Analysis Overview
SHA256
10cae0676fcf60dbbb56266448fff13a2ed236753243fea28d41f3902863e053
Threat Level: Known bad
The file 10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
Orcus main payload
AsyncRat
UAC bypass
Orcus
Remcos
Orcurs Rat Executable
Async RAT payload
XMRig Miner payload
Drops file in Drivers directory
Creates new service(s)
Adds policy Run key to start application
Stops running service(s)
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
UPX packed file
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
System policy modification
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Creates scheduled task(s)
Modifies registry key
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Analysis: static1
Detonation Overview
Reported
2023-12-31 16:31
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 16:31
Reported
2023-12-31 16:33
Platform
win7-20231129-en
Max time kernel
0s
Max time network
144s
Signatures
AsyncRat
Orcus
Remcos
Async RAT payload
Orcurs Rat Executable
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
UPX packed file
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1108 wrote to memory of 3008 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\Scan.exe |
| PID 1108 wrote to memory of 3008 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\Scan.exe |
| PID 1108 wrote to memory of 3008 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\Scan.exe |
| PID 1108 wrote to memory of 3008 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\Scan.exe |
| PID 1108 wrote to memory of 1992 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe |
| PID 1108 wrote to memory of 1992 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe |
| PID 1108 wrote to memory of 1992 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe |
| PID 1108 wrote to memory of 1992 | N/A | C:\Windows\system32\sc.exe | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe
"C:\Users\Admin\AppData\Local\Temp\10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\svchosts.exe
"C:\Users\Admin\AppData\Roaming\svchosts.exe" /watchProcess "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 1144 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchosts.exe
"C:\Users\Admin\AppData\Roaming\svchosts.exe" /launchSelfAndExit "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 1144 /protectFile
C:\Program Files (x86)\ChromeUpdater\Updt.exe
"C:\Program Files (x86)\ChromeUpdater\Updt.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {196D0330-7B27-41C1-9B13-3FD4DFEED237} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WinUpdater" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdater.exe"'
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1258.tmp.bat""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdater" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdater.exe"' & exit
C:\Program Files (x86)\ChromeUpdater\Updt.exe
"C:\Program Files (x86)\ChromeUpdater\Updt.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\ProgramData\Google\GoogleData.exe
C:\ProgramData\Google\GoogleData.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Google\GoogleData.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Users\Admin\AppData\Roaming\WinUpdater.exe
"C:\Users\Admin\AppData\Roaming\WinUpdater.exe"
C:\Users\Admin\AppData\Local\Temp\Scandlls.exe
"C:\Users\Admin\AppData\Local\Temp\Scandlls.exe"
C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe
"C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe"
C:\Users\Admin\AppData\Local\Temp\Scandlls.exe
"C:\Users\Admin\AppData\Local\Temp\Scandlls.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe
"C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe"
C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe
"C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe"
C:\Users\Admin\AppData\Local\Temp\Scan.exe
"C:\Users\Admin\AppData\Local\Temp\Scan.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Network
| Country | Destination | Domain | Proto |
| CA | 15.235.3.1:443 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| CA | 15.235.3.1:2000 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| CA | 15.235.3.1:2001 | | tcp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 16:31
Reported
2023-12-31 16:34
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
155s
Signatures
AsyncRat
Orcus
Orcus main payload
Remcos
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\cmd.exe | N/A |
xmrig
Async RAT payload
Orcurs Rat Executable
XMRig Miner payload
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Google\\GoogleData.exe\"" | C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Google\GoogleData.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Google\\GoogleData.exe\"" | C:\ProgramData\Google\GoogleData.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Scan.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\ChromeUpdater\Updt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchosts.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scandlls.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scandlls.exe | N/A |
| N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| N/A | N/A | C:\ProgramData\Google\GoogleData.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ChromeUpdater\Updt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ChromeUpdater\Updt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdater.exe | N/A |
| N/A | N/A | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Google\\GoogleData.exe\"" | C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Google\\GoogleData.exe\"" | C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Google\\GoogleData.exe\"" | C:\ProgramData\Google\GoogleData.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Google\\GoogleData.exe\"" | C:\ProgramData\Google\GoogleData.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChormeUpdt = "\"C:\\Program Files (x86)\\ChromeUpdater\\Updt.exe\"" | C:\Program Files (x86)\ChromeUpdater\Updt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | C:\Windows\system32\reg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Scan.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3952 set thread context of 4508 | N/A | C:\ProgramData\Google\GoogleData.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2788 set thread context of 4180 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\conhost.exe |
| PID 2788 set thread context of 4784 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\conhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ChromeUpdater\Updt.exe | C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ChromeUpdater\Updt.exe | C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe | N/A |
| File created | C:\Program Files (x86)\ChromeUpdater\Updt.exe.config | C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Detects Pyinstaller
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Google\GoogleData.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Scandlls.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\ChromeUpdater\Updt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchosts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchosts.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 33 = SeIncreaseWorkingSetPrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 34 = SeTimeZonePrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 35 = SeCreateSymbolicLinkPrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 36 = SeDelegateSessionUserImpersonatePrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 33 = SeIncreaseWorkingSetPrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 34 = SeTimeZonePrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 35 = SeCreateSymbolicLinkPrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: 36 = SeDelegateSessionUserImpersonatePrivilege (LUID not resolved by the sandbox) | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinUpdater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinUpdater.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Google\GoogleData.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ChromeUpdater\Updt.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\system32\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\cmd.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe
"C:\Users\Admin\AppData\Local\Temp\10cae0676fcf60dbbb56266448fff13a2ed236753243f.exe"
C:\Users\Admin\AppData\Local\Temp\Scan.exe
"C:\Users\Admin\AppData\Local\Temp\Scan.exe"
C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe
"C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe
"C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files (x86)\ChromeUpdater\Updt.exe
"C:\Program Files (x86)\ChromeUpdater\Updt.exe"
C:\Program Files (x86)\ChromeUpdater\Updt.exe
"C:\Program Files (x86)\ChromeUpdater\Updt.exe"
C:\Users\Admin\AppData\Roaming\svchosts.exe
"C:\Users\Admin\AppData\Roaming\svchosts.exe" /launchSelfAndExit "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 2924 /protectFile
C:\Users\Admin\AppData\Roaming\svchosts.exe
"C:\Users\Admin\AppData\Roaming\svchosts.exe" /watchProcess "C:\Program Files (x86)\ChromeUpdater\Updt.exe" 2924 "/protectFile"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WinUpdater" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdater.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp663C.tmp.bat""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdater" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdater.exe"' & exit
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\ProgramData\Google\GoogleData.exe
C:\ProgramData\Google\GoogleData.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Google\GoogleData.exe"
C:\Users\Admin\AppData\Roaming\WinUpdater.exe
"C:\Users\Admin\AppData\Roaming\WinUpdater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Users\Admin\AppData\Local\Temp\Scandlls.exe
"C:\Users\Admin\AppData\Local\Temp\Scandlls.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\Scandlls.exe
"C:\Users\Admin\AppData\Local\Temp\Scandlls.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe
"C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
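The command lines above are the most actionable part of this report. The Python below is an added example, not sandbox output and not code from the analysed sample: it runs a small rule set over lines copied from the process list (a constructed subset, plus two benign control lines) and maps each hit to the Enterprise ATT&CK technique that command is normally filed under. The rule names, the regexes and the choice of which services count as update services are this example's assumptions; KB890830 is the Malicious Software Removal Tool, which is why its removal is grouped with the Defender exclusion under defence impairment.

```python
"""Command-line triage over the process list recorded in this detonation.

Added example, not part of the sandbox report or of the analysed sample.
The rules are this example's own heuristics keyed on the literal command
lines listed under "Processes"; the ATT&CK IDs are the Enterprise techniques
those commands are normally mapped to.
"""
import re
from collections import Counter

# (tag, ATT&CK technique, pattern). "-" means no dedicated technique ID.
RULES = [
    # reg ADD ...\Policies\System /v EnableLUA /d 0: turns UAC off.
    ("uac_disabled", "T1548.002",
     re.compile(r"Policies\\System\s+/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0", re.I)),
    # Add-MpPreference -ExclusionPath/-ExclusionExtension: Defender blind spots.
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Extension)", re.I)),
    # sc stop eventlog: kills Windows event logging.
    ("eventlog_stopped", "T1562.002",
     re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    # sc stop of the Windows Update / delivery services (assumed set).
    ("update_svc_stopped", "T1489",
     re.compile(r"\bsc(\.exe)?\s+stop\s+(wuauserv|bits|dosvc|UsoSvc|WaaSMedicSvc)\b", re.I)),
    # wusa /uninstall /kb:890830: KB890830 is the Malicious Software Removal Tool.
    ("msrt_removed", "T1562.001",
     re.compile(r"wusa\s+/uninstall\s+/kb:890830\b", re.I)),
    # sc create <name> binpath= ...: new service for persistence.
    ("service_persistence", "T1543.003",
     re.compile(r"\bsc(\.exe)?\s+create\s+\S+\s+binpath=", re.I)),
    # schtasks /create ... /rl highest: logon task with highest privileges.
    ("schtask_highest", "T1053.005",
     re.compile(r"schtasks\s+/create\s.*?/rl\s+highest", re.I)),
    # reg add HKCU\...\Run: per-user Run key.
    ("run_key", "T1547.001",
     re.compile(r"reg\s+add\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)),
    # powercfg /x -standby/-hibernate-timeout 0: keeps the host awake for the miner.
    ("sleep_disabled", "-",
     re.compile(r"powercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0", re.I)),
    # wmic csproduct get uuid: machine UUID as victim/hardware identifier.
    ("hwid_query", "T1082",
     re.compile(r"WMIC(\.exe)?\s+csproduct\s+get\s+uuid", re.I)),
    # netsh wlan show profiles: saved Wi-Fi profile enumeration.
    ("wifi_profiles", "T1016.002",
     re.compile(r"netsh\s+wlan\s+show\s+profiles", re.I)),
]

# Constructed sample input: command lines copied from the "Processes" list
# above, plus two benign lines (timeout, ver) as controls.
SAMPLE_PROCESS_LIST = r'''
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe stop WaaSMedicSvc
wusa /uninstall /kb:890830 /quiet /norestart
schtasks /create /f /sc onlogon /rl highest /tn "WinUpdater" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdater.exe"'
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
netsh wlan show profiles
timeout 3
C:\Windows\system32\cmd.exe /c "ver"
'''.strip().splitlines()


def classify(cmdline):
    """Return {(tag, technique)} for every rule the command line matches."""
    return {(tag, tech) for tag, tech, rx in RULES if rx.search(cmdline)}


def triage(cmdlines):
    """Collapse a process list into hit counts per tag and the techniques seen."""
    hits = Counter()
    techniques = set()
    for line in cmdlines:
        for tag, tech in classify(line):
            hits[tag] += 1
            if tech != "-":
                techniques.add(tech)
    return hits, techniques


if __name__ == "__main__":
    hits, techniques = triage(SAMPLE_PROCESS_LIST)
    for tag, count in sorted(hits.items()):
        print(f"{tag:<20} {count}")
    print("ATT&CK:", ", ".join(sorted(techniques)))
```

Run as a script it prints one line per tag; the same rules are meant to be applied to process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing enabled), where the EnableLUA and `sc stop eventlog` patterns are low-noise on most fleets and the service, task and Run-key rules give the persistence points to clean up.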
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| CA | 15.235.3.1:443 | | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | 1.3.235.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| CA | 15.235.3.1:2000 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 138.91.171.81:80 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| CA | 15.235.3.1:2001 | | tcp |
| US | 8.8.8.8:53 | www.cloudflare.com | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 104.16.124.96:443 | www.cloudflare.com | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 8.8.8.8:53 | 96.124.16.104.in-addr.arpa | udp |
| IE | 20.82.228.9:443 | | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 162.19.139.184:12222 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.123.104.105:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 23.44.233.195:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.26.9.44:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.123.104.105:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 104.16.124.96:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.26.8.44:443 | | tcp |
| US | 104.16.124.96:443 | | tcp |
| N/A | 104.26.8.44:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
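The Network table mixes the sandbox's own resolver traffic and reverse (PTR) lookups with the sample's connections. The Python below is an added example, not part of the report: it takes a constructed subset of the rows above, decodes the in-addr.arpa names back to the addresses they ask about, and separates the external-IP lookup services and hosting domains that the report's signatures already flag from hard-coded IP connections, which are the C2 candidates. Which domains count as lookup or hosting services, the web-port set, and the rule that a direct-IP connection on a non-web port, or one the host also reverse-resolved, is a C2 candidate are this example's assumptions; the report does not say which PTR queries the sample itself triggered.

```python
"""Sort the Network table of this report into background noise and C2 candidates.

Added example, not part of the sandbox report or of the analysed sample. The
rows are a constructed subset copied from the table above; the service sets,
the web-port set and the candidate rule are this example's own assumptions.
"""
import ipaddress
from collections import defaultdict

RESOLVER = "8.8.8.8:53"                                  # the sandbox's DNS server
IP_LOOKUP = {"geoplugin.net", "ipapi.co"}                # external-IP lookup services
HOSTING = {"discord.com", "raw.githubusercontent.com"}   # legitimate hosting used for payload/C2
WEB_PORTS = {80, 443}

# Constructed subset of the Network table: (country, destination, domain, proto).
SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "2.136.104.51.in-addr.arpa", "udp"),
    ("CA", "15.235.3.1:443", "", "tcp"),
    ("US", "8.8.8.8:53", "discord.com", "udp"),
    ("US", "8.8.8.8:53", "1.3.235.15.in-addr.arpa", "udp"),
    ("US", "162.159.137.232:443", "discord.com", "tcp"),
    ("US", "8.8.8.8:53", "geoplugin.net", "udp"),
    ("NL", "178.237.33.50:80", "geoplugin.net", "tcp"),
    ("CA", "15.235.3.1:2000", "", "tcp"),
    ("US", "185.199.108.133:443", "raw.githubusercontent.com", "tcp"),
    ("CA", "15.235.3.1:2001", "", "tcp"),
    ("US", "8.8.8.8:53", "ipapi.co", "udp"),
    ("DE", "162.19.139.184:12222", "", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("N/A", "104.26.8.44:443", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
]


def ptr_to_ip(name):
    """Turn a PTR query name d.c.b.a.in-addr.arpa back into the address a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def split_dest(dest):
    """'ip:port' -> (ip, port)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def triage(rows):
    """Bucket the rows: C2 candidates, direct web hits to review, known services, PTR targets."""
    reverse_looked_up = set()       # IPs the host issued PTR queries for
    direct = defaultdict(set)       # IP -> ports, for connections with no forward name
    ip_lookup, hosting = set(), set()
    for _country, dest, domain, _proto in rows:
        if domain in IP_LOOKUP:
            ip_lookup.add(domain)
        elif domain in HOSTING:
            hosting.add(domain)
        if dest == RESOLVER:
            ip = ptr_to_ip(domain)
            if ip:
                reverse_looked_up.add(ip)
            continue
        host, port = split_dest(dest)
        if not domain:
            direct[host].add(port)
    # A hard-coded IP is a C2 candidate if it uses a non-web port or the host
    # also reverse-resolved it; direct web-port hits with neither go to review.
    c2, review = {}, {}
    for ip, ports in direct.items():
        if ip in reverse_looked_up or not ports <= WEB_PORTS:
            c2[ip] = sorted(ports)
        else:
            review[ip] = sorted(ports)
    return {"c2_candidates": c2, "review": review, "ip_lookup": ip_lookup,
            "hosting": hosting, "ptr_ips": reverse_looked_up}


if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_ROWS).items():
        print(f"{bucket:<14} {value}")
```

On this detonation the two addresses it surfaces are 15.235.3.1 (ports 443, 2000 and 2001, also reverse-resolved as 1.3.235.15.in-addr.arpa) and 162.19.139.184:12222; the direct 104.26.8.44:443 hit stays in the review bucket because the table does not tie it to a name, and geoplugin.net, ipapi.co, discord.com and raw.githubusercontent.com are reported separately so they are not mistaken for attacker infrastructure when blocking.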
Files
C:\Users\Admin\AppData\Local\Temp\Scan.exe
| MD5 | 7fbd569b29dce0bacd001fb2ecc0f08a |
| SHA1 | 7d4b90e2288a4b0cc61702c60c556e0eeb18b76b |
| SHA256 | 626572015bcff8b69e1bb3585bc473871daf4721cf6585683a4c71d19070f657 |
| SHA512 | 9fecf0c9518d8e758bf0f187a481447b6f254991e02c81a44c3d113bb893cb3c6ac1c6366187f1774b36710b24b3484bf0ab823bb26262442c75a7849b526865 |
C:\Users\Admin\AppData\Local\Temp\Scan.exe
| MD5 | eceaf5c00f7b110b165c5cef2a585000 |
| SHA1 | 857ff057e8c0be64854cf687e7ef06824922a5c1 |
| SHA256 | 3e2feee06939ea7664b5ef843f1201abaa72e755e2bac8c5be45fdaa09729eea |
| SHA512 | c20eae4ac8e49fa82b24ce259eef57c0ba1fafde2ccd29edc5c2e8968f044cd67709e8ae0c4c9c0f5ed6141b4550b3ccc90f1869d3af85333b00bb3220e34048 |
C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe
| MD5 | 1f7c2b75419325afe2d512d83c353b07 |
| SHA1 | 606abaddc6fbed5aaf951639c243437f3b296139 |
| SHA256 | 44b1337e79a5eea2da3cb5e62ecdeb0cda58161d5dfc2a7b314fd7906d6b3595 |
| SHA512 | f40eefedab8e22d9a6de2c060e5a3d3574fb376af68161fa73e38f1a2ed98df59e0b446c51e86fa8ebae1673bf27d04bc1631e85c2e586c420189b0d8d601736 |
memory/1040-31-0x00007FF8136D0000-0x00007FF814191000-memory.dmp
memory/1040-26-0x0000000000330000-0x0000000000346000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe
| MD5 | 85a27241f57165a336c7bc99a2d1792d |
| SHA1 | 44a183ce3f133d089a14cccf806dc937d0cd774f |
| SHA256 | aea2f16363efde496bd87a82e7a85602814ab609e36b8d692aeffa812cea53bd |
| SHA512 | 36787c74c8c34c767a47baebe1c1ca2a1748493bf36e34766aeee767d229906882da78258afa109f68c2e6ca50a2bcf0620eb1b4647b6f8a9b714934e8f4ff79 |
C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe
| MD5 | 1300959832098edba7f4977a3b898555 |
| SHA1 | 1eead2892ec9a5f0afe1f7313ba9f0756b007bcc |
| SHA256 | d3099c00e83657be0de73de1c0c50977818928cb4cea4747e9e8ba0985ee036f |
| SHA512 | af9bac33c046efe8cc15209527f02b0b96540158434b8ade0f5d2c8fc6e7f8346bfb183e0a73754aff1341be5a91cd01e3a4c87218480c5c5bcb5fae0e4e11cf |
C:\Users\Admin\AppData\Local\Temp\Scannerbuilder.exe
| MD5 | 3ea1f38c72519b857fa362d58fa06614 |
| SHA1 | 0bc6740f7c06f74358c4d8a5a0561f7ab33faf06 |
| SHA256 | 7f574680610b5f48c0ed4d7c0aea7fed0da596de2cbc5955df918736b662c77c |
| SHA512 | 96d6f45d7af4bbbf35a398748140178c6dd23fd4bffdd5b45ea48313c9f0d6b6bd7bd9545e745e316c58589b51896aace99b533163c5f502c34f8cf7efbee0d4 |
memory/1504-137-0x0000000072F30000-0x00000000736E0000-memory.dmp
memory/1504-165-0x0000000005770000-0x0000000005780000-memory.dmp
memory/1504-169-0x0000000001580000-0x000000000158E000-memory.dmp
memory/5064-170-0x00007FF811B10000-0x00007FF811F7E000-memory.dmp
memory/1504-171-0x0000000001CC0000-0x0000000001D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libffi-7.dll
| MD5 | b5150b41ca910f212a1dd236832eb472 |
| SHA1 | a17809732c562524b185953ffe60dfa91ba3ce7d |
| SHA256 | 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a |
| SHA512 | 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6 |
memory/5064-180-0x00007FF823370000-0x00007FF823394000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\VCRUNTIME140_1.dll
| MD5 | 7ac63b858bd544b82f850c9799384deb |
| SHA1 | ece92ca74ab93ee9b2ca9d406a0012160f86267d |
| SHA256 | e49a1701c36cb24f9c21f34743a7960ef7d082d4b6512a21ac1229d349262711 |
| SHA512 | e49ecf2df4d50427ff9c6a6a85d33e01802a0f46cc1fc3a2b419169bfdc6d4939cc3b5b203383cf95e3ebd8abbddc582fae305cfd482ab38e7670a7ea065970d |
memory/5064-202-0x00007FF8108F0000-0x00007FF81091D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\pyexpat.pyd
| MD5 | 5a328b011fa748939264318a433297e2 |
| SHA1 | d46dd2be7c452e5b6525e88a2d29179f4c07de65 |
| SHA256 | e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14 |
| SHA512 | 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87 |
memory/5064-210-0x00007FF8107C0000-0x00007FF8107F4000-memory.dmp
memory/5064-213-0x00007FF823310000-0x00007FF823329000-memory.dmp
memory/5064-214-0x00007FF810830000-0x00007FF8108EC000-memory.dmp
memory/1504-216-0x0000000005670000-0x0000000005682000-memory.dmp
memory/1504-218-0x0000000005C00000-0x0000000005C22000-memory.dmp
memory/5064-231-0x00007FF810590000-0x00007FF8105D2000-memory.dmp
memory/4232-239-0x0000000000A90000-0x0000000000A9C000-memory.dmp
memory/5064-240-0x00007FF8230E0000-0x00007FF8230EA000-memory.dmp
memory/4232-242-0x00007FF8136D0000-0x00007FF814191000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_ssl.pyd
| MD5 | 89bfd56b58e9fabbbf63fa6c889b01af |
| SHA1 | bdf16d8c71bec9ce95503359c195452671b32b29 |
| SHA256 | f697d4415d3dc9e76c0bcefb3579d6c7c9ce61be2ecb2b1681f45d0712ca529f |
| SHA512 | 8e0945ede6d1ed9e7db357ba0d277d40a3b7cace6714c7e448b5c35eda1e7e02b12b435ab31f2411433210fdc1263b141187e22dfae35b793ba7a7884c9c8009 |
C:\ProgramData\Google\GoogleData.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these four values are the digests of empty input (a zero-byte file), so the copy of GoogleData.exe captured here had no content; they do not identify the binary that the process list shows running from this path and must not be used as indicators.
memory/4232-251-0x00000000012A0000-0x00000000012B2000-memory.dmp
memory/5064-255-0x00007FF80DAA0000-0x00007FF80DACE000-memory.dmp
memory/4508-258-0x00000000009B0000-0x0000000000A2F000-memory.dmp
memory/4508-261-0x00000000009B0000-0x0000000000A2F000-memory.dmp
memory/4508-268-0x00000000009B0000-0x0000000000A2F000-memory.dmp
memory/4508-271-0x00000000009B0000-0x0000000000A2F000-memory.dmp
memory/5064-276-0x00007FF80D980000-0x00007FF80D98C000-memory.dmp
memory/5064-278-0x00007FF80D250000-0x00007FF80D25C000-memory.dmp
memory/5064-283-0x00007FF810580000-0x00007FF81058C000-memory.dmp
memory/5064-288-0x00007FF80FA90000-0x00007FF80FAA0000-memory.dmp
memory/2864-290-0x00007FF8136D0000-0x00007FF814191000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\downloads_db
| MD5 | 858366ad492758c172e1680fc1a8027a |
| SHA1 | e970e361faa05d235ce6a847f3ae43cb1d85a514 |
| SHA256 | c283ff6b0d7682a6df5b6dce317094cf455ebe82cfeff3e9f04d17e587a3c2a8 |
| SHA512 | db003c83bea8fc1f5d0f5d2db6022c3848b2a1b87949c409018e0c34f91d43ddcfea6d521ef251022f9558a9832c10ca58597ea586c1124c4962b311600532a0 |
memory/5064-333-0x00007FF80BCA0000-0x00007FF80BE11000-memory.dmp
memory/5064-332-0x00007FF821180000-0x00007FF82119F000-memory.dmp
memory/5064-331-0x00007FF80D240000-0x00007FF80D24C000-memory.dmp
memory/5064-330-0x00007FF822180000-0x00007FF822194000-memory.dmp
memory/5064-329-0x00007FF81E670000-0x00007FF81E67B000-memory.dmp
memory/5064-305-0x00007FF80D390000-0x00007FF80D705000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\downloads_db
| MD5 | 82a46e388f7041c6ee550535786af506 |
| SHA1 | bf8b67213bee3a2e73ae09613f2ae7cd4e129c10 |
| SHA256 | 3a427e1dbf18e06edaebe78c90cf39fc1c37988f72a3615bf306dfd89ac6689c |
| SHA512 | 0d4ff85ef476e3840fbf17278ecc4525128336a8d243941eb193efbb199a9c27c7e2a60696a96aa0927bb29a1ecd1e34e5cac34800ac575ddb5b708636720339 |
memory/2864-289-0x000000001A5D0000-0x000000001A6DA000-memory.dmp
memory/5064-287-0x00007FF80FAA0000-0x00007FF80FAB5000-memory.dmp
memory/5064-286-0x00007FF810540000-0x00007FF81054C000-memory.dmp
memory/5064-285-0x00007FF810550000-0x00007FF810562000-memory.dmp
memory/5064-284-0x00007FF810570000-0x00007FF81057D000-memory.dmp
memory/5064-280-0x00007FF81E680000-0x00007FF81E68C000-memory.dmp
memory/5064-279-0x00007FF81E690000-0x00007FF81E69B000-memory.dmp
memory/5064-277-0x00007FF80D260000-0x00007FF80D26E000-memory.dmp
memory/5064-275-0x00007FF80D990000-0x00007FF80D99B000-memory.dmp
memory/5064-274-0x00007FF80D9A0000-0x00007FF80D9AC000-memory.dmp
memory/5064-272-0x00007FF819C30000-0x00007FF819C3C000-memory.dmp
memory/5064-273-0x00007FF8147D0000-0x00007FF8147DB000-memory.dmp
memory/4232-270-0x00007FF8136D0000-0x00007FF814191000-memory.dmp
memory/5064-269-0x00007FF80D270000-0x00007FF80D388000-memory.dmp
memory/5064-264-0x00007FF80D9B0000-0x00007FF80D9D3000-memory.dmp
memory/5064-263-0x00007FF8218A0000-0x00007FF8218AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_hashlib.pyd
| MD5 | 24291e4d9e081acd724db94268856fc3 |
| SHA1 | 7b532b361d3141bcc35e300792296cda214e8c45 |
| SHA256 | e108c46c9dd6299bb794445b740b0593d3678e28f8502f42b308f81b060768ff |
| SHA512 | 301e6be236e689ebeabbad416e0183a7a8a4672b9654636cb887191a4cdc4265c82a4ec869028510673fb082cedfe537da48479242859aee45cba6da3a9168fb |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_hashlib.pyd
| MD5 | d837e00239485ed6a6d91df5c3035ed6 |
| SHA1 | c03df6e5a22ea412eff252d71c279faa37da43b1 |
| SHA256 | 34905839c57dabb858fd60a338efb453f22b5225092cfa42555cc91bae0f106b |
| SHA512 | 3f541d2e9fb970766c385bc52721026fde001939a3c56efd8c4327562944925abd980ed1c2c0dfb2bf7acafe8ccf5f7cc774e1396529b255654193d473690c1c |
memory/5064-262-0x000002E0F2B50000-0x000002E0F2EC5000-memory.dmp
memory/5064-257-0x00007FF80D9E0000-0x00007FF80DA98000-memory.dmp
memory/4232-256-0x0000000002BE0000-0x0000000002C1C000-memory.dmp
memory/4232-250-0x0000000001270000-0x0000000001280000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libssl-1_1.dll
| MD5 | 4decec176a376f6e2d8e8fd34a73f3f2 |
| SHA1 | e106443defd8d2f884378071982f4449caeb319a |
| SHA256 | 7f245c2444f35501f8290b0f148de27106a1caa9921959de9ea90a9181cb2ca0 |
| SHA512 | 263ffc57e1c6a223d372ab9b0a077512e1740c285fb7867941e17683b17f69af1d211344eb18e352e5af9eed9220e68fe81f97598f45616e4b6a7bdc80c1e11e |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libcrypto-1_1.dll
| MD5 | dbb26cb64d27ab8cdace2379c6310f0c |
| SHA1 | b13f32273e423ed12ccaeeb712bf23b15b3cbe5a |
| SHA256 | 8c527668f41b5652eff201f017a106533b7747c74fca71bb7f68b514ab17672a |
| SHA512 | 3fc719cbf5f895c01ac7b42fded8afe7d6d3476c43c9140f5be8114e20df4cfa06af93bd577363588e9fd0b705d2752b38b188f2a078101a4f7ea4ac50d2811a |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libcrypto-1_1.dll
| MD5 | 85c48174c016b0be890fd32aaa7d0253 |
| SHA1 | da238e44a5f3ffd075b14e2c44e9a52a595eb137 |
| SHA256 | a80cd8c5f186fc436152014eb98b69c4f3fda249c295dbe9c49839d8b0765a84 |
| SHA512 | 7a4a5057efdd56034f0316dab5a24f44a0b44994f3e0fb9a06ed07c7c0e4f2ff78a24968ab59d0442a45ccbb9c56e8f5c088d767c4417764c3aaffa37c6f7771 |
C:\ProgramData\Google\GoogleData.exe
| MD5 | 38b45dd434a1dc874ea2feb05af5cd0b |
| SHA1 | a390d36bf0e9b206df62793a91728641be59b96f |
| SHA256 | a7206dc961c6fa75c2c84a3ac4100d5fec8d9112101ebfb85c437665c2189a26 |
| SHA512 | 9ccb940ea0200080ef954cf09ad2d8c196271c3265e664d3cd0307afba6b9cbb6070f9026ab378d11354a5fe3dfa7fb062240fc48e6fe7be77c239020244b53c |
memory/5064-246-0x00007FF822910000-0x00007FF82292C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libcrypto-1_1.dll
| MD5 | 02d8b8a47bf7771e9ad2f5227f04950e |
| SHA1 | 945bee2b7863feac1074a8b21759fa865d91ce64 |
| SHA256 | 81c53a79cf5428955c97dba3f79161bc996b45d6854f7ac058c23b782712379d |
| SHA512 | 63b09fbc7c6cbabd87a6c9cd4b19a3dab131bd9ce1ff99ca58d44909a9cc93785a683871a40701822f1c2ede572c0d28ddcdfc6acef1cdcf1d814986b17d7296 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_ssl.pyd
| MD5 | a17c258be66018aa5908028fc118a7a2 |
| SHA1 | e7ace78570fa05b80b23f749df195b0ebf2ebffa |
| SHA256 | 07fed4a8ee591ce658e302bfce6748a3762763fa63aee07aca781e7202fe62ca |
| SHA512 | 4bd4483e1fffb42b2838f9f9d740ee9be7c809c63306f014dc3055016220ef702a99b584b51d02cd53558027623bed766c35ee3d6ba408f98f1e314d8181f3a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libssl-1_1.dll
| MD5 | f2ebdec5bc34e8f4ebd8cbedc7947403 |
| SHA1 | 97faf48cab48cfbc488b69416c25d21022083bb6 |
| SHA256 | 1d9d0e91fc0e7540bb0a7d45111174db9d2ea763a777cf284c5c1096b72149eb |
| SHA512 | a292a40e02feb63cf6eeced0ee605ecf2cf12d124db93136c0fcc781ae39397c5bd975dd655ffa1bcaf7989cd01ea19b0440b3173b5be86587e2d3a3085c623e |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\psutil\_psutil_windows.pyd
| MD5 | fb17b2f2f09725c3ffca6345acd7f0a8 |
| SHA1 | b8d747cc0cb9f7646181536d9451d91d83b9fc61 |
| SHA256 | 9c7d401418db14353db85b54ff8c7773ee5d17cbf9a20085fde4af652bd24fc4 |
| SHA512 | b4acb60045da8639779b6bb01175b13344c3705c92ea55f9c2942f06c89e5f43cedae8c691836d63183cacf2d0a98aa3bcb0354528f1707956b252206991bf63 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_uuid.pyd
| MD5 | 81dfa68ca3cb20ced73316dbc78423f6 |
| SHA1 | 8841cf22938aa6ee373ff770716bb9c6d9bc3e26 |
| SHA256 | d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190 |
| SHA512 | e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_decimal.pyd
| MD5 | eb45ea265a48348ce0ac4124cb72df22 |
| SHA1 | ecdc1d76a205f482d1ed9c25445fa6d8f73a1422 |
| SHA256 | 3881f00dbc4aadf9e87b44c316d93425a8f6ba73d72790987226238defbc7279 |
| SHA512 | f7367bf2a2d221a7508d767ad754b61b2b02cdd7ae36ae25b306f3443d4800d50404ac7e503f589450ed023ff79a2fb1de89a30a49aa1dd32746c3e041494013 |
memory/1504-217-0x0000000005680000-0x0000000005688000-memory.dmp
memory/5064-215-0x00007FF810800000-0x00007FF81082B000-memory.dmp
memory/5064-212-0x00007FF823330000-0x00007FF823349000-memory.dmp
memory/5064-211-0x00007FF8230F0000-0x00007FF8230FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\win32api.pyd
| MD5 | 561f419a2b44158646ee13cd9af44c60 |
| SHA1 | 93212788de48e0a91e603d74f071a7c8f42fe39b |
| SHA256 | 631465da2a1dad0cb11cd86b14b4a0e4c7708d5b1e8d6f40ae9e794520c3aaf7 |
| SHA512 | d76ab089f6dc1beffd5247e81d267f826706e60604a157676e6cbc3b3447f5bcee66a84bf35c21696c020362fadd814c3e0945942cdc5e0dfe44c0bca169945c |
memory/1040-204-0x0000000002470000-0x0000000002480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_queue.pyd
| MD5 | 0d267bb65918b55839a9400b0fb11aa2 |
| SHA1 | 54e66a14bea8ae551ab6f8f48d81560b2add1afc |
| SHA256 | 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c |
| SHA512 | c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56 |
memory/1504-201-0x0000000005690000-0x0000000005722000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\pythoncom310.dll
| MD5 | 9051abae01a41ea13febdea7d93470c0 |
| SHA1 | b06bd4cd4fd453eb827a108e137320d5dc3a002f |
| SHA256 | f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399 |
| SHA512 | 58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da |
memory/5064-199-0x00007FF822930000-0x00007FF82295E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\pythoncom310.dll
| MD5 | 4febeb38111af22586a2b7381ce5361b |
| SHA1 | 3879e68fecb66611791977c3cebb95d3c51889d1 |
| SHA256 | ab36b541c94d757050306bba192417b59840b09456df74681040669bf171dabe |
| SHA512 | 89cd82abf626d649b5146b3b9c83fbf69cd07404b01370b9f9d56b03516f1ff9cf70fb40392b95ab2b46ec98bb6434754729d52c2e63b5072ac28932b97a5592 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_lzma.pyd
| MD5 | abceeceaeff3798b5b0de412af610f58 |
| SHA1 | c3c94c120b5bed8bccf8104d933e96ac6e42ca90 |
| SHA256 | 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e |
| SHA512 | 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_bz2.pyd
| MD5 | 758fff1d194a7ac7a1e3d98bcf143a44 |
| SHA1 | de1c61a8e1fb90666340f8b0a34e4d8bfc56da07 |
| SHA256 | f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708 |
| SHA512 | 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\pywintypes310.dll
| MD5 | 6f2aa8fa02f59671f99083f9cef12cda |
| SHA1 | 9fd0716bcde6ac01cd916be28aa4297c5d4791cd |
| SHA256 | 1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6 |
| SHA512 | f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\select.pyd
| MD5 | 72009cde5945de0673a11efb521c8ccd |
| SHA1 | bddb47ac13c6302a871a53ba303001837939f837 |
| SHA256 | 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca |
| SHA512 | d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_socket.pyd
| MD5 | afd296823375e106c4b1ac8b39927f8b |
| SHA1 | b05d811e5a5921d5b5cc90b9e4763fd63783587b |
| SHA256 | e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007 |
| SHA512 | 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369 |
memory/1504-183-0x0000000005D30000-0x00000000062D4000-memory.dmp
memory/5064-182-0x00007FF829090000-0x00007FF82909F000-memory.dmp
memory/5064-191-0x00007FF823D90000-0x00007FF823D9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\VCRUNTIME140_1.dll
| MD5 | bba9680bc310d8d25e97b12463196c92 |
| SHA1 | 9a480c0cf9d377a4caedd4ea60e90fa79001f03a |
| SHA256 | e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab |
| SHA512 | 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_ctypes.pyd
| MD5 | 6ca9a99c75a0b7b6a22681aa8e5ad77b |
| SHA1 | dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8 |
| SHA256 | d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8 |
| SHA512 | b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\python3.dll
| MD5 | c17b7a4b853827f538576f4c3521c653 |
| SHA1 | 6115047d02fbbad4ff32afb4ebd439f5d529485a |
| SHA256 | d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68 |
| SHA512 | 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\base_library.zip
| MD5 | 066acf6fa1ef401bf183316270f3c92c |
| SHA1 | a776da7e2c008227b22068cae3b449e4ea00e4f8 |
| SHA256 | 8a108cd494419962c96cdb6714b07d4f46c9809466a967d7852d9132eabf3956 |
| SHA512 | bd22efa61be76349bd3a1d99cc7ab17f7d0a34eadc2c8f82b9c430d187908a502241c139ebce3d63abb117fdd3dbfdcb495ad8a68153e57ca7ff81b9144091fc |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\VCRUNTIME140.dll
| MD5 | 70a26d7e5ec781f8b1a66020e447b37f |
| SHA1 | 5b687bf7db61f262926491d3ce85fb439ba17427 |
| SHA256 | 7bbb62f956f6d8be1e4ec99f8eed4462cc57320489a60cbed3f5858daf9d4951 |
| SHA512 | 2b9793766d70d15fa9438e0cc05a92dc8a337a96279f06c8fb906d430f5e0975ccc11d57c1d3a375c6dfb4c8163a4e8027a6d59dca2750c1ff628685bf284031 |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\python310.dll
| MD5 | efbf73044b917b773dea518b4ee93e2c |
| SHA1 | 7b85906d8654e5063384300c8dd86d20163f1590 |
| SHA256 | 3814b4d1f4de4463d1517928d91eb3c5bca1fe420a4556c278d6b83e16b762b8 |
| SHA512 | 19dd8e32973b787bf4e6de299de23d9384b7f12a694133437c860da9ac9735dff4de3d0f4ccc9bce16c6e030c4cd410bdd6372701fff406e926f84caa1610bbd |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\python310.dll
| MD5 | ced20c31d84d31e0971e2b06da96582d |
| SHA1 | 473f6d50edbefaf718f08ed6b879235d7bb4568e |
| SHA256 | c29b1bd14ff177ad9f0c4629a7903eeba03c003b6ae10a8507efcfc869ae5114 |
| SHA512 | 76f6bcd3a3eea8afc844a44edd80f8dab015d7a66bfb4f7a1abe913d57139d5983f664b6cef72b50db55e88380ab8775c8a83108d91dafa89b7dc348bc29d3cf |
memory/1504-136-0x0000000000BE0000-0x0000000000CCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Scandlls.exe
| MD5 | 7fa442117040fd4135b0db26d2e24699 |
| SHA1 | 551824c8766de076772f6cbd5f4bbab9cac1ba60 |
| SHA256 | fdbeea263db2ff6593b4ba5e0eabddf2fa4202481bde55ab858fd63ea3a83ab8 |
| SHA512 | c0da75c98a7a87f5398535fb9111287fb0a48258e013337d4295fb5d9955339d369491e71491cfc7896de93e20dc850c9d15e56a11e0f6eb63a8827e2d773f25 |
C:\Users\Admin\AppData\Local\Temp\Scandlls.exe
| MD5 | bf62d3360f6e3d1f7d4d2b440c4feed0 |
| SHA1 | a1aed19974e7d3cfc3b872a6acbef79ad8ed942f |
| SHA256 | bf924e51f27f9f71360678dfc1843ffe780e037ba8945fced3955d3eb60f73ea |
| SHA512 | dee13be90c656007b317f3537c55c1656495bf8057e778b9d84cd3e66ba61bf92e49f284e59c9528e7a61396f6e188f65b0e36544ad72044dd0aa4d31ba0f0bf |
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | c6261c75e3e653107445c70ac360d77c |
| SHA1 | b5bf940e85bbdbdf07359cfcaf59f6ab8575c55d |
| SHA256 | ff4215bb095d98b5465de151b590b1479a6fa64b30271bb23259dd41d28ae690 |
| SHA512 | d5c81811b70a49d426433578a6edb4086c6486b44302518c9901306be06762cced7997a8c70091b8ca4cf1774efce2c756b4dcce7d210d31a59c53ec8e21dec7 |
C:\Users\Admin\AppData\Local\Temp\Scandlls.exe
| MD5 | 96e48701e6a04126d33721f8c68705a4 |
| SHA1 | 5a6ce53394c9fed13d4425787f4fed9825873952 |
| SHA256 | 3342e5038d450a0d3a95af1fab4115c9289cd1d870888c0cc9a84030afd38c8a |
| SHA512 | 95ec7349946c1d2f0ebccdd1e1449469997c9dc523fa90f34cbe30602fea37b38d617597f52b65d42cbc8370760ce5e82a53f031578d8fe8353f9950176f86ea |
C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe
| MD5 | d9ada92155915a30b6c69b83ba4e2956 |
| SHA1 | 902c6c3b73612d33dabcbb242eae69da090f808c |
| SHA256 | 5f73fb3970e155ed35cf7a941cde7003eba5994b03bb58b3c6262274880973ab |
| SHA512 | df761fd70055c6ab970dd355303e2548e77632df17adaf6d89cb8fcad60e53537259130934c0033acbc0247d317374153d1b575c4b4bc1a4c7e8da658de7e457 |
C:\Users\Admin\AppData\Local\Temp\ScanCompiler.exe
| MD5 | ffa9d14b00d34ff0d458b73d986b3766 |
| SHA1 | 9a323ffc7196367ab1e297123b4d9a9f1e9143df |
| SHA256 | 5722782454baf123cc22a8cbe4ad7b9a24e2e51dd94736cce393bed099200976 |
| SHA512 | 9b9a3c1670c5ac182a52f4f055a077bed185a170fc14e8ac59f896ed9f3f8dd9f7ef99b094953d18953b7f75b7f8734f2f672a874010f93e8a7a09fc4b9fed7b |
C:\Users\Admin\AppData\Local\Temp\ScanBackup.exe
| MD5 | be7a74e36e4f1446dd8d215712bab116 |
| SHA1 | a1de7c6a30d2d4b6146c7852e585e1e4b966c2cd |
| SHA256 | ee4d85ac224083fe3196c5faecf50c3cbec38e160a6a61ed3fd691cea18947e9 |
| SHA512 | 096b96d9bd5f0a41c4ada6eaf19877c33094140c3219b11cd57087fd90a827f18e885d9151b049b1adfdbfb019021d8a773ee3f115c5414adac860459d07d5bc |
C:\Users\Admin\AppData\Local\Temp\Scan.exe
| MD5 | 53973398d410bb35eb247a25d162e41d |
| SHA1 | 140a6461a00aadbd6c2d1b986a647bb7813a3a12 |
| SHA256 | 2905e081e10691e065f10cfe48004d75a81c6ea3554972b5f6cb175ba7a2878a |
| SHA512 | 38d3a40c880ed327f07337723653b771bf8474f09737c862541d1c2be26bf2751a4af177f22b9d2e6928c842b739bec97c9e3587ec26bd5118298753cc68a7cb |
memory/5064-423-0x00007FF822930000-0x00007FF82295E000-memory.dmp
memory/5064-426-0x00007FF810830000-0x00007FF8108EC000-memory.dmp
memory/5064-419-0x00007FF823370000-0x00007FF823394000-memory.dmp
memory/5064-418-0x00007FF811B10000-0x00007FF811F7E000-memory.dmp
memory/4180-524-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4180-528-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4180-531-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4784-534-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4784-535-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4784-537-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4784-536-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4784-533-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4784-532-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4180-527-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4180-526-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4180-525-0x0000000140000000-0x000000014000E000-memory.dmp
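The listing above is a flat dump of two record kinds: a dropped-file path followed by a four-row hash table, and `memory/<pid>-<n>-<start>-<end>-memory.dmp` region names. The Python below is an added example, not part of the sandbox report, that parses that shape into records and pulls out the checks an analyst usually wants from such a listing: the deduplicated SHA256 set to pivot on, paths that were written more than once with different content (as `_hashlib.pyd` and `downloads_db` are here), the PyInstaller `_MEI<digits>` extraction directory that the report's own "Detects Pyinstaller" signature points at, and memory regions whose start is 0x140000000, the MSVC linker's default image base for 64-bit executables (so the dumped image was mapped at its preferred address rather than relocated). The sample input is constructed from a few lines of this report; the parser assumes only those three line kinds occur, and all function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: a few lines copied in the shape of the report above.
SAMPLE = r"""
memory/5064-283-0x00007FF810580000-0x00007FF81058C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_hashlib.pyd
| MD5 | 24291e4d9e081acd724db94268856fc3 |
| SHA1 | 7b532b361d3141bcc35e300792296cda214e8c45 |
| SHA256 | e108c46c9dd6299bb794445b740b0593d3678e28f8502f42b308f81b060768ff |
| SHA512 | 301e6be236e689ebeabbad416e0183a7a8a4672b9654636cb887191a4cdc4265c82a4ec869028510673fb082cedfe537da48479242859aee45cba6da3a9168fb |
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_hashlib.pyd
| MD5 | d837e00239485ed6a6d91df5c3035ed6 |
| SHA1 | c03df6e5a22ea412eff252d71c279faa37da43b1 |
| SHA256 | 34905839c57dabb858fd60a338efb453f22b5225092cfa42555cc91bae0f106b |
| SHA512 | 3f541d2e9fb970766c385bc52721026fde001939a3c56efd8c4327562944925abd980ed1c2c0dfb2bf7acafe8ccf5f7cc774e1396529b255654193d473690c1c |
memory/4180-524-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4784-534-0x0000000140000000-0x0000000140848000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
X64_DEFAULT_IMAGE_BASE = 0x140000000  # MSVC linker default for 64-bit EXEs


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str) -> Tuple[List[DroppedFile], List[MemoryRegion]]:
    """Assumes only three line kinds: dump name, hash-table row, or dropped-file path."""
    files: List[DroppedFile] = []
    regions: List[MemoryRegion] = []
    current = None  # the DroppedFile that following hash rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None  # a dump name closes the open file record
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, hexval = h.group(1), h.group(2).lower()
            if len(hexval) != HASH_HEX_LEN[algo]:  # reject truncated/garbled digests
                raise ValueError(f"{algo} value has {len(hexval)} hex chars: {line}")
            current.hashes[algo] = hexval
            continue
        current = DroppedFile(path=line)  # any other line opens a new record
        files.append(current)
    return files, regions


def unique_sha256(files: List[DroppedFile]) -> List[str]:
    """Deduplicated SHA256 list, the hash set to pivot on."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


def same_path_different_sha256(files: List[DroppedFile]) -> Dict[str, Set[str]]:
    """Paths written more than once with different content."""
    by_path: Dict[str, Set[str]] = {}
    for f in files:
        by_path.setdefault(f.path, set()).add(f.hashes.get("SHA256", ""))
    return {p: s for p, s in by_path.items() if len(s) > 1}


def pyinstaller_bundle_dirs(files: List[DroppedFile]) -> Set[str]:
    """PyInstaller one-file builds unpack into %TEMP%\\_MEI<digits>\\ at start-up."""
    dirs = set()
    for f in files:
        m = re.match(r"^(.*\\_MEI\d+)\\", f.path)
        if m:
            dirs.add(m.group(1))
    return dirs


def regions_at_default_x64_image_base(regions: List[MemoryRegion]) -> List[MemoryRegion]:
    """Dumps mapped at the x64 default image base, i.e. not relocated."""
    return [r for r in regions if r.start == X64_DEFAULT_IMAGE_BASE]


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print("sha256:", unique_sha256(files))
    print("re-dropped:", same_path_different_sha256(files))
    print("pyinstaller dirs:", pyinstaller_bundle_dirs(files))
    for r in regions_at_default_x64_image_base(regions):
        print(f"pid {r.pid}: image at 0x{r.start:X}, size 0x{r.size:X}")
```

To run it over the full report, paste the listing into `SAMPLE` or read it from a file; the length check on each digest row is what catches a hash that was truncated when the page was extracted.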