Analysis Overview
SHA256
2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4
Threat Level: Likely malicious
The file 2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4 was found to be: Likely malicious.
Malicious Activity Summary
Checks for common network interception software
Loads dropped DLL
Executes dropped EXE
Maps connected drives based on registry
Checks installed software on the system
Enumerates processes with tasklist
Unsigned PE
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Gathers network information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:32
Reported
2024-11-09 20:34
Platform
win7-20240903-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Checks for common network interception software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\gentlemjmp_ieu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FGP2S.tmp\gentlemjmp_ieu.tmp | N/A |
Loads dropped DLL
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe
"C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe"
C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp" /SL5="$4010A,4921512,56832,C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "WINDOWTITLE eq Process Monitor*"
C:\Windows\SysWOW64\find.exe
find "PID"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\cmd.bat""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5900 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5901 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5902 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5903 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5904 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\gentlemjmp_ieu.exe
"C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe
C:\Users\Admin\AppData\Local\Temp\is-FGP2S.tmp\gentlemjmp_ieu.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FGP2S.tmp\gentlemjmp_ieu.tmp" /SL5="$1F0162,16700303,56832,C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-I5U3L.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ads.filoutoutout.com | udp |
| US | 8.8.8.8:53 | ads.cloud4ads.com | udp |
Files
memory/2240-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/2240-0-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-94H01.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp
| MD5 | 1305181de520f125aeabf85dc24a89d6 |
| SHA1 | 98b7548fede3f1468ccbdee405abdc4e5d2ec671 |
| SHA256 | 0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf |
| SHA512 | b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793 |
memory/2532-8-0x0000000000400000-0x00000000004BC000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\ex.bat
| MD5 | 00e3ea0eb633bb6dc72dece381ee5710 |
| SHA1 | 5383f8efe4514ac0ee487922012e9a3309e702b0 |
| SHA256 | e86b43f63f47f9373a23aa54adb58ad24c4a3fc6d7b6f2e6fa7b019cd87b1766 |
| SHA512 | 62add2b9026668608be32ccfc48829a62ad327087524d0925ba560d13b57b3d277e8961af026ca45e5a154a3c816277fa7ae38f2d4d0ee5364ecc2b586d2591c |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\av.txt
| MD5 | f8f8258012893e0a2c957d226bdd7587 |
| SHA1 | ed482b5f912ef2d31e2b231df6b6e3b64967390c |
| SHA256 | c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2 |
| SHA512 | 6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | dae8768bbb8a4fddc4dca8eae7c4d65f |
| SHA1 | 385ffb932fcff489392536d62e291ed9e0beea98 |
| SHA256 | ca1bf4fe8a59a31f06a4f2d975671fbb2eeca33d40b0c35318f2131a118754cf |
| SHA512 | 492feada84b7064547bd6d22ed13cf6949156eb3daa9af5aa9c3da44dd6ac7e540904c494de14a7858d498944ab51c7525caac3c9aa933d1e55ca35442c075b6 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 6a745081c62a706c014a876f45b5a56b |
| SHA1 | 25f17fcc50dd202d2381c00970e2dc04c2ad9707 |
| SHA256 | e9f9690b327cf24e6c260f93232dd4b961d82a709c16589ba72aabcdba0c039c |
| SHA512 | a420efa894ef6fedad4fafd5e15042f947ff96a169031b7299afeba797bcaefa675508f72f57bfa8452a35d61314a544e26bc535ddb61a0cdfdca03c07ae372f |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | f0315949ccc3d22d958503f5735cfbcc |
