f365e1e9b41
SHA512 b56b6b8185801330651ae73a72252d6081eef938ae2527427a12400ad3eb0bb590af33082d0b6dc98747faacfaf419513103ba557a7fed6489d47e4e50f154c1

C:\Users\Admin\AppData\Local\Temp\Fireplace

MD5 c0c5639a24c188caa295c125556bad40
SHA1 65cf6d3e6264fa364b01e1cd2a85d9f2617e931a
SHA256 a452a83285d5b4b751adbd5e01692b718cdebcdb362fb8fc1e159560de283752
SHA512 bcd9e2f62bac0811c8943be2861f86793ddf13f56edfd3cd31bc1110c618d5b2672835c1bd560b9f073c157230f22a0b8efa32bc9f5ddcb22b3d026d98fa5b49

C:\Users\Admin\AppData\Local\Temp\Legends

MD5 9907cd16718b77a36a0257b747613a4e
SHA1 c003193c10ecbef7820136ea13b14e528ba61bb8
SHA256 da7e533eb924651ad2f0fa4093c6c84562c96853a2d44ea25240aa4b1b032e47
SHA512 d64afdae597bd84388a3c981096a92ac1b1c71586a027142a7aaef1032d68f73b78b46ac9b33b8c7cb4da3702133bb8d4ccb21d1900a7465704d28073b71d414

C:\Users\Admin\AppData\Local\Temp\Filled

MD5 76d6efeaf3ab1281ecb03b05d080bc5f
SHA1 18cda5217705406603355fe1f03d96ef2fd7d1a8
SHA256 83bda8c4d7b5999c3342a34854fee5d87c6aeda34b8b99407ec4b956511aa6d0
SHA512 2a04d997016533e1acad843ceb0e89c78c3cee25b49bf62eb40db4ee7164c6cf6533746ce7348cfd5394f6a54a6b260f89efece15815a42d7c63e59cf821ea55

C:\Users\Admin\AppData\Local\Temp\Somalia

MD5 2fd71907ed9cccd1097cc3d366851bf4
SHA1 e9bac2b5ec9b9d206d2694b6b4ca43a8889d996a
SHA256 6cae2c3e613b64a49e1fae53365a9705bb27192f420784058b2b7668701df66c
SHA512 8793b93757082ad16c065dd5d0f870a99f22a7e9aed663985ad8d72c3502fe5489e117ff23ed12464eb5d576acf74d85b43b77dfb4e4d7e4a724e90d1aa6c27f

C:\Users\Admin\AppData\Local\Temp\Pilot

MD5 b0157a19cdcef0c5522fc537860683d8
SHA1 10ea0dcc20bda6274663067643be96ab9f2e772e
SHA256 25c684744726c1a5dde48c6df11f54f461becae85af2631795d23922aca7781c
SHA512 549a6bc71e7374177be333b93553508c7d2161f16d8ebbf0fb20321a7e6eadfa80f851f4332b63f0da8aa266a2574aab319fc2bd4a62b16162c4645f466698df

C:\Users\Admin\AppData\Local\Temp\Reduces

MD5 398709b004fbd8b968c8e42491f19972
SHA1 6dd61cec0af68313aabf1556a1b56a13523ee4dd
SHA256 0e628b36d91d5d0eaa9e3519737f8994bd8e09f46b23654a46625464125bb3dc
SHA512 8551aafbb3b2714c228bc8143c9ad7d6d414fa0ee2c3d621b75fabd8338750c6e3baf297de7d1065587caed894ef29920f7344bc84bb1ad0c749d93d58ec8c1f

C:\Users\Admin\AppData\Local\Temp\Collections

MD5 88cb9cd3aead0f8218324e872ac696a7
SHA1 d473368714ad0ff805880effe98f5252df339667
SHA256 7d9c8e00b19d536f28f168fb8e7ac07ff09d5d571dff92f57f46af1abc2bf47b
SHA512 c1ae2cee16d3291804b62b49cac3f03375401d2c82ddc910ba74014066dd3563d284e3b88de96832a3f84f4f426c465fa09315fb01c492aef3dc43c9300f4d3c

C:\Users\Admin\AppData\Local\Temp\Comprehensive

MD5 ce0900db1193e8b52b5d729b0cd489d6
SHA1 4982afee4e95fcfebbe54a158c373237ebfe7afd
SHA256 75f3be5aef10128f8fe62f50ca8c465e1ea4c487bbaa1534999349edec6f30f0
SHA512 fc767826503dfd525922c462d5cc168c7d1740701f702e517e3e8a8dbc3855d59bf2ff185d803b286c5e5f6552630f44d8b2f1495a9f6da8173c27d0b0768ea2

