Analysis Overview
Threat Level: Likely malicious
The file https://mega.nz/file/sn1DBLJD#sN_N51-SjhbxAoe65QdXFW5k_LCk3OO3gnRvYMIyKWc was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Themida packer
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 10:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 10:58
Reported
2024-06-09 10:59
Platform
win10v2004-20240508-en
Max time kernel
68s
Max time network
63s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\active\LZMYBCTLTD.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| 4 occurrences | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\active\LZMYBCTLTD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\active\LZMYBCTLTD.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\ProgramData\active\LZMYBCTLTD.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe | N/A |
| N/A | N/A | C:\ProgramData\active\LZMYBCTLTD.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| 14 occurrences | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ProgramData\active\LZMYBCTLTD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe | N/A |
| N/A | N/A | C:\ProgramData\active\LZMYBCTLTD.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| 12 occurrences | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege (2 occurrences) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege (4 occurrences) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| 17 occurrences | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/sn1DBLJD#sN_N51-SjhbxAoe65QdXFW5k_LCk3OO3gnRvYMIyKWc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4908,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4852,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5284,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5476,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5944,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5976,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --field-trial-handle=5968,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6368,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x3d0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6932,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=4428,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7188,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7352,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\" -spe -an -ai#7zMap26532:132:7zEvent10442
C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe
"C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\BLTools 2.9.1.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s45w.0.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6804,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:8
C:\ProgramData\active\LZMYBCTLTD.exe
"C:\ProgramData\active\LZMYBCTLTD.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LZMYBCTLTD" /tr C:\ProgramData\active\LZMYBCTLTD.exe /f
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\x64\PyInjector-x64.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kp4c2hv.dok.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 967224b7af46e836d972047a08ec598a |
| SHA1 | 95a9e33fcd35403fe8c424881ae5e83bbd5a3f75 |
| SHA256 | 9c5cdbdb0f589cec970dc3ff966c744ad57397cb04279e2ba8f91584a9f60acd |
| SHA512 | dc731607ee4a2e0a8c0ab2d3f2f55f3820b5c65634344f0dc7be3921d94671c3d225d2b1441df076c2f65cf73733cbb595c8d7a3141ac036c7558b3dd3212f33 |
C:\Users\Admin\AppData\Local\Temp\s45w.0.bat
| MD5 | 6d38c2a06767c15757cb5952aa8df1a0 |
| SHA1 | 181d86067e6d5d1589e188e40b798296db118d30 |
| SHA256 | 42bb331d2e8aac44651e04cf4e7fb8e788dac54dd115cb6f24c6e93378fd8311 |
| SHA512 | 8776740dfbdaa20b678973228f8c1a84b65ae4abc72d9c5404def7f5f53eb2db5820caa12525e1b8caf92d3e5e8aa8d0ad020d5842c7b1cd6a8e601a133f986f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9bfe53f0db0725865f9a035a447f826a |
| SHA1 | 9ad30cc73b38908f8559e7bfe36b8ef266c42b80 |
| SHA256 | fbaded8db28eb621d8fcf0a949cb3234be5bc335f66405de5e39766d817e4601 |
| SHA512 | d848f11f69ed03d4f29ee4bcadf61138103401a4e122779f3eca0c69f31c4d5c8f6aca1c58d95dcb8b14693eadc84f20ff2d40c63b9ad1849208f28dd8da183a |
C:\Users\Admin\Downloads\BLTools 2.9.1 PRO Cracked by Twizzy\x64\PyInjector-x64.dll
| MD5 | 3134f8652d4229607bffe7b993f19d15 |
| SHA1 | 5c51ae7856aa80e3db1a582e6870ece9f9a81485 |
| SHA256 | 0839d2cba232d4219b7e70bc5c8eaeff53a2719750b1c0dabd2b68bc4099274d |
| SHA512 | 82c1514f8579ee9a95d757754e2ae6c832930bd72b8e7fea6be68c36f9857a9424e2b6776d54d21edaef5085f1699861bba2a459eaf54eb60677a760a61cb8ee |