| SHA1 | 883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0 |
| SHA256 | 201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d |
| SHA512 | aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 110d64c0e450ff59542f81690a2d53b7 |
| SHA1 | 7f2e989deb095a0530792989e5fa9d7279d5f3e7 |
| SHA256 | 735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e |
| SHA512 | 00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 8fec1ab28e8ee7394915990458fb85dc |
| SHA1 | c70e183a783a9621cd64584de99f8163deb40872 |
| SHA256 | b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd |
| SHA512 | c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 97cc4c6dda23b9631b8c9185859ad061 |
| SHA1 | 5f912a6c094bd918afe5e9f0c70cd45b36dff722 |
| SHA256 | 55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8 |
| SHA512 | cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | b921f2f9f97a642d513e1307f7685e0f |
| SHA1 | 3489b63a484a6114f1828100908bbbc622b07ed1 |
| SHA256 | 953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc |
| SHA512 | 1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | b35e8ab65e7f8a4edb3663885f775681 |
| SHA1 | 49b66b2e3cff64dd7d8315c53d852c19a46e8609 |
| SHA256 | 9b78165c2b44ba6675654f776e34815c19482a84c87e6a7dc9d1a68d3d5a5e53 |
| SHA512 | 3ec1fad817117f00f620103666b1caa2ece51b9cc1a9b3fb2142d57aedc745e9bc69608e0cb2a2eff1879c7ad6741b66751049020620bac8659598080404adcc |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | f1b6aae3dcd94b94aee326517e3dc583 |
| SHA1 | 3418fdda1ad30df64d7bac068e1a0c4e305cfd75 |
| SHA256 | a02aa2b143a8e126b1a044e1f036a912a0ac134e8e1f56836805b15819e43f6b |
| SHA512 | dae27c24d2ef685e4f968dcd91cda18bfa605fd924b1bf928307107630bd671d6623e78451d3f397dfc93cc4e1c0f74c25e962b5669e2350a79b72ec061ec1ba |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | d93cc818d32f755945cddfc02b29fb89 |
| SHA1 | fc564e791326d269d005c894cfca674352dae814 |
| SHA256 | c3fabcab01d67640320ce0a5354e4fc6a7832beebe2e9a7610f43614eefce32c |
| SHA512 | 62c20691da188a45b59c468826706ed47ad285d9e23996b714c03b4c639d87d93b57e22f9e4504be42a742ee4c64657d87565f9ce65b677d05f66d0bbef0e0d5 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 660d266764b1952b43431d6c7dc0dfa9 |
| SHA1 | 809794738d6ca580d6ec14e77a717e831b0d0e5c |
| SHA256 | e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5 |
| SHA512 | 6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 59a8010aab7eb203cd9fda8f6be1beca |
| SHA1 | b9a07636b921183c88880320294e279c935cddd7 |
| SHA256 | 2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba |
| SHA512 | 26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | a59dd0f9883ea39c5119831b0eed46cc |
| SHA1 | 8c9354051f7d92310636f0f17e5770aede9d1ad3 |
| SHA256 | ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493 |
| SHA512 | 4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 32b997a9d994996a4369a580e6541b7d |
| SHA1 | d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1 |
| SHA256 | 39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8 |
| SHA512 | f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | f0b99c1273d3787f7769feb4d56e6803 |
| SHA1 | 6105232df9585072be8ca04712f8760812943cbf |
| SHA256 | 176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d |
| SHA512 | 73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 755c6764b8ecbb83798450705f51510f |
| SHA1 | deb141c4fc3220f0ff5c16eabf1adf850bf55610 |
| SHA256 | cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016 |
| SHA512 | a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\cmd.bat
| MD5 | d7e1bab903d1a818ceb72503ef1ab91d |
| SHA1 | c761d1c32b110e487c021a27d43af118b2be233d |
| SHA256 | 77686b8991adcd44f3d2a3c418a037c7ed4b5d5bd02edff31bdadce872e50546 |
| SHA512 | 8beab5012ff5dce2a87db52fe38c7737554ad8c6ab9753052e85b29769e276113a8f1aba824d4e788bd41aef1fb6c8dcca842652389f0da2497daebeb22d119d |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\favicon.ico
| MD5 | f0b81e3ecd1b5d144558da07bece8803 |
| SHA1 | 9ee5bf12a207859d89dc893b8d02bd5c739edb52 |