C:\Users\Admin\AppData\Local\Temp\Fp

MD5 8ef48220ebf2461b331438a9cb7fa73f
SHA1 ea9b2ef3b00b7a74879312db9038eec3cbfc2579
SHA256 269ff7c969498267c2da598b2fcbf6266f53d8ef90a735e53755bda7e637b616
SHA512 93d337ff745ed2e96147156ada92c02cc71b296e6bc50a44310467b20bff0e3f9c05260b403c868028b64cf9672f245a68a18526b8a4cb04d22a75b67e885164

C:\Users\Admin\AppData\Local\Temp\Tubes

MD5 4d0ba739a5c196fb0ed1191cdefcbdc4
SHA1 687d67a7281a8457b2b2de66da96dc8ed9c55856
SHA256 5a7b5d24e7968cc1e4e139a6275f8607d3e50c4d25141db27908913b84ace9da
SHA512 a35d89f122319002d197efcb683c86994617265b8c47611881dffb479c28dc0e92a933783f5b49892e44d242fafd3cb4169d73bdb2c4eeaa471ff81a4a022cd7

C:\Users\Admin\AppData\Local\Temp\Mostly

MD5 a7667d94a751d656392f447fbeaaaadf
SHA1 b68c0554f5755948c4af3d1c70524b1200b87a6a
SHA256 2e487bc97787176cb552469ef32fe2b88c9c2c71b3dd5509b019aea0d5153f99
SHA512 21c4869c366f765f4aae3fb0386d8cb8bfccad87abebfb33e9414333a925dcd10557ee380282ae215ff7cc0c25beebac4632c8fd059100e83cc2a6e685d25dca

C:\Users\Admin\AppData\Local\Temp\Rugby

MD5 98f0481c9e01bec9b7a230eb9820cb35
SHA1 ce984859ad1347d59b72484a400569c36226e74c
SHA256 9499faadcbd1272e949c61c1babe16cba127e80929454d6600bf681d88d2e1c6
SHA512 22841f977c9fc81d38a6d121fc00295730a11094fc6c826118e73ce4667bce9561a0d3c0e7b3f748b5fb489194e01ed1812e274a139cdf7f1c5fc25912f09d53

C:\Users\Admin\AppData\Local\Temp\Conferencing

MD5 f0d8b79a6f05368e1a593b80730f6781
SHA1 72ce2a143c08bdcce1a23053322281cd1ab1fc11
SHA256 bc0e68cffeaafc3f673664b7882e3ca266ae8d01cbe959c84cd993957064d35c
SHA512 33dd94439fbea36432dd2adc36efb06ffc569b98ca26126c915d81d5e02bc62b48bcbb4a8a1a7aae45e5710213e00827fa14b23ed625dde81ccd29b72ba79f88

C:\Users\Admin\AppData\Local\Temp\Bring

MD5 39149e0eb98161df0310b7db6e872e9f
SHA1 0fc522daf417a7d32e57571383a4880ecf5edcf9
SHA256 d2c62d43b591a415db0fec310cafd135f903d3323d286ba92b411df92785afbe
SHA512 ce507b008a5f57191bfad29572d789a39a306f0a1e234dcd2236203f7e30c7e96b9a224e16aa6cde9766972ae7bf6fdcd8e2ec9da28b419b5b6c8d1811c84954

C:\Users\Admin\AppData\Local\Temp\Cosmetic

MD5 a6a23f4d7b74bc28722fb6ccf716909a
SHA1 6c9c28a2bad313a814dca80b0dbd93cde18c056b
SHA256 623a9fddb3b411dad8a8eb52fb699ffe23efa4c85a4536191ade7d688ab53c07
SHA512 d901af1c42e536e11efebc619c136c1aa9564163c78219652b6e19b1a2403828dd88403ac98d0bde20ea66d1cd883ed7f36e5ce3c35a0cbb26c9f510754630df

C:\Users\Admin\AppData\Local\Temp\Dicke

MD5 5e7074c2487bcfe3a060f39e2a0c713a
SHA1 eb675f9e7a0de5c462ca9c69c30a5b15935cea28
SHA256 58e8e8aad2591e0fc23e7a232400dccbe06b460042f7019582a5d3678c3b7e90
SHA512 7ee0fd6965fee7a2565f0a6792dd3895690825567588369cd53dbcc172751576f442f43d671c3f6716e693b4ae94e90a9e4f0a02f6fd00f98a5847bd9c6ae908

