Malware Analysis Report

2025-08-06 02:40

Sample ID 241103-jxq1zszbnl
Target bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN
SHA256 bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805c
Tags: discovery execution
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805c

Threat Level: Likely malicious

The file bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN was found to be: Likely malicious.

Malicious Activity Summary

discovery execution

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Deletes itself

Drops startup file

Loads dropped DLL

Checks computer location settings

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 08:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 08:03

Reported

2024-11-03 08:05

Platform

win10v2004-20241007-en

Max time kernel

104s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2480 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 2480 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 2480 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 2480 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 4616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 640 wrote to memory of 4616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 640 wrote to memory of 4616 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe

"C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB3BF.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

MD5 d30c0f766318fae8aebf63ea2c781351
SHA1 e93d198f9ea29a7a83ae42736c2b2b3b4a939987
SHA256 50d88e12e7dec5d3d688916f20c8815f93cc238a2103c07b55670202972b58b7
SHA512 f4f3d2343a04d17185703add668150b9956b5ea455eb1887f1334926e7891fbb1cfe642d776d1259ebc14dc29c9479b98e1d1f38620e2d0727af4a356d27d3b5

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcknxofd.zmm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpB3BF.tmp.cmd

MD5 2b4b589e7e4c636c67e5df7041f90cc2
SHA1 4312a8e3fb59e904a887d7844f5cf91633535618
SHA256 cbcff3132cb480a630614fa5df31a1686b45f8a516b0d7dadb3ed52495dfc985
SHA512 65c1572d3bdd37192191be82f3fba352f04e376e4f136bd0bf9ecf3dad95f986152ca89d80c40f157612f9208b8bcec5a22c58ff4692016a6a02e1b0df4dbca8

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 08:03

Reported

2024-11-03 08:05

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1172 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 1172 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 1172 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 1172 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 1172 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2704 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe

"C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

MD5 c485280211a901d16a69cc710b5eccb9
SHA1 e4681be1835ede1c0a5a21f4dbc730cc1f16db2b
SHA256 34710e86eef4ad9742ca7f6cfc5a000991be3c573bfa1a00074c012bf2e9f301
SHA512 de936feb2d14b97bf3061dc9ec4f0966af87bef10b2181df4460320331400a22b666c1230dfbe364e4a06994bae4a33c3e198b0bae58a34757fa5aae7b256d56

C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.cmd

MD5 355450f64b69493338cfc79cad554162
SHA1 197c627abcbadcd20133b437add62ffd88da47a4
SHA256 6ddfe8b43fea8bcbfdd513ea6a8d55fefbcbd970099f8d0961fe86fc53a82ee9
SHA512 78914ea39527f417a6f37394d9986e49179394c30b00055e3c5b2ee744f8cd20a9a47a69682ffecb3a7c5c147282da1edbcc8dd4374e8114b40c7341a0ce6283