| SHA256 | dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1 |
| SHA512 | 774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | e902b4bcf5b531d057d091d00be3daee |
| SHA1 | 0cd058fcfab51dbfe91b139dc52245d5a4326f55 |
| SHA256 | 9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3 |
| SHA512 | 5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11 |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | c842d438cebab4b876572a8bc032aabe |
| SHA1 | e95c7d4e2f6246daba6f0baec8e1b94c91384c4d |
| SHA256 | ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218 |
| SHA512 | aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 410515fbd7d2a2b4fab0fb80c76c2a74 |
| SHA1 | f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893 |
| SHA256 | 6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99 |
| SHA512 | f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa |
C:\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\CheckProc.cmd
| MD5 | 0cbb771b9f9523adb96d5bae77154a05 |
| SHA1 | 528330a335047039ab012b01bb7a3f585e6f5a8d |
| SHA256 | 4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e |
| SHA512 | 41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1 |
\Users\Admin\AppData\Local\Temp\is-USJLG.tmp\gentlemjmp_ieu.exe
| MD5 | 489c666723edb2ae961d2bb173bfc3e5 |
| SHA1 | a277eeac6b518ec65a29a4cec3ea56f80d1bcb94 |
| SHA256 | 967870a0d0c415c7907a2c150d9b1058e3b17affbc59141a5f56726c5eb5854a |
| SHA512 | 6d1f9dbd6f5a3062d93ee26d1f7488a81bef13f202cdee06dfd13777085e5162a01b0fea042225d4b391393a54fd87f37d3fd4fd89c4f5b84bfb00a3bb883590 |
memory/2436-70-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-I5U3L.tmp\isskin.dll
| MD5 | 92c2e247392e0e02261dea67e1bb1a5e |
| SHA1 | db72fed8771364bf8039b2bc83ed01dda2908554 |
| SHA256 | 25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68 |
| SHA512 | e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5 |
\Users\Admin\AppData\Local\Temp\is-I5U3L.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/2028-89-0x00000000005D0000-0x000000000060C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-I5U3L.tmp\innocallback.dll
| MD5 | 1c55ae5ef9980e3b1028447da6105c75 |
| SHA1 | f85218e10e6aa23b2f5a3ed512895b437e41b45c |
| SHA256 | 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f |
| SHA512 | 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b |
memory/2028-93-0x0000000000610000-0x0000000000625000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-I5U3L.tmp\ex.bat
| MD5 | f252949098a00263f34423a8083426a9 |
| SHA1 | 83e2ef6b2c0eafae2da28a7d588691815e5dc912 |
| SHA256 | 3ba9fc7f597a396272d3713b56a977f59b8bdb6d54e0bd64fa49985c521687bd |
| SHA512 | f140e67c4b57d13dde204b18c5869c825d854773795eb45aa6a3edd30c8d9ad3e994ef85d133197c837ac3c610f8c6e0667c071dd3ffebb9d05452661ddffcc2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 0b0dcdd0dc648cb615ef1887feaebab8 |
| SHA1 | c34800bac4d785ede94516f72bf782bdb3b4a184 |
| SHA256 | 56318851c5dcb74a6b25133c246d85f9616ca55ae5fb80fde9f7126d43e7646a |
| SHA512 | ab3e192689424769184a2a65f7bfb6ae8bbee77282d5943ddf6d2f0bf8fc0035dbee46ad184039e545a6b847b91fe354c6fd2fc9140c0a8f3be8c5a9d934198e |
memory/2028-104-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2436-108-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2028-106-0x0000000000610000-0x0000000000625000-memory.dmp
memory/2028-105-0x00000000005D0000-0x000000000060C000-memory.dmp
memory/2532-110-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2240-112-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:32
Reported
2024-11-09 20:34
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Checks for common network interception software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\gentlemjmp_ieu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp | N/A |
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe
"C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe"
C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp" /SL5="$E004A,4921512,56832,C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "WINDOWTITLE eq Process Monitor*"