C:\Users\Admin\AppData\Local\Temp\Vi

MD5 ae7839d400ef6b8325f362f8de33e73f
SHA1 2d8c7a0835fc8a7b4c68198e4d35e899e594c1a6
SHA256 0221549444be1bbd476980f82f1e5fc5d009824c197aaf6617728165a83a081b
SHA512 21e8c934fca496a626ddd53c4bbf58499f1ceecb736036dc2e37a7f95823e131373925e2b3f6a46196937449705106c821b5470c3bc9be5231385664e7adb3f8

C:\Users\Admin\AppData\Local\Temp\Specialist

MD5 9018c0ae417ac88643b55163384abfc2
SHA1 ac93c2712e9b35f95493d1a2be1c34b1dc1216db
SHA256 9bed4da0722b78cb809bf9d63665d73748effe820aeda3c6944d8e21863ae59f
SHA512 c84f9c948b31e5466292992b77c83700fe6eae33ed6d9fc95bad3fb928cf50d361b667aba72d2d9d8dcb21188fd3480acde0bbda3d5623510417a2aa0bbbdfe5

C:\Users\Admin\AppData\Local\Temp\Singles

MD5 3d8a23f7ee2e47052bca9b844fe1a365
SHA1 b7cdc88cbc69d396945cd35ce17c365544c5ae5b
SHA256 cfc5f549170ce4b10d0d25b13c23983f09778be62fabfbf0ae16d7cf3839cd1e
SHA512 f371ea22792cd79ff22a8e500220f65d74c9b88dc4b9f01c17e1bf64d1f2893bc4dbb73a33f6473b51dda001f4a8e51feafddeabe6510fff9d46b80d4846db6c

C:\Users\Admin\AppData\Local\Temp\Biotechnology

MD5 2f2770ebccf572bb95a7353adff3484c
SHA1 818d0b9a8dc88ef2fafd7724ab46c0b304d98ff8
SHA256 ad749ae1c75c1bfffee0e56a8426bfb473d78febe8b559cf875bbbfa04f25fa4
SHA512 14119af0016d6948ebf653edc4361f566832050bc47dbb726adeb5eb2509ff96b3a1199acf3a6ecc051322ac2feaa80f1c14300ab146f9f15be429ac7556f9fd

C:\Users\Admin\AppData\Local\Temp\Par

MD5 2544db428b5032c422f879b02a5ffa08
SHA1 9b2da5554888ffbb47e1fb6913fa0ccba06bfba1
SHA256 43a1720d95ac06c4b599b2f324dc8a9de2a8239ff25a34ceb616c065f3a403f0
SHA512 1d8c42177af06a5e161219c9b659c78b52626a2fc5b1bcaec44c38576e9ffdb8192b9b9066487ea8a2b6ff61345d5ae37d30b63254cbf5d66150ae1f4088fe6a

C:\Users\Admin\AppData\Local\Temp\Overall

MD5 cfbeec616eca350d3523c89fe4984c84
SHA1 1402b33166a194c7c85f734c1318b57bd01b87e8
SHA256 8b19064703a022c4bf3db1e7b9cbda855d30d5da3a613c9c4c675c5bb8b3d700
SHA512 dca937df48fc742f26281393bf060231a071921934cc56011d7982b3e7d2fd490bdb17bff4c063a5a069f4fd6ceffa5eae4de0a792a58b5a277e6dc86997edf7

C:\Users\Admin\AppData\Local\Temp\Connector

MD5 d18ca7cae1f889722a25ef235d5eaba0
SHA1 c71c4ff2633ccaa4736bc6580e7906346186399a
SHA256 3c76c18eb38f0c124a7a1ece126538508f8df7d7b1bb83c5bccb12ed66b654ce
SHA512 f9c9b349a04be6f470fcad0fb6d5b5f925b6c89e2b68505437bca6ea48362c3a1db97ec69479739302d6b0ce64650a041090358d2af063f0128b365cf12be694

C:\Users\Admin\AppData\Local\Temp\66489\Updated.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\66489\t

MD5 8c0494568819e09b440ffafeb0887a2d
SHA1 1c334b5dedf5a617614bb725b28ce4b68d746cec
SHA256 73325224492ab0f85af2c57c2d47092f1de5882e243f0e7c1066fc5cd946e3a1
SHA512 4d52ad8774418b15b0377cffa2573013eeb7404a2626a2eb17d18d336ff2ea084901bf85ea8c3aed656a1f3a995ec89e585cdc5b8a633372cb2a46615941a367

memory/1836-78-0x0000000000A00000-0x0000000000BDF000-memory.dmp

memory/1836-79-0x0000000000A00000-0x0000000000BDF000-memory.dmp

memory/1836-81-0x0000000000A00000-0x0000000000BDF000-memory.dmp