C:\Windows\SysWOW64\find.exe
find "PID"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\cmd.bat""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5900 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5901 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5902 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5903 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -na
C:\Windows\SysWOW64\findstr.exe
findstr /C:":5904 "
C:\Windows\SysWOW64\findstr.exe
findstr /C:"ESTABLISHED"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\gentlemjmp_ieu.exe
"C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe
C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TSO64.tmp\gentlemjmp_ieu.tmp" /SL5="$230200,16700303,56832,C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-VQ9EN.tmp\ex.bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ads.cloud4ads.com | udp |
| US | 8.8.8.8:53 | ads.cloud4ads.com | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2956-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/2956-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KC9PU.tmp\2438276344dfbcca32f7a353e91e06a01d8f51667c94db3b20414facc0b1cbb4.tmp
| MD5 | 1305181de520f125aeabf85dc24a89d6 |
| SHA1 | 98b7548fede3f1468ccbdee405abdc4e5d2ec671 |
| SHA256 | 0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf |
| SHA512 | b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793 |
memory/2720-7-0x0000000000400000-0x00000000004BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\ex.bat
| MD5 | 9a4ef695ba5323e643b3e95dfb451b64 |
| SHA1 | adec59057e1bbd2989953d77b72a6817ce526a98 |
| SHA256 | 14ec0159dcf81edb1fe9b2afa9998167d789b371e75384076fabd993e16ba7b3 |
| SHA512 | 948ed22e953c3d4d89c92b4e1c72278685e0551a3775ecda2b85634f279fe8359db3a8d281860442bf593c8c13c1d9ef03835db45fd8ad91cef24f66c472fa9f |
memory/4716-14-0x000000007374E000-0x000000007374F000-memory.dmp
memory/4716-15-0x0000000004960000-0x0000000004996000-memory.dmp
memory/4716-17-0x0000000005120000-0x0000000005748000-memory.dmp
memory/4716-16-0x0000000073740000-0x0000000073EF0000-memory.dmp
memory/4716-18-0x0000000073740000-0x0000000073EF0000-memory.dmp
memory/4716-19-0x0000000005780000-0x00000000057A2000-memory.dmp
memory/4716-20-0x0000000005820000-0x0000000005886000-memory.dmp
memory/4716-21-0x0000000005890000-0x00000000058F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0yp5bit.ydf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4716-27-0x0000000005900000-0x0000000005C54000-memory.dmp
memory/4716-32-0x0000000005EF0000-0x0000000005F0E000-memory.dmp
memory/4716-33-0x0000000005F10000-0x0000000005F5C000-memory.dmp
memory/4716-34-0x00000000070C0000-0x0000000007156000-memory.dmp
memory/4716-35-0x0000000006400000-0x000000000641A000-memory.dmp
memory/4716-36-0x0000000006460000-0x0000000006482000-memory.dmp
memory/4716-37-0x0000000007750000-0x0000000007CF4000-memory.dmp
memory/4716-38-0x0000000008380000-0x00000000089FA000-memory.dmp
memory/4716-41-0x0000000073740000-0x0000000073EF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\av.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | dae8768bbb8a4fddc4dca8eae7c4d65f |
| SHA1 | 385ffb932fcff489392536d62e291ed9e0beea98 |
| SHA256 | ca1bf4fe8a59a31f06a4f2d975671fbb2eeca33d40b0c35318f2131a118754cf |
| SHA512 | 492feada84b7064547bd6d22ed13cf6949156eb3daa9af5aa9c3da44dd6ac7e540904c494de14a7858d498944ab51c7525caac3c9aa933d1e55ca35442c075b6 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 6a745081c62a706c014a876f45b5a56b |
| SHA1 | 25f17fcc50dd202d2381c00970e2dc04c2ad9707 |
| SHA256 | e9f9690b327cf24e6c260f93232dd4b961d82a709c16589ba72aabcdba0c039c |
| SHA512 | a420efa894ef6fedad4fafd5e15042f947ff96a169031b7299afeba797bcaefa675508f72f57bfa8452a35d61314a544e26bc535ddb61a0cdfdca03c07ae372f |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | f0315949ccc3d22d958503f5735cfbcc |
| SHA1 | 883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0 |
| SHA256 | 201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d |
| SHA512 | aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 110d64c0e450ff59542f81690a2d53b7 |
| SHA1 | 7f2e989deb095a0530792989e5fa9d7279d5f3e7 |
| SHA256 | 735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e |
| SHA512 | 00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 8fec1ab28e8ee7394915990458fb85dc |
| SHA1 | c70e183a783a9621cd64584de99f8163deb40872 |
| SHA256 | b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd |
| SHA512 | c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 97cc4c6dda23b9631b8c9185859ad061 |
| SHA1 | 5f912a6c094bd918afe5e9f0c70cd45b36dff722 |
| SHA256 | 55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8 |
| SHA512 | cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | b921f2f9f97a642d513e1307f7685e0f |
| SHA1 | 3489b63a484a6114f1828100908bbbc622b07ed1 |
| SHA256 | 953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc |
| SHA512 | 1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | b35e8ab65e7f8a4edb3663885f775681 |
| SHA1 | 49b66b2e3cff64dd7d8315c53d852c19a46e8609 |
| SHA256 | 9b78165c2b44ba6675654f776e34815c19482a84c87e6a7dc9d1a68d3d5a5e53 |
| SHA512 | 3ec1fad817117f00f620103666b1caa2ece51b9cc1a9b3fb2142d57aedc745e9bc69608e0cb2a2eff1879c7ad6741b66751049020620bac8659598080404adcc |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | f1b6aae3dcd94b94aee326517e3dc583 |
| SHA1 | 3418fdda1ad30df64d7bac068e1a0c4e305cfd75 |
| SHA256 | a02aa2b143a8e126b1a044e1f036a912a0ac134e8e1f56836805b15819e43f6b |
| SHA512 | dae27c24d2ef685e4f968dcd91cda18bfa605fd924b1bf928307107630bd671d6623e78451d3f397dfc93cc4e1c0f74c25e962b5669e2350a79b72ec061ec1ba |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | d93cc818d32f755945cddfc02b29fb89 |
| SHA1 | fc564e791326d269d005c894cfca674352dae814 |
| SHA256 | c3fabcab01d67640320ce0a5354e4fc6a7832beebe2e9a7610f43614eefce32c |
| SHA512 | 62c20691da188a45b59c468826706ed47ad285d9e23996b714c03b4c639d87d93b57e22f9e4504be42a742ee4c64657d87565f9ce65b677d05f66d0bbef0e0d5 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 660d266764b1952b43431d6c7dc0dfa9 |
| SHA1 | 809794738d6ca580d6ec14e77a717e831b0d0e5c |
| SHA256 | e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5 |
| SHA512 | 6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 59a8010aab7eb203cd9fda8f6be1beca |
| SHA1 | b9a07636b921183c88880320294e279c935cddd7 |
| SHA256 | 2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba |
| SHA512 | 26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | a59dd0f9883ea39c5119831b0eed46cc |
| SHA1 | 8c9354051f7d92310636f0f17e5770aede9d1ad3 |
| SHA256 | ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493 |
| SHA512 | 4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 32b997a9d994996a4369a580e6541b7d |
| SHA1 | d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1 |
| SHA256 | 39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8 |
| SHA512 | f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | f0b99c1273d3787f7769feb4d56e6803 |
| SHA1 | 6105232df9585072be8ca04712f8760812943cbf |
| SHA256 | 176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d |
| SHA512 | 73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133 |
memory/2720-75-0x0000000000400000-0x00000000004BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 755c6764b8ecbb83798450705f51510f |
| SHA1 | deb141c4fc3220f0ff5c16eabf1adf850bf55610 |
| SHA256 | cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016 |
| SHA512 | a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\cmd.bat
| MD5 | 652c124301d7d055a338cfbdfea970ca |
| SHA1 | 7b51d97f45970ff1364f5871a5d5d293b47668c4 |
| SHA256 | f10ecb296402346a80278ac70d56b41c576c6c84d9185ebaf5ca0b12805218c0 |
| SHA512 | 11b79b20ac78ed9255f928878dd744abba4197970d13ef7874185b422a487df208513b2bcdea21719edfbdf36dead388093668fad6b29a875efd48b71256de6a |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\favicon.ico
| MD5 | f0b81e3ecd1b5d144558da07bece8803 |
| SHA1 | 9ee5bf12a207859d89dc893b8d02bd5c739edb52 |
| SHA256 | dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1 |
| SHA512 | 774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | e902b4bcf5b531d057d091d00be3daee |
| SHA1 | 0cd058fcfab51dbfe91b139dc52245d5a4326f55 |
| SHA256 | 9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3 |
| SHA512 | 5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | c842d438cebab4b876572a8bc032aabe |
| SHA1 | e95c7d4e2f6246daba6f0baec8e1b94c91384c4d |
| SHA256 | ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218 |
| SHA512 | aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 410515fbd7d2a2b4fab0fb80c76c2a74 |
| SHA1 | f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893 |
| SHA256 | 6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99 |
| SHA512 | f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\CheckProc.cmd
| MD5 | 0cbb771b9f9523adb96d5bae77154a05 |
| SHA1 | 528330a335047039ab012b01bb7a3f585e6f5a8d |
| SHA256 | 4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e |
| SHA512 | 41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1 |
C:\Users\Admin\AppData\Local\Temp\is-G560T.tmp\gentlemjmp_ieu.exe
| MD5 | 489c666723edb2ae961d2bb173bfc3e5 |
| SHA1 | a277eeac6b518ec65a29a4cec3ea56f80d1bcb94 |
| SHA256 | 967870a0d0c415c7907a2c150d9b1058e3b17affbc59141a5f56726c5eb5854a |
| SHA512 | 6d1f9dbd6f5a3062d93ee26d1f7488a81bef13f202cdee06dfd13777085e5162a01b0fea042225d4b391393a54fd87f37d3fd4fd89c4f5b84bfb00a3bb883590 |
memory/772-93-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2956-96-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VQ9EN.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-VQ9EN.tmp\isskin.dll
| MD5 | 92c2e247392e0e02261dea67e1bb1a5e |
| SHA1 | db72fed8771364bf8039b2bc83ed01dda2908554 |
| SHA256 | 25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68 |
| SHA512 | e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5 |
C:\Users\Admin\AppData\Local\Temp\is-VQ9EN.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/3128-112-0x0000000003210000-0x000000000324C000-memory.dmp
memory/3128-119-0x0000000003290000-0x00000000032A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VQ9EN.tmp\innocallback.dll
| MD5 | 1c55ae5ef9980e3b1028447da6105c75 |
| SHA1 | f85218e10e6aa23b2f5a3ed512895b437e41b45c |
| SHA256 | 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f |
| SHA512 | 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b |
C:\Users\Admin\AppData\Local\Temp\is-VQ9EN.tmp\ex.bat
| MD5 | 5c6d7c0070480c81878b69e6b88f6e68 |
| SHA1 | 7371fb6e19b3d1046d19042dd5d79e39b4be1cfa |
| SHA256 | e9838d67ab3cc39bc7d24d9f77c8ccd5794603a61a0ac24ebc9da731911433cd |
| SHA512 | a0f5f40fcf2aaad3869236b381c8ff423ec67ac73fd9958ced59839bd7ce5b0cc89d7c5e79a9264567f41777b1d9f81bbce53d6c6a7163ca2be35aae03565ad1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0774a05ce5ee4c1af7097353c9296c62 |
| SHA1 | 658ff96b111c21c39d7ad5f510fb72f9762114bb |
| SHA256 | d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4 |
| SHA512 | 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994 |
memory/2720-125-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/3916-135-0x00000000062E0000-0x0000000006634000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cf5bd01c6837ff0e6430fdad6448943a |
| SHA1 | b2b6f981b3a4c667a2edd6f5d0421f4ea48a81cb |
| SHA256 | 85fa42bbad8005986094a626db0fc8ed03c32359718efc65b42d7b0c2111d209 |
| SHA512 | 23d9395b8646be2d9d06336df7fbea144e46ecab30f0ea8a153383b946b6e61e40e64565adc2314699b54f8b50d3de24b0a0f41ef045a0f5f4478233efddef1b |
memory/3916-137-0x0000000006C30000-0x0000000006C7C000-memory.dmp
memory/3128-143-0x0000000003290000-0x00000000032A5000-memory.dmp
memory/3128-141-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/3128-142-0x0000000003210000-0x000000000324C000-memory.dmp
memory/772-144-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2720-146-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2956-147-0x0000000000400000-0x0000000000414000-memory.